Risk resulting from a cybersecurity event affects the entire organization. “As such, the cyber workforce—those responsible for preventing and responding to an attack—are no longer limited to just ‘the geeks in the basement,’” said James Hadley, CEO and founder of Immersive Labs, in an email exchange. “Until we prioritize cyber skills and education for the workforce at large, the threat landscape will continue to outpace us.”
To be more precise, cyberattacks can have a financial, reputational, regulatory, legal and technical impact. “This goes far beyond making sure employees don’t click on a phishing email,” Hadley added. “When cyber risk is all-pervasive, the skills that go towards protection and response must be equally as extensive.”
When every team is equipped with the cybersecurity skills relevant to each team member’s role, good things happen. For example:
- The CISO ensures the entire workforce is ready to respond to a cyberattack.
- Communications and media teams know how to handle the impact of a breach on a company’s reputation.
- Legal teams understand and advise on legal matters, such as whether to pay a ransom in a ransomware attack.
- Incident-response teams know how to identify and resolve a major security issue.
Hadley said not to overlook executives and board members: “They also need to embrace a new mindset of seeing human capabilities as a wider part of risk-reduction strategies.”
With the entire workforce involved and understanding what their roles are, the organization will be far better equipped to avoid and, when needed, respond to cyberthreats. Hadley brought up a good point: “Bringing together diverse and creative minds is the answer to building a skilled, capable workforce that can defend against cyber risks.”
How to build a strong cyber-preparedness strategy
In cybersecurity, many believe the workforce is the weak link and is to blame for most incidents; Hadley suggested something different. He believes human capabilities have been undervalued and underutilized. He agreed that technology is vital, but so are the people who use it, and this is where human cyber capability comes into play.
“Having visibility of human cyber capability across the entire organization is crucial to building a strong, in-depth, cyber-preparedness strategy,” Hadley said. “Through continuous testing, analyzing and optimizing role-specific cyber capabilities spanning the entire organization, members of the organization can visualize and maximize the workforce’s expertise to meet ever-evolving risks.”
Cyber capability determination and training
The best way to improve a workforce’s resilience is to measure human capabilities and continually improve them in line with cybersecurity risk. “This is easier said than done,” Hadley said. “The challenge becomes creating an up-to-date picture of the workforce’s knowledge, skills and judgment against attacks, which change from one minute to the next.”
That said, it’s worth the effort. Some examples of insights gained:
- How well board members will respond to a cyber crisis.
- The security capabilities of a DevOps team.
- Where weaknesses leave the organization digitally exposed.
- Where to inject new human cyber capabilities.
To obtain up-to-date information, Hadley suggested data-driven benchmarking exercises. “The most effective way we’ve found to measure human cyber capability is through continuous, light-touch testing,” he said. “By running people through practical, simple, role-specific content and micro-drills based on emerging threats, you create a database of knowledge, skills and judgement inside your organization.”
“It is not dissimilar to the way organizations patch technology, but instead of software being updated, it is people,” Hadley said. This approach:
- Increases competency of the cybersecurity department.
- Supports and justifies department managers.
- Informs and reassures C-level executives and board members.
- Enables a continued cycle of improvement.
- Allows human capabilities to be applied more strategically to a fast-changing threat.
Don’t forget to train your new hires
An organization’s cyber-resilience comes down to knowledge, skills and judgment. Hiring talent aligned with these pillars makes the difference between a proactive and reactive cybersecurity strategy.
Hadley believes there’s an unconscious bias in hiring. “Certifications and education can often work against the process of hiring skilled talent by reinforcing bias towards people who have the right pieces of paper,” he said. “The best people for the job may not be the ones with security experience or background—they just need to prove they can do the job by looking at their cyber capability.”
Why training staff is a good cybersecurity method
Using cyber-capability tools seems like a good approach to involve the organization’s entire workforce. “By prioritizing the people and measuring their human capabilities, those responsible can analyze and assess an organization’s overall security posture in a way that includes its people, not just its technology,” Hadley said. “CISOs can justify their spending and, more importantly, C-suite executives and board members will be less anxious, knowing everyone is prepared as much as possible.”