When a cyberattack hits, you need a prepared security team – not certificates
Cybersecurity training has entwined with certification over the years, but whether it should have is up for debate. The former is dynamic, practical and limitless; the latter is rigid, theoretical and finite. So why did we start measuring cyber skills with bits of paper? Well, the first antivirus was created in the 1970s to protect technology from attack, and this evolved to protecting connected machines (networks) and eventually cloud-based operations too. Throughout much of this time – particularly the 20th century – certificates were an adequate way of measuring human capability, proving the holder could utilize tools to protect specific technologies.
But the cyber-certs relationship was not built to last. It’s as if a young liberal paired up with a conservative partner only to realize that, with the passing of time, they had little in common. Cyber is a rapidly changing industry, and complacent defenders lose pace quicker than you can say ‘data breach’. The field demands people with demonstrable, evolving skill sets, yet most organizations judge the cyber capability of their employees on the certificates they hold, not the hands-on experience they’ve acquired.
Cybersecurity has now moved to an era of intelligence monitoring and incident response that is incompatible with legacy training. Businesses want to proactively detect and react to security incidents, and this has highlighted the challenges we face around people, dynamic skill sets, and capability measurement.
You’re no doubt familiar with the ‘cyber skills gap’, which, while overstated, has arisen from a lack of demonstrable cyber skills in the workplace. This is down to investment in security technology dwarfing investment in human capability. We’re seeing a rise in spending on talent, but the weighting is still far from equal; people remain an afterthought, with boards wrongly considering tech a cyber panacea.
The lack of investment in people may be down to the way business leaders view traditional cyber training methods and certifications, as these are outdated in their approach and often involve sitting in a hotel room and watching PowerPoint presentations (an approach dubbed eLearning). These methods may suit some industries and subjects, but people with an aptitude for cyber typically possess a hands-on approach to learning, and that means they want to develop skills by thinking outside the box.
When it comes to cyber skills development and the eLearning that accompanies many certifications, the approach is very much ‘next, next, finished’. But at the end of the course, that’s it: it is literally finished. You get your certificate but no longer have access to the learning material, and the techniques you’ve learned – often theoretically – are soon outdated. Cybersecurity is a fluid industry, and it is never game over. There is always an emerging technique to learn, an innovative way of working to adapt, or a new attack to defend against. The pace of change in cybersecurity is simply too quick for this static approach to developing human capability.
The best ways to equip people with cyber skills are exercising and simulation – practical methods that build muscle memory and can be utilized during a cyber crisis. When an organization faces an incident and the pressure is on, nobody will run to their desk, pull out a certificate and say, ‘don’t worry guys, I’ve got this!’. Cyberattacks don’t happen on paper. You need people who can call on an actual experience that led to them acquiring a skill – a skill that can be used in the event to minimize damage.
Formula 1 is a great example of this kind of learning: at maximum speed, while pushing the absolute limit, the drivers find a way to press the right combination of buttons on the steering wheel to increase performance on the fly. It’s hugely impressive, but the only reason they are able to respond appropriately – especially when something goes wrong – is that they’ve built muscle memory when thrown those challenges in rigorous and highly realistic simulations. There are examples of this approach working in the military, emergency services and other high-pressure environments too, which begs the question: why is it so underutilized in cybersecurity?
Those with cyber aptitude benefit from simulations because they want to get hands-on with stuff; they’re the sort who break things apart to see how they work. It’s why hackers have always been a step ahead: they learn by doing and develop through experience, unbound by laws and regulations. Now it’s time for defenders to follow a similar model. Take Kevin Mitnick, for example; he was the FBI’s most wanted hacker in the 1990s, eventually spending five years in jail for his crimes. Now, however, he runs a security consulting firm and helps both Fortune 500 companies and the FBI perform penetration testing services. He also teaches social engineering classes so that people can prevent the very attacks from which he used to profit. It is our duty as an industry to learn how to best engage and maximize the human capabilities of these talented individuals.
At Immersive Labs we know that exercising and simulation are the key to developing human cyber capability. From our Immersive Originals that drop users into hyper-realistic scenarios, to our Threat Intelligence labs that provide hands-on experience of real-world attacks, we enable users to upskill anywhere, anytime. To book a demo and see how cyber pros learn, speak to one of our sales team today.