Training: The Real Cyber Security Vulnerability

People often ask me, “What do you think is the number one issue in cyber security today?”

This is a problem that has a lot of focus. Go to any security conference or trade show, and you’ll find a line of companies ready to push their widget. Plug in this and ingest that; it’s a never-ending stream of alerts, indicators, intelligence, vulnerabilities, and patches. But is technology really the problem? Do we really need more blinking lights and flashing screens? What is the real weakness in our cyber security process?

The fact of the matter is that no matter what technology you are using, there is still a human at the end of the keyboard. We have all spent a significant amount of time and effort on innovation in the technology solutions that power our cyber security landscape. Yet this is done at the expense of one of our most precious assets: our team. So, my answer to the question, “What do you think is the number one issue in cyber security today?” Training.

Sadly, training has become an overloaded term; it means anything from reading a PowerPoint, to watching a video, or even going to a university for a degree. But there is one common trend in the vast majority of the “training” available out there. It’s entirely individual, and typically theoretical in nature. Sure, the material has a quantifiable effect in the real world, but does reading from a book or listening to a lecture really give you the experience you need to make a real practical impact?

Even worse than the lack of practically-applied training is the absence of team-based training. Companies hire people to work together, as a team. It’s rare that you’re the only person performing cyber security tasks for your given organization. Employees are expected to walk in the door with a vast array of skills, then learn to work as part of an effective team. This is a challenge that’s complicated by the mere fact that “on the job,” by its very nature, indicates there is an actual job to be done! So, why is our industry’s normal operating procedure to focus on individual training followed by a “trial by fire?”

What is really the solution to this problem? I think the answer is simple: Training through Cyber Exercises. The military has a mantra: “train like you fight, fight like you train.” Military phrases might be cliche at this point, but I think the theory holds true. It doesn’t make any sense to wait until your organization suffers from a doomsday scenario to test your policies or your team. Cyber exercises give you the opportunity to test and train in both areas. In fact, you get the full spread of skills; from technical, to team-work, to soft-skills like documentation and communication. The great thing about training through a cyber exercise is you get both the benefits of training, and the advantage of testing your plan. Your team can learn new skills, technologies, or processes, all while learning to work effectively as a group.

Assistant Director Joseph M. Demarest of the FBI Cyber Division said, “You’re going to be hacked, have a plan.” Demarest is right; we live in a time when it’s no longer a matter of if, but when you’re going to experience a cyber intrusion. However, one thing Demarest didn’t expand on is the fact that a plan isn’t a plan unless it has been fully tested. Just like we’ve become accustomed to testing our backups from time to time, it’s important we test our plans. When the unfortunate day comes where you’re faced with a serious cyber incident, your team should be acting on muscle memory, not reading the organization policies locked away in a dusty filing cabinet.

So to summarize, while technological innovation in cyber security is vital, we cannot forget about our personnel! Realistic, hands-on training is one method to not only build the team synergy you desire, but also to acquire the critical skills needed in this ever-changing field. The next time you’re thinking of hardening your organization’s security posture, don’t forget about your cyber warriors!

Full Disclosure: WraySec, LLC sells cyber exercise services and products.
