Five Questions To Ask Your CISO About Training

Cybersecurity has emerged as an important component of the conversations that occur at the senior executive and board levels. Furthermore, it is no longer uncommon for boards and leadership teams to include at least one member who has some experience in this critically important area. Such emphasis tracks the disturbing growth of cyberthreats to businesses and the relative lack of success security teams have had in preventing attacks.

In addition, every senior executive will certainly agree that training must be an important part of the protection strategy. Executives know, for example, that tools are used to test which employees click on phishing links. Such anecdotal data, however, is where their understanding of the best approach to cybersecurity-related training will end. Most boards, for example, will have little insight into how training is embedded into their security program.

To address this issue, we offer below five questions that senior executives should ask their chief information security officer (CISO). While these questions might seem obvious, they will provide a more complete and accurate view of the training strategies and tactics being used within the organization to address the growing cybersecurity threat. Along with each question, we offer guidance below on the types of answers senior executives should hope to hear.

1. How are you training employees and managers to make good security decisions?

The avoidance of phishing links is just a small part of the security training required for employees, managers, consultants and other trusted agents in an organization. The CISO should be able to explain how a comprehensive training program has been deployed to ensure that good security decisions are being made by these individuals and groups in all aspects of their day-to-day work.

Such a program should include attention to good foundational cybersecurity concepts and incorporate the best training methods. Modern learners, for example, will often respond best to multimedia training resources rather than dry reports or checklists. Good metrics should also be in place to ensure that everyone understands their full responsibilities for security—beyond just avoiding suspicious email links.

2. How are you training our suppliers to make good security decisions?

It has become much too common for organizations to experience significant data breaches because of sloppy cybersecurity management by their suppliers, partners and other third-party groups. Well-known hacking incidents, such as what occurred recently with IT management vendor SolarWinds, demonstrate the importance of focusing on and properly managing third-party cybersecurity risk. 

The most common approach to third-party risk involves the use of questionnaires. A purchasing entity will ask its suppliers, for example, basic questions about whether they encrypt data, use good passwords and so on. Rarely, however, do organizations demand insight into the manner of security training being performed within a third-party organization. Your CISO should agree to include such inquiries (if not already present) in all third-party contract negotiations.

3. How are you using training to address the skills gap in cybersecurity?

Because the cybersecurity industry is evolving so quickly, with both offensive measures and defensive tactics changing daily, maintaining an excellent training program is essential for the security experts in the organization. Beyond keeping skills current, good training programs can be a source of employee satisfaction, especially among security experts, and can help to reduce staff churn in a competitive labor market.

For this reason, your CISO should clearly explain how security training is being used to retain good staff, not to mention improving the skills of everyone on the security team. By doing so, attrition is reduced and the need to replace ineffective team members is also addressed. This is important, because identifying, hiring and retaining security-knowledgeable staff is difficult, given the needs of organizations in all sectors, sizes and regions.

4. How are you training our security experts to keep track of new technologies and vendors?

One of the biggest advantages that cybersecurity defense teams have is that new security technologies and commercial vendor offerings emerge all the time—literally on a daily basis. This provides defenders with a plethora of options in diverse areas such as endpoint protection, risk management, passwordless authentication, identity governance, zero-trust network access and on and on.

These new technologies can be complex, however, so CISOs must ensure that sufficient training is in place to help team members keep up. Executives should request information on how that is accomplished—perhaps through a mix of third-party security training offerings as well as through partnerships with vendors. It is not uncommon for commercial vendors to provide free training as part of a purchase deal. CISOs should be taking advantage of this option.

5. How are you training our security teams to collaborate on their protection tasks?

A fifth question, and perhaps one of the most important, involves how the CISO is ensuring that teams are being trained to work together on security tasks. Unlike some types of business specialization, cybersecurity is truly a team activity—one that requires support for smooth information sharing, coordination of insights and cooperation to follow agreed-upon workflow steps.

CISOs should be driving training initiatives for security teams to learn together. One great option involves so-called cyber range training, where security operations teams participate together on a routine, periodic basis, responding to pre-defined threat scenarios that match realistic attack conditions. By engaging in such training, CISOs help to ensure that when real incidents occur, their teams are ready to perform.


Debbie Gordon, founder and CEO of Cloud Range, contributed to this article.

Ed Amoroso

From AT&T to NSA’s Advisory Board—Ed Amoroso has held groundbreaking leadership positions in multiple arenas, working primarily with telecommunications and cybersecurity as developer, engineer, and entrepreneur. As the founder and CEO of TAG Cyber, Ed is a prolific writer and pioneering manager, a computer scientist, and inventor, holding ten cybersecurity patents, including software protection designs used by the DOD.