Cybersecurity has emerged as an important issue to discuss at the senior executive and board levels. Furthermore, it is already common for boards and leadership teams to include at least one member who has some experience in this critically important area. The reason is the disturbing growth of cyberthreats to businesses and the relative lack of success security teams have had in preventing attacks.
In addition, every senior executive will certainly agree that training must be an important part of the protection strategy. Executives know, for example, that tools are used to test which employees click on phishing links. However, that is often where their understanding of the best approach to cybersecurity training ends. Most boards do not know how training is embedded into their security program.
To address this issue, we offer below five questions that senior executives should ask their chief information security officer (CISO). While these questions might seem obvious, they will provide a more complete and accurate view of the training strategies and tactics being used within the organization to address the growing cybersecurity threat. Along with each question, we describe the kinds of answers senior executives should hope to hear.
- How are you training employees and managers to make good security decisions?
Not clicking on phishing links is just a small part of the security training required for employees, managers, consultants, and other trusted persons in an organization. The CISO should be able to explain how a comprehensive training program has been deployed to ensure that good security decisions are being made by these individuals and groups in all aspects of their routine work.
Such a program should focus on strong cybersecurity concepts and incorporate the best training methods. People will often respond best to multimedia training resources rather than dry reports or checklists. Good metrics should also be in place to ensure that everyone understands their full responsibilities for security—beyond just avoiding suspicious email links.
- How are you training our suppliers to make good security decisions?
More and more organizations experience significant data breaches because of poor cybersecurity management by their suppliers, partners and other third-party groups. Notorious hacking incidents, such as what occurred with IT management vendor SolarWinds, demonstrate the importance of focusing on and properly managing third-party cybersecurity risk.
The most common approach to third-party risk involves the use of questionnaires. A purchasing entity will ask its suppliers, for example, basic questions about whether they encrypt data, use strong passwords, etc. Rarely, however, do organizations ask about the kind of security training being performed within a third-party organization. Your CISO should agree to include such inquiries (if not already present) in all third-party contract negotiations.
- How are you using training to address the skills gap in cybersecurity?
Because the cybersecurity industry is evolving so quickly, with both offensive measures and defensive tactics changing daily, maintaining an excellent training program is essential for the security experts in the organization. In addition, good training programs can help to reduce staff churn in a competitive labor market.
For this reason, your CISO should clearly explain how security training is being used to retain good staff, not to mention improving the skills of everyone on the security team. This is important because identifying, hiring and retaining security-knowledgeable staff is difficult.
- How are you training our security experts to keep track of new technologies and vendors?
One of the biggest advantages that cybersecurity defense teams have is that new security technologies and commercial vendor offerings emerge all the time—literally on a daily basis. This provides defenders with a plethora of options in diverse areas such as endpoint protection, risk management, passwordless authentication, identity governance, zero-trust network access and on and on.
These new technologies can be complex, however, so CISOs must ensure that sufficient training is in place to help team members keep up. Executives should request information on how that is accomplished—perhaps through a mix of third-party security training offerings as well as through partnerships with vendors. It is not uncommon for commercial vendors to provide free training as part of a purchase deal. CISOs should be taking advantage of this option.
- How are you training our security teams to collaborate on their protection tasks?
A fifth question, and perhaps one of the most important, involves how the CISO is ensuring that teams are being trained to work together on security tasks. Cybersecurity is truly a team activity—one that requires support for smooth information sharing, coordination of insights and cooperation to follow agreed-upon workflow steps.
CISOs should be driving training initiatives for security teams to learn together. One great option involves so-called cyber range training, where security operations teams participate together on a routine, periodic basis, responding to pre-defined threat scenarios that match realistic attack conditions. By engaging in such training, CISOs help to ensure that when real incidents occur, their teams are ready to perform.