By: Cybrary Staff
October 25, 2021
Cybersecurity Awareness - Cybersecurity Awareness Standards
Cybersecurity Awareness Month – Adhering to cybersecurity awareness standards
With numerous standards and frameworks developed around security awareness and training, formulating the best strategy can be difficult.
Summary: With numerous standards, certifications, and frameworks developed to help counter today’s evolving cyber threat landscape, it can be difficult for business leaders to formulate a comprehensive training strategy. This guide explores some of the most popular and proven options for developing such a plan.
Most people still view cybersecurity as a technical challenge and the sole responsibility of the IT or information security department. This view is undoubtedly a root cause of the continuing rise of cybercrime globally.
The reality is that cybersecurity is a human challenge before it is a technical one. Technology, in many cases, is simply a medium through which criminals launch their attacks, often by way of highly targeted social engineering scams.
People, not technology, are squarely on the front lines to protect themselves against cyber threats. Technical and administrative measures are vital but are only effective when the responsible users receive proper training.
This very fact is what Cybersecurity Awareness Month is all about. Held every October, this collaborative effort between government and industry seeks to ensure every organization and individual has the resources they need to stay safe in today’s hyperconnected world.
Here are the four weekly themes addressed this year:
Week 1 covers cybersecurity fundamentals, including how simple actions can help make a significant difference in securing our digital lives.
Week 2 focuses on one of the most common cyber threats of all – social engineering scams, including how they exploit other vulnerabilities as well as human weakness.
Week 3, in partnership with the National Initiative for Cybersecurity Education (NICE), explores the vital role that training plays in building a global cybersecurity workforce.
Week 4 emphasizes the role of cybersecurity in driving innovation without adding risk and how security must be a priority rather than an afterthought.
Good cybersecurity hygiene begins with education and awareness. Employees of every rank and industry are still falling victim to phishing scams. Many people are still failing to take relatively simple measures, such as locking their smartphone screens or using adequately strong passwords.
There has never been a stronger case for organizations to invest in their employees, given the continuing skills shortage in the information security space. After all, insider threat, typically due to negligence rather than malicious intent, remains the top cause of data breaches. This threat factor is why every business should adopt a robust security awareness and training program while investing in its internal talent to build an effective and efficient cybersecurity team. While outsourcing cybersecurity expertise is an increasingly popular option, the responsibility still falls to employees and internal stakeholders to a significant degree.
Below, we will look at the three main steps to achieve organization-wide security awareness.
#1. Identify skills gaps to mitigate risk
By now, most business leaders are used to carrying out risk assessments. Such assessments, however, typically only cover technical and administrative vulnerabilities. While those are essential, it is every bit as important to identify the vulnerabilities in employees. A single poorly informed employee can be all it takes to render even the most robust technical measures and policies all but useless.
An organization’s employees are its greatest asset, but they can also be its greatest threat. For example, overworked employees may be more prone to making mistakes, such as leaving their devices unlocked when away from the desk or clicking on a malicious link in an email. The same applies to those who are poorly informed about the risks.
Another common problem is that roles and responsibilities are poorly defined. As mentioned earlier, many people still view cybersecurity as the sole responsibility of the IT department. To create a culture of accountability, all employees must be up to speed with how security factors into their roles and responsibilities, even if they are not directly involved in IT.
One of the easiest ways to identify skills gaps is to use targeted assessments and advanced analytics to gain a clearer view of the team’s skills. These steps will help pinpoint areas in need of further development and people who need additional training. Direct learning content can help those who need it most, regardless of their role, function, or level of experience.
#2. Personalize skills development
In every organization, employees will be at varying levels of security awareness. While much of this comes down to the individual roles in the organization, some may still fall short in terms of the security-related knowledge they need to perform their roles without unnecessarily adding risk. Other skills gaps may be down to not having a particular position filled at all. While some roles, such as a CISO or SOC analyst, might be outsourced, especially in the case of smaller businesses, there may still be a strong case for filling a position internally.
Personalized skills development programs should be tailored to the business’s unique requirements and the degree of knowledge and experience of each employee. Moreover, any such program should align with widely recognized industry standards, such as the NIST Cybersecurity Framework and DoD 8140. When choosing a workforce development platform, creating custom career paths can also be a valuable feature to have.
#3. Create a long-term training program
Cybersecurity awareness training is not a quick fix, nor is it something organizations should expect to do just once – or even once per year. In an industry where the only constant is change, the need for an adaptable, ongoing training program should be clear. Training should be continuous and integral to every employee’s role.
When it comes to training employees for specific roles in cybersecurity, a blend of self-paced and on-the-clock learning can give businesses and their teams the flexibility needed to absorb as much knowledge as possible. This method is especially important when preparing employees for demanding industry accreditations, such as CompTIA Security+ or CISSP.
Finally, for seamless implementation and adoption of any training program, businesses should partner with a provider that offers a dedicated customer success manager. A CSM will become invaluable in providing recommendations, establishing goals, tracking progress, and providing ongoing support.
Cybrary for Teams is an all-in-one workforce development platform that helps organizations develop stronger cybersecurity skills, prepare for new certifications, and track team progress.