
Training for Security Pros: Things Change Constantly

By Douglas Rivers

Training is one of those interesting areas that everyone believes they can do. Not everyone can do marketing, coding or analysis, but everyone typically believes they can train someone else. This is only partially true. Here are a few of the traps people tend to fall into when it comes to managing risk and working in the cybersecurity industry. And, yes, don’t worry, we have some solutions that can help you deal with these challenges. More on that later! The traps:

Trap 1: “The Comfort Trap”

There is a human tendency not to see things objectively, but instead to actively find things that fit one’s own views. This occurs often in the learning process. The security industry is composed of very highly trained and skilled professionals. Sometimes this works to their disadvantage. There is a danger of being comfortable to the point where any research or educational pursuit is done just to confirm already acquired knowledge or skill sets.

Meanwhile, the “bad guys” are using creative techniques, some not terribly technical, to bypass legacy thinking. Signature-based technologies, the addiction to the “reactive security” mindset, and security solutions that require an entire intrusive separate infrastructure are, surprisingly, concepts a lot of security professionals are used to and defend. Anything that runs contrary to that knowledge challenges their core beliefs, and that prevents the reception of new knowledge.

The danger is that learning stops because many security professionals believe that they have a handle on how attacks work and that they’ll be breached at some point anyway. Prevention has almost gone by the wayside. We do not have to rely on having a recovery play in order to react to a breach that could have been prevented in the first place.

The fix:

Keep learning! Read forums where people are sharing their experiences, ask your team and your customers what new threats they’re seeing in the field. Conduct regular trainings and accept that this is an industry that’s constantly in flux. Attackers aren’t settling into the comfort trap, so you can’t either!

Trap 2: “It’s Worked For Me There, it Will Work For Me Here…”

I once worked for a company that brought on a Senior Executive Leader with an impressive record at another organization. Bolstered by success, he was confident in his all-encompassing corporate methodology even though this new company he was to lead was in a different industry.

When he came onboard, he immediately instructed the education and training teams to implement his vision, which was a duplicate process/system of what worked for him previously. There was no adjustment or compromise or incorporation of new ideas. No consideration of the different industry, nor even an assessment period to understand the differences in systems, processes, and customer threats. Every concept referred to his former company verbatim. Other executive leaders were required to recite, by memory, HIS stories to teach subordinates.

He was gone in 18 months.

The fix:

Past experience is valuable but not an absolute roadmap. Unquestioning obedience to past experience without allowing actual learning, adjustment, and the introduction of new ideas, especially in an industry where the threat environment changes daily, will work against you. Confidence in presenting your teams’ work to the executives is one thing, but setting expectations that you’re listening to your team and learning about the threats your customers are facing should go a long way in managing risks and in presenting your security team as a competent and capable group.

Trap 3: Planning Training Without Accounting For How Your Team Learns Best

A course developer who worked for me was having a frustrating time getting a certain Active Directory function to work. He spent a lot of hours scouring vendor knowledge base articles and documentation to find a solution for the issue he was encountering. In desperation he went to YouTube, did a search, and found a short video by a 17-year-old student that addressed his issue and, in a few minutes, he had an understanding of how to solve it.

Many speak of the “millennial effect” and how that has influenced attention spans and learning. In reality, this has affected more than millennials, of course. How many people nowadays have the patience to read manuals? We watch a three-minute YouTube video or read a thread on a forum of security folks and crowdsource our learning. Or, God forbid, we ask Alexa.

This isn’t about “dumbing down” instructional content as much as it is about focus and competing for attention in a “connected” world. Email, social media, conference technologies and just about anything else could be a distraction.

The fix:

In Education, you don’t want to be just the manual, the KB article, or the course… you want to be that 17-year-old kid with knowledge that can be used immediately.

Trap 4: Assuming That if Training Materials Are Accurate, They’re Engaging

Simulations and Discovery

Which of these scenarios resonates better?

“Create a policy for Company X that has full Auto Quarantine enabled for this group of employees.”

“Company X has a sales force (laptop users) that have been high risk users in the past. They tend to connect to unsecured wireless access points and may be off the corporate network for weeks at a time. What kind of policy would be appropriate in this scenario?”

Education can become just “noise” with careless repetition, bullet-point, text-heavy PowerPoint slides, and unicast “do this, and click this” directions. The question in most students’ minds at any given time in a classroom is “how does this apply to me?”

The fix:

It has been said that people learn more through simulation and real-world scenarios. Lab exercises and discussions are better when they actually mean something to someone trying to learn a skill or product. “Hands on” and “deep dive” are terms used often in technology training, but if not given in the correct context, they become just noise and the chances of actually educating are significantly decreased.

In the second example above a student can go through the UI with some limited guidance, use their new knowledge and answer. The exercise has a better chance of retention because the student found the answer through discovery. They might also debate and defend their answer with their classmates who might have different perspectives or found different ways. These are ideal outcomes. All these actions support learning better than blindly following steps, with minimal understanding, in a serial fashion.

You need to listen to your students. You need to understand how they learn best in order to retain that information for practical application. Visual learners exist and are probably on your team, as are people who learn by hearing real-world examples, as are those who need to memorize definitions of the things they’re learning.

To be the best teacher, you have to offer a variety of training options for your team. The key, really, is to talk openly with your team to see if your style of teaching is working for them and, if not, actually ask them how they’d like to learn.

Ongoing Trainings for Security Professionals are a Must

Cylance Education Services released the Cylance Security Professional Beta exam in October to customers and channel partners who had signed up previously through the Cylance Community. This exam and the accreditation that goes with it was a major step forward in Education and Enablement activities at Cylance, but it is not an end state.

The goal of any Education team is knowledge transfer and the promotion of competency, not just testing. To do this requires a fundamental consideration of not only exams and the material being taught, but also how people learn in the present day given technology, and other social dynamics that influence behavior and affect the retention of knowledge.

Yes, you can train others, but can you get the outcomes that will encourage not just knowledge retention but competency? Are you considering how people process information in the present day? Can you adjust and explore alternative training techniques that encourage interactivity and knowledge retention?

These are the questions we at Cylance Education Services are asking ourselves daily. The CSP beta exam may seem like a more traditional way of measuring knowledge, but it is one component of a larger education strategy that aspires to be both effective and relevant.

About Douglas Rivers

Douglas Rivers, Director of Cylance Global Education Services, has been in the security field for over 20 years in various capacities, including physical security, investigations, executive protection, sales engineering and technical product management. He is a graduate of the University of Michigan (B.A.) and the Army War College (M.S.) and holds both CISSP and CISA certifications. In addition to his work in Education and Training at Cylance, Douglas is a Naval Reserve Officer and a Reserve Sheriff’s Deputy assigned to a unit tasked with the investigation of technology related criminal activity.

The opinions expressed in guest author articles are solely those of the contributor, and do not necessarily reflect those of Cylance.
