Is training the missing link in cybersecurity?

Much has been written about the skills shortage in information security, but the problem goes deeper than the 40,000 jobs in the profession that are unfilled every year or even the expected shortage of 2 million information security pros by 2019. It also afflicts cyber warriors already in the data trenches.

Almost half (46%) of chief information security officers doubt that their existing workers have the skills to detect and respond to a cyber attack on their organizations, according to a survey conducted earlier this year by ISACA, an association for professionals involved in information security, assurance, risk management, and governance. "Although the skills gap is a big issue, organizations want to know what they can do today to address the problem," said ISACA's chief innovation officer, Frank Schettini.

The skills shortage shouldn't be confused with a manpower shortage. There's no shortage of people who want to get into the security field, noted Scott Crawford, research director for information security at 451 Research.

"What there's a shortage of is people with the skills born of experience in the field, particularly when it comes to looking for both threats and weaknesses in an environment."
Scott Crawford

Many security training platforms focus on tool sets and how they're implemented, with only a brief understanding of attack methods, said Israel Barak, CISO of Cybereason. "There's really no emphasis at all on how attackers bypass security technologies and what approaches can be used to detect and protect against malicious activity," he added.

New training platform emerges

That skills gap is especially evident among new hires. Not only is it taking longer to fill information security slots, but many new hires need additional training once they're brought into the fold. The ISACA survey found that 25% of organizations took six months to fill an information security position. Meanwhile, more than a third of those organizations (37%) said new hires needed additional training after being brought aboard.

"They're accepting people who don't have the skills because they have this huge hole to fill."
Frank Schettini

From ISACA's surveys and member feedback, it became apparent to the association that the industry needed a training platform that was flexible and economical and provided a hands-on approach to skills acquisition. So in April it launched its Cybersecurity Nexus Training (CSX) Platform and Assessment Tool. "ISACA has been mostly focused on governance, risk management, and compliance, so this is a welcome sign from them and an acknowledgment that more technical expertise is needed in the field," Crawford observed.

He explained that for years ISACA—as well as many other certification bodies—has concentrated more on security management than on hands-on technical expertise and experience. CSX has the potential to change that and address the immediate needs of CISOs to beef up the skills of their existing people.

"Training like ISACA's can help close gaps by giving people the fundamental technical knowledge that they need. It can shorten the time it takes to gain a level of understanding that's necessary to do the job."
Frank Schettini

Barak added: "ISACA's hands-on approach is extremely valuable for the development of professional intuition and versatility that's required of security professionals."

Crawford cautioned, however, that to get those results, the training needs to be realistic and require a person to think like an attacker to achieve an objective.

Flexibility for a fast-moving space

Flexibility is an attractive aspect of the CSX platform. It can be targeted at groups of existing workers or new employees, tailored to individuals, and even used by educational institutions.

The labs are cloud-based and hands-on. Students or trainees use a web browser to access an environment where they must respond in real time to system threats. Because the training takes place in the cloud, it has no local footprint. Participants in the program don't have to worry about providing trainers or classroom space or distributing and collecting tests. The self-service approach is one that some CISOs will welcome.

"There are definitely challenges to finding off-the-shelf resources to train personnel, especially when it comes to self-service options."
Israel Barak

The platform allows ISACA to be nimble. Currently, about 100 hours of training and labs are part of the program, but more content is being added all the time. "Cybersecurity changes almost every week," ISACA's Schettini noted. "There are new threats that happen and old threats that resuscitate themselves. The beauty of the platform is we're on a quarterly update cycle where we create new apps and training based on what we see in industry trends as well as what our clients are asking us to do."

At the RSA Conference in San Francisco earlier this year, Schettini recalled, one security pro told him he wished his developers had a better understanding of the impact their code could have on an organization's security. "So we took that and created a lab to show how a bad coding practice can create a hole in a firewall and allow bad actors to get in," he said. "The platform can be useful not only to security practitioners, but to network engineers and software developers, too."

Hire with eyes wide open

The CSX platform also has an assessment component. The two-hour tool allows an organization to assess the skill levels of both employees and job candidates. It can be customized to individuals so a training regimen can be tailored to help a person improve his or her weaker skills.

Schettini noted that the assessment tool can be useful to HR departments. "It allows you to make a decision with your eyes wide open," he said. "Based on the score from the tool, you can decide if you want to hire the person, and if you do hire them, you'll know [in which] areas you may have to provide additional training for them."

If done right, the assessment tool can be valuable for hiring managers. "It lets them know for sure that a candidate has a basic set of fundamentals," said Schettini. "It probably won't help with getting the candidate productive on day one, but you know they have a fundamental understanding of security."  

Cost was another element ISACA took into account when designing the CSX platform. Security training courses today can cost from $4,000 to $6,000 per person. By comparison, ISACA will provide its training to 10 users for $21,000. As a bonus, some of the training modules can be used as credit for certifications offered by the association.

"Most training programs have a budget for one or two out of five or six people," Schettini said. "What do the other four people learn? This platform allows you to train in a cost-effective manner in real time, on-demand, at a much lower price point, with material that's constantly evolving."

Security goes to college

As the training program grows, Schettini sees it expanding beyond its initial focus on security pros to other occupations such as auditors, network engineers, and software developers, and to markets beyond the enterprise, such as individual practitioners and educational institutions.

"The really big play will be academia. We're working with several universities globally on how they can implement it."
Frank Schettini

A lot of universities are starting to implement cybersecurity programs, but very few of those programs are producing industry-grade professionals, said Cybereason's Barak. "Programs like the one launched by ISACA and others can play an important role in enabling on a large scale academic institutions to raise their standards," he said.

However, Schettini acknowledged that working with universities can be challenging. "Each academic institution is its own beast," he said. "It has its own bureaucracy, its own politics, so coming up with an academic program that can be used across the board can be a real challenge."

The value of the CSX platform may lie in the short term, said Ajit Sancheti, CEO of Preempt, a behavior-based authentication company. He believes ISACA's training program is filling a gap until the universities can catch up with demand.

"For the next few years, the ISACA program is going to be an important way to get the fundamentals right. Over time, I'm not sure it will be as relevant."
Ajit Sancheti