Organizations have relied on cyber awareness training for years, pouring tens of thousands of dollars into programs that promise to make employees ready to spot a phishing attack or confront other such threats. The problem is that the flawed "success metrics" of these trainings taint results and give organizations a false sense of security – and worse – an overconfidence in the cyber capabilities of their workforce.
It's time to consider new approaches to assessing, building, and proving cyber capabilities across the entire organization, with content relevant to every role. Fortunately, new approaches exist that can help organizations get a better picture of the real cyber capabilities of the workforce across all roles and functions.
The Flaws of Traditional Cyber Training
Many leaders perceive training to be a whopping success when they see a high rate of completion. But it's one thing to say someone has answered a series of multiple-choice questions correctly, and quite another to say with confidence that someone will have the ability to perform the tasks necessary to mitigate an attack during a real incident.
Most traditional cyber training tests no hands-on skills and runs no breach simulations. Such training does not report the granular performance data that can help organizations understand, baseline, benchmark and prove the cyber capabilities of teams and individuals. All these sessions tell you is that the course was completed, which doesn't necessarily translate into long-term cyber resilience.
A good way to think about this is the analogy of the school fire drill. What sets it apart from a multiple-choice test is that teachers and school administrators put all students through a mock exercise to practice what to do in the event of a real fire, and time how long it takes to reach safety so they can measure and continually improve over time. Organizations' success against cyber threats that target people requires a similar hands-on approach to exercising.
How to Build Cyber Resilience
The industry is beginning to leave traditional cyber training behind and adopt new approaches to people-centric cybersecurity to achieve lasting cyber resilience. These include implementing regular cybersecurity exercises that simulate real-life threats, so people throughout the organization – at all levels and roles – can test and improve their skills in a risk-free environment. To successfully build resilience to attacks, cybersecurity exercising programs must be:
- Realistic – Hands-on exercising must leverage realistic scenarios through simulations and gamification. Gamified learning environments drive up engagement and should cover the full spectrum of cybersecurity threats to help organizations continuously assess, build and prove cybersecurity skills.
- Continuous – Organizations that consistently exercise their teams and individuals demonstrate greater resilience against attacks. Cyber exercises should be conducted with a frequency that aligns with the rapid pace of attackers, fostering muscle memory for effective response.
- Organization-wide – To be successful, cyber skills development and exercising should span the entire organization. That means everyone from entry-level employees all the way to Board members, not just cyber teams.
- Tailored to individual roles – Content must also be tailored to every role in the organization. In cybersecurity, there is no one-size-fits-all approach.
- Measurable – Organizations require granular performance data to understand, baseline, benchmark, and prove cyber capabilities. This involves prioritizing activities that produce reports on breach readiness and incident response, shifting away from mere quantitative metrics related to the frequency of attacks and alerts. This enables you to build a more targeted and impactful cyber resilience strategy.
As attackers become more sophisticated in their techniques and attacks continue to send ripples across industries, the next phase of awareness should focus on knowing what people will do when they encounter those situations. We've been successful at making people aware. Now we need to shift focus to not only knowing what they would do in a given situation but also ensuring they do the right thing.
Legacy, in-person cybersecurity training is ineffective because it is focused on activities rather than outcomes, and on individuals rather than teams. By investing in continuous exercising that offers data-driven reports with actionable insights into where gaps exist, organizations can identify and fill skills gaps before it's too late. This in turn enables business leaders to be smarter with their security budgets, prioritize spend and get a better ROI on the solutions they are implementing.