Five Questions Senior Executives Should Ask CISOs About Training
EDWARD AMOROSO, TAG CYBER
DEBBIE GORDON, CLOUD RANGE
Senior executives should use the five questions posed here to ensure that their CISO is effectively leveraging modern training options to minimize cyber risks to the enterprise.
Cybersecurity has emerged as an important component of the conversations that occur at the senior executive and board levels. Furthermore, it is no longer uncommon for boards and leadership teams to include at least one member who has some experience in this critically important area. Such emphasis tracks the disturbing growth of cyber threats to business and the relative lack of success security teams have had in preventing attacks.
In addition, every senior executive will certainly agree that training must be an important part of the protection strategy. Executives know, for example, that simulated phishing tools are used to test which employees click on suspicious links. Such anecdotal data, however, is usually where their understanding of cyber-related training ends. Most boards have little insight into how training is actually embedded in the security program: who is trained, on what, how often, and how its effect is measured.
To address this issue, we offer below five questions that senior executives should ask their Chief Information Security Officer (CISO). While these questions might seem obvious, they will provide a complete and accurate view of the training strategies and tactics being used within the organization to address the growing cyber threat. Along with each question, we offer guidance below on the types of answers senior executives should hope to hear.
1. HOW ARE YOU TRAINING EMPLOYEES AND MANAGERS TO MAKE GOOD SECURITY DECISIONS?
The avoidance of phishing links is just a small part of the security training required for employees, managers, consultants, and other trusted agents in an organization. The CISO should be able to explain how a comprehensive training program has been deployed to ensure that good security decisions are being made by these individuals and groups in all aspects of their day-to-day work.
Such a program should include attention to good foundational cyber security concepts and incorporate the best training methods. Modern learners, for example, will often respond best to multi-media training resources rather than dry reports or checklists. Good metrics should also be in place to ensure that everyone understands their full responsibilities for security – beyond just avoiding suspicious email links.
2. HOW ARE YOU TRAINING OUR SUPPLIERS TO MAKE GOOD SECURITY DECISIONS?
It has become much too common for organizations to experience significant data breaches because of sloppy cyber security management by their suppliers, partners, and other third-party groups. Well-known incidents such as the compromise of IT management vendor SolarWinds, whose trojanized software update reached its customers' networks, demonstrate the importance of focusing on and properly managing third-party cyber risk.
The most common approach to third-party risk involves the use of questionnaires. A purchasing entity will ask its suppliers, for example, basic questions about whether they encrypt data, enforce strong authentication, and so on. Rarely, however, do organizations demand insight into the security training actually performed within a third party: who receives it, how often, and whether it covers the roles that touch the purchaser's data or systems. Your CISO should agree to include such inquiries (if not already present) in all third-party contract negotiations and in periodic supplier reviews.
3. HOW ARE YOU USING TRAINING TO ADDRESS THE SKILLS GAP IN CYBER SECURITY?
Because the cyber security industry is evolving so quickly, with both offensive measures and defensive tactics changing daily, maintaining an excellent training program is essential for the security experts in the organization. As such, good training programs can be a source of employee satisfaction, especially with security experts, and can help to reduce staff churn in a competitive labor market.
For this reason, your CISO should clearly explain how security training is being used to retain good staff, as well as to improve the skills of everyone on the security team. A program that does both reduces attrition and lessens the need to replace underperforming team members. This is important, because identifying, hiring, and retaining security-knowledgeable staff is difficult, given the demand from organizations in all sectors, sizes, and regions.
4. HOW ARE YOU TRAINING OUR SECURITY EXPERTS TO KEEP TRACK OF NEW TECHNOLOGIES AND VENDORS?
One of the biggest advantages that cyber defensive teams have is that new security technologies and commercial vendor offerings emerge – literally on a daily basis. This provides defenders with a plethora of options in diverse areas such as endpoint protection, risk management, passwordless authentication, identity governance, and zero trust network access, among many others.
These new technologies can be complex, however, so CISOs must ensure that sufficient training is in place to help team members keep up. Executives should request information on how that is accomplished – perhaps through a mix of third-party security training offerings and partnership with vendors. It is not uncommon for commercial vendors to provide product training at no extra cost as part of a purchase deal; CISOs should negotiate for it and take advantage of it.
5. HOW ARE YOU TRAINING OUR SECURITY TEAMS TO COORDINATE IN THEIR PROTECTION TASKS?
A fifth question, and perhaps one of the most important ones, involves how the CISO is ensuring that teams are being trained to work together on security tasks. Unlike some types of business specialization, cyber security is truly a team activity – one that requires support for smooth information sharing, coordination of insights, and cooperation to follow agreed-upon workflow steps.
CISOs should thus be driving training initiatives for security teams to learn together. One strong option is so-called cyber range training, in which security operations teams participate together, on a routine and periodic basis, in responding to pre-defined threat scenarios that match realistic attack conditions. Executives should ask how often such exercises run, whether they are scored against the team's own playbooks, and what changed as a result of the last one. By engaging in such training, CISOs help to ensure that when real incidents occur, their teams are ready to perform.
This article was featured in Security Boulevard on June 6, 2022.
From AT&T to NSA’s Advisory Board—Ed Amoroso has held groundbreaking leadership positions in multiple arenas, working primarily with telecommunications and cybersecurity as developer, engineer and entrepreneur. As the founder and CEO of TAG Cyber, Ed is a prolific writer and pioneering manager, a computer scientist and inventor, holding ten cybersecurity patents, including software protection designs used by the DOD.
As founder and CEO of Cloud Range, Debbie Gordon is a globally recognized entrepreneur leading a new category in cybersecurity. Cloud Range was founded on the premise of closing the cybersecurity skills gap by giving security teams the ability to gain real life experience and practice defending against live cyber attacks in a protected customized dynamic environment. A consummate entrepreneur, Debbie began her career 25+ years ago in the technical education/certification space and has since built and sold several companies in eCommerce, IT asset management, and training.