Creating a sustainable cybersecurity approach for your business

The rapid digitalisation of the enterprise triggered by the pandemic has created a tsunami of opportunities that are ripe for exploitation by cybercriminals and threat actors everywhere.

Today’s businesses now have to defend a significantly expanded attack surface that features cloud platforms, remote workforce channels, mobile platforms, digital supply chains and more.

Unsurprisingly, these new conditions for conducting business have resulted in a sharp increase in cyber threats and the intensity of damage caused by these attacks is growing at an alarming rate – so much so, that 88% of companies confirm having suffered a breach in the past 12 months. As a consequence, many businesses are now struggling to find the best way to address this increased risk and cost.

Investing in new technology solutions, adapting processes, and adopting zero trust best practices is a start. However, combating the rising tide of cyber threats also requires a rethink where cybersecurity is concerned.

To drive real and enduring change, organizations will need to embed security training into their workforce development strategy. Focusing everyone’s collective efforts on the importance of addressing security issues and maintaining the security posture of the enterprise.

Cybersecurity is everyone’s business

The pursuit of the digital agenda has significant implications for how firms operate. IT teams will need specific cybersecurity training in a whole range of category areas including cloud, IoT, open source and identity and access management, if they’re to keep IT systems secure.

Since many Dev and DevOps teams already view security as one of their primary responsibilities, it makes sense to shift more security responsibilities into these teams rather than creating new security roles. To support these extended responsibilities, teams will benefit from undergoing secure agile programming and penetration testing training that will boost their skills in this area.

Similarly, enabling security analysts to hone their techniques on the system and information security controls and governance will help prepare them to become knowledgeable security architects who can support business leaders as they evolve operational processes and practices.

However, dedicating time and resources to ensuring that technical staff are given the skills and know-how to proactively build increased resilience to cyber incidents and minimise the impact of incidents when these occur is just the start.

The majority of cyber attacks are still enabled via social engineering tactics such as phishing, baiting, scareware, spear phishing and pretexting. So non-technical staff will also need robust information security awareness training to make sure they are ultra-aware of the need for vigilance.

This includes ensuring they know how to identify a cyber threat and what action to take, understand what the organization expects from them in terms of safe working practices, and are clear on what constitutes risky behavior.

Ultimately, investing in expensive cyber defense technologies will be irrelevant if employees don’t know what to do when they are targeted by cybercriminals. Just one click can be all it takes to undermine an organization’s carefully constructed defenses. The aim of the game here should be to eliminate ‘preventable’ hacks.

Building a lasting cyber security culture

Without the right levels of cybersecurity awareness and skills, organizations are more likely to suffer data breaches or experience operational disruption and downtime. But with the right workforce training plan in place, everyone can acquire the right mindset and skills that are needed to successfully navigate today’s evolving cybersecurity threat landscape.

Building a lasting cybersecurity culture that entrenches awareness and knowledge across the workforce depends on four key pillars that are the foundation for sustainable success:

• Facilitate an enterprise-wide focus on a common goal – everyone in the organization needs to buy into cybersecurity and recognize they have a part to play. Providing clearly defined learning opportunities will help reinforce the organization’s commitment to providing every employee with access to cybersecurity skills training commensurate with their role. Regular updates and communications on the latest threats, together with ‘refresh your skills’ prompts, will help ensure everyone stays alert to the fact that ‘we’re in this together’ and that cybersecurity training is much more than a tick-box exercise.
• Adopt a blended approach to learning – learners are hungry for content they can access anytime, anywhere and want to be able to access a mix of resources including videos, podcasts, bite-sized and hands-on learning. Making it easy to digest learning in a format that works best for everyone’s individual style of knowledge acquisition and can be fitted around busy work schedules will help boost organization-wide uptake of all relevant learning opportunities.
• Nurture lifelong learning – serving up tailored recommendations that enable employees to accumulate knowledge and acquire certifications is a win-win for everyone. Encourage employees to build further on necessary or foundational skills, making it easy to pursue a guided self-development journey that will bolster their cybersecurity credentials for work and everyday life.
• Make learning immersive and ‘in the moment’ – initiating a creative approach to training will both engage employees and make them more proficient at identifying cyber threats. This could include putting practical skills learned to the test in controlled practice labs or gamified ‘attacker versus defender’ style environments. Introducing a gamification element is especially effective for taking security practitioners beyond traditional passive learning and into applying skills and tools to real-life scenarios. Enabling them to safely practice how to tackle threats they may later encounter head-on in their day jobs.

Cybersecurity training uptake reaches new heights

Recent analysis of data from Skillsoft’s own learning experience platform reveals how 2021 has proved to be a true inflection point for security learning and development in corporate environments.

Since 2019, we’ve observed a 53% increase in the total number of hours that learners are dedicating to security training content and courses on an annual basis. Further analysis of 25 industries – ranging from aerospace to banking and medical – reveals how the number of hours spent by learners jumped 80% in 2021 compared to the previous year.

The five industries that experienced the largest cybersecurity content consumption uptakes were legal, energy and utilities, healthcare, training and development, and non-profit.

Examining the top 10 security courses completed so far in 2021, web application security and cloud security fundamentals topped the list followed closely by certifications in social engineering techniques and attack types as well as basic cryptography principles.

All these findings indicate a positive move in the right direction, with organizations actively supporting IT specialists to pursue upskilling journeys and plug any existing skills gaps.

However, there is still work to be done when it comes to spreading awareness and education to all employees and maintaining a continuous culture of learning and curiosity. To be effective and sustainable, cybersecurity training must take place frequently and be accessible to all.

Security training can’t be a ‘stop and start’ or one-month priority

Making learning digestible and relevant to people within the context of their role will help ensure that appropriate cybersecurity behaviors are built-in, not bolted on. Similarly, giving employees a degree of flexibility and choice about the training they undertake is a sure-fire way to encourage uptake of cyber-defender skills.

To build the foundational workforce skills needed to operate securely in the digital age means organizations will need to find ways to cascade learning in the most cost-effective way possible.

Providing on-demand bite-size learning in a variety of formats is a great way to democratize access to cyber skills training that employees can consume on their own timelines.

Similarly, continuous learning can be encouraged and rewarded with automated Amazon-style personalized recommendations that enable people to tailor their next learning experience and share their learning milestones with colleagues.

Today’s immersive learning platforms can help organizations nurture and direct a sustainable cybersecurity L&D culture that develops the workforce capabilities, skills, and competencies needed to manage human risk and address business-specific vulnerabilities.