[BreachExchange] Cybersecurity Training Often a Tangled Web

[Audrey McNeil]

http://www.clomedia.com/2017/06/29/cybersecurity-training-often-tangled-web/

Damaging cybersecurity attacks have become an increasingly regular
occurrence in business. In 2013, Target Corp. notified 70 million customers
that hackers had stolen their personal data from their computer systems. In
2016, Yahoo Inc. informed 500 million users their names, email addresses,
dates of birth and telephone numbers were stolen by hackers. And just this
week, a massive ransomware attack hit computer systems across Europe and
the United States, the second such attack in two months.

Not coincidentally, a new study released this week found a growing need for
training programs that close the security skills gap facing many companies.
“The Evolution of Security Skills,” a report from the Computing Technology
Industry Association, a nonprofit trade association, found only 21 percent
of businesses completely satisfied with their current level of security.

It’s not for lack of effort. According to the report, 60 percent of
companies use training to close their security skill gaps and 48 percent
certify technologists to ensure their skills are up to date. But the
reality is that training has failed to keep pace with ever-evolving
security threats.

The State of Security Training

Seth Robinson, a CompTIA senior researcher, said many companies simply
don’t do enough. Typical training takes place during onboarding or as an
annual security refresher where employees are merely asked to validate they
have read the policy.

“What we are seeing companies move toward as they become more intentional
and aggressive about cybersecurity is training that is more interactive,
possibly customized into job roles and training that can be measured,” he
said. “This training is usually delivered online and it might be delivered
similarly to other HR training like safety or sexual harassment training.”

At Mastercard Inc., the learning department developed a simulated email
phishing attack paired with targeted training for employees who clicked on
suspicious links. That training in part reduced the number of employees who
opened phishing emails to 63 percent below the industry standard.

That proactive role in developing training to secure sensitive data and
critical technology systems is increasingly needed. Jeffrey Morgan,
president of e-Volve Information Technology Services, said IT security is
not primarily about the technology but rather about policy, procedure and
people – all areas where training can play an important role in preventing
security breaches. Approximately 60 percent of problems result from human
error, he said.

“Mostly training seems pretty weak,” he said. “Training tends to be better
in well-run private sector organizations that are used to complying with
standards.”

Weak spots tend to be in local government or start-ups where there’s lower
quality or no training at all and people aren’t aligned to a security
policy or process, he added.

The Role of CLO

One challenge highlighted in the report is that organizations tend to place
emphasis on threats they understand best even if those types of threats may
not be the most harmful. Robinson said a good first step is to lean on the
IT team for basic understanding of each threat but not rely on them for
everything.

“As much as companies are becoming more collaborative around their
technology decision-making and procurement, companies are still looking to
the IT or technical team to manage security,” Robinson said. “But the IT
function may not be the best solution for providing training to the
workforce and understanding how to make that training engaging and
effective.”

Providing that solution often falls to the CLO who can also play a role in
bringing together the needs of IT and business. IT needs to better
understand what the business is trying to accomplish and the business side
must understand the rigor and discipline IT provides to keep the business
safe, Robinson said.

Learning departments can also identify new skills and expertise needed to
secure the enterprise. Between 18 and 32 percent of companies surveyed
reported they need significant improvement to existing security expertise.

“Sometimes new skills are needed to deal with specific technologies like
intrusion detection, intrusion prevention and data loss prevention,”
Robinson said. “Sometimes it’s simply the right mindset and finding those
people that may be thinking about security in a different way and
understand how security applies across a modern IT architecture that
employs cloud computing and mobile devices.”

All this prevention doesn’t come cheap but Robinson urged companies to
invest because the cost of not investing is even greater as this week’s
ransomware attacks illustrate.

“Whether there’s the ability to bring in new people or whether companies
are restricted to training, there’s probably going to be some additional
investment there, if not in dollars at least in the time spent for
employees to come up to speed on these new things,” he said. “Companies
have to be willing to invest in training — but then also have the ability
to measure if they are getting what they want out of it.”

As the increasing pace of threats shows, the need for ongoing cybersecurity
training will remain strong. “Security is a continual learning thing — you
have to be at it all the time,” Morgan said.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170629/552056d5/attachment.html>