Prioritizing People as Part of the Risk Management Process
An information security program is only as effective as the capability of the people who design, implement and operate it. As we consult with numerous large, small and mid-sized companies, we’ve identified some common trends and gaps.
- Tool Saturation – Many organizations have plenty of tools to work with. In some cases they have too many tools and not enough expertise to deploy and operate what they already own, because technical staff have not been trained on them.
- Alert Fatigue – There are simply too many alerts, and analysts need the training to sift through SOC dashboards and identify legitimate attacks. This requires a fundamental understanding of how these attacks work.
- Fragmented Incident Response – Many cybersecurity programs still lack structure and process. Effective incident response requires coordination and training among SOC and Blue team staff members.
- Little or No In-house Red Team Expertise – Most companies are still outsourcing all of their pen testing operations. Even if you do, your staff needs to be able to interpret and act on pen testing reports. This requires ethical hacking expertise on staff.
- Absence of formally designated cybersecurity leadership – Too many companies have still not appointed formal CISOs. This leads to fragmentation in how companies manage and deal with risk across various departments and organizations.
We Can Help
Let us help by offering free skills assessments for your team. These assessments are the first step in identifying where your strengths and gaps are in terms of the skills and expertise of your staff. Our skills assessments map to the NICE cybersecurity initiative, which includes the following knowledge domains:
- Oversee and Govern – Specialty areas providing leadership, management, direction, and/or development and advocacy so that individuals and organizations may effectively conduct cybersecurity work.
- Investigate – Specialty areas responsible for investigation of cyber events and/or crimes of information technology (IT) systems, networks, and digital evidence.
- Securely Provision – Specialty areas responsible for conceptualizing, designing, and building secure information technology (IT) systems (i.e., responsible for some aspect of systems development).
- Protect and Defend – Specialty areas responsible for identification, analysis, and mitigation of threats to internal information technology (IT) systems or networks.
- Analyze – Specialty areas responsible for highly specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence.
- Operate and Maintain – Specialty areas responsible for providing support, administration, and maintenance necessary to ensure effective and efficient information technology (IT) system performance and security.
- Collect and Operate – Specialty areas responsible for specialized denial and deception operations and collection of cybersecurity information that may be used to develop intelligence.
Building the Business Case for Training
Building an effective business case for cybersecurity training involves measurement. We help companies measure where their staff’s current skill levels are in relation to industry averages and common benchmarks. We can provide you with informative reports which you can leverage to identify the current state of readiness of your staff.
When asking your team to take assessments, make sure they understand that the assessment is simply a tool to help justify training, and that by taking it they can form a better understanding of where their knowledge strengths and gaps are relative to their respective job roles. Employees will generally be receptive to participating if they know that it can help justify training and advancement.
From an HR and recruiting standpoint it is evident that there is a true cybersecurity talent shortage in the marketplace today. Simply dialing up a recruiter and asking them to hire the right cybersecurity talent can be an expensive and sometimes fruitless proposition. In our experience there are tangible benefits in training your existing staff by providing them with the exact skills they need to achieve the risk management objectives of your business. It is much less costly in terms of time and capital to train your existing staff.
Many IT departments have too many tools and not enough qualified or trained staff to operate them. Shifting budgets from tools to training can help make better use of your existing tools investments and deliver better results both tactically and strategically.
We understand that not all organizations want to pay for the actual certification testing and are more interested in the actual training and results delivered. We offer packages that include or exclude exam vouchers as part of our training partnership. In some cases it is practical to have employees purchase their own exam vouchers to pursue the actual certifications if they wish to do so.
Contact one of our cybersecurity training advisors to find out how we can help enable your organization to most effectively manage risk today.