Cybersecurity Success Is About Practice, Practice, Practice

Note: This article was originally published on SecurityRoundtable.org, an online magazine about cybersecurity by PLEX Cyber’s own Kevin O’Malley.

This article is part of a series hosted by Security Roundtable and powered by Palo Alto Networks that provides ideas for dealing with the ongoing cybersecurity challenges during the coronavirus (COVID-19) pandemic.

From a cybersecurity perspective, we will learn many lessons from the COVID-19 pandemic. One of the most important—and one that we should heed now to help manage the crisis—is the value of training and regular, ongoing, focused practice.

All of a sudden, we have more people working remotely than any of us dreamed possible. Many of our IT and cybersecurity personnel are working from home, as well as a whole new population of users who probably have never been trained on best practices in remote access and security.

Needless to say, cyber criminals are taking advantage of the situation by launching all kinds of attacks. It is not too late to provide proper cybersecurity training and practice to all of our various constituencies. In fact, it may be more necessary than ever.

We can use the same tools and technologies to train both our users and IT staff to stay safe from attacks. We can use simulations, remote video training and other techniques to ensure that they can work without risks to ongoing operations.

Cybersecurity Is Complex

I have always had a strong viewpoint about training. I have long believed, well before the pandemic, that most organizations do not devote nearly enough time, resources and commitment to cybersecurity training and practice. My philosophy has been to always include training and practice time with any purchase of cybersecurity hardware or software.

I imagine these strong feelings stem from my background in music, particularly playing the pipe organ, an extremely complicated instrument that takes high levels of skill combined with many hours of dedicated practice to play well, let alone master.

I couldn’t imagine performing on the pipe organ in public without a clear understanding of what I was playing, or without putting in many, many hours of devoted practice toward understanding not just the notes, but also the nuances of both the instrument and the music.

Cybersecurity offers many similar challenges. Organizations spend tens of thousands of dollars on sophisticated technology, yet we don’t give the people who’ll use it proper time to train on it or to practice what they have learned.

In cybersecurity, practice is often an afterthought. As a result, we fail to take advantage of many of the key features available to us and waste the money we have invested. In addition, we sometimes add duplicate technologies and tools simply because we’re unaware of all the features we could be using. But most importantly, cybersecurity professionals are asked to configure key security equipment with little or no training or practice.

On the user side, we know that user errors are perhaps our biggest vulnerability, and hackers are using sophisticated social engineering techniques to induce mistakes. According to one survey, 57% of CIOs said mobile workers had been hacked or caused a mobile security issue; 94% said the use of bring-your-own-device (BYOD) programs has increased security risks. As the number of remote users grows, these risks will continue to rise.

Instill a Culture of Practice

So, what can we do now and in the long term to make training and practice a fundamental cybersecurity imperative?

There must be a solid commitment to training and practice, which would start at the top. The board of directors, CEO, CTO, CFO and CISO must create a culture of training and ensure that it’s part of the cybersecurity budgeting process.

Accountability is key to creating this culture. We should make clear what the expectations are, and perhaps even include training goals in the performance evaluation of employees.

Specifically, users should be given space to practice in a lab or sandbox environment that doesn’t risk production environments. The increased use of cloud computing and virtualization makes these simulated environments more feasible than ever before.

For example, one of the biggest challenges for cybersecurity professionals is learning how to interpret the data—monitoring, measuring, usage, etc.—for their particular environment. Which events warrant an alert, and which don’t? What in the analytics is critical, and what can be put aside?

If you don’t know what you’re looking at, and if you don’t know how to fine-tune your reports, you are constantly struggling against a lot of noise. The only way to become proficient at that is through training and practice.

Similarly, we must use safe simulations such as phishing templates for our people in an effort to raise their awareness and give them practice in discerning and interpreting the information they receive. Many of the templates we are using are related to coronavirus itself, because that is where we are vulnerable right now. When we identify users making mistakes, we make sure they get special training.

We can also use computer-based training programs and teleconferencing more frequently by taking advantage of the fact that people are home and may have more time to practice. We can use remote tabletop exercises and other techniques to make cybersecurity training and practice a regular routine.

The Most Intellectual Profession

“Cybersecurity is perhaps the most difficult intellectual profession on the planet,” security expert Dan Geer once said. I couldn’t agree more. Cybersecurity is complex and hard. And cyber criminals are smart and always looking for a way to exploit your system to cause you loss of revenue and damage to your business.

As remote work becomes the norm, there’s an opportunity to teach users the basic fundamentals of cybersecurity, such as what a VPN is or how a firewall works. We can learn lessons from our emergency personnel—police, firefighters, EMTs—who are constantly practicing so they’re prepared for the unexpected.

I go back once again to my music discipline. In music as in cybersecurity, there are myriad things to remember. This requires a never-ending array of practice scenarios. Armed with muscle memory, you and your people can keep balance and focus. And, hopefully, we will all reap the benefits.

Kevin O’Malley is an employee of PLEX Cyber, LLC