By: Dr. Edward Amoroso
July 15, 2020
Why Enterprise Security Leaders Should Inspire Continuous Learning
Continuous learning means more effective cybersecurity in the modern enterprise
As in many industry sectors, the only constant in cybersecurity is change. Obtaining technical certifications and degrees isn’t enough to call yourself an expert. That’s not to suggest they’re not important – they most certainly are – but such credentials are only the beginning. Cyber professionals need to support a culture of continuous learning to prepare themselves for new and emerging threats.
Many of the things which worked a couple of decades ago are no longer relevant. The threat landscape is evolving by the day, posing an ongoing challenge to those tasked with protecting their organization’s digital assets. Thus, security professionals must be unrelenting in looking for opportunities to empower their teams and employees across the organization to become better at security. They need to be one step ahead of cybercriminals.
What makes a modern CISO’s role different?
The modern cybersecurity leader isn’t the person who says no. No longer do they work alone, with their sole responsibilities being to apply enterprise-wide security controls and policies. If anything, their job is more about people than technology. They’re team players; enablers of innovation who support an environment of continuous learning throughout the organization.
Continuous learning is a constant cycle that starts with learning. Learning sparks discussion which supports the practice and the application of new solutions. And, when challenges arise, the cycle goes full circle back to the learning stage. It’s a problem-solving process that starts with understanding the problem, delving into solutions, applying those solutions and, finally, testing and validating them.
Especially in a field as dynamic as cybersecurity, learning isn’t about teaching a finished result. It’s about making educated guesses and deductions, asking the right questions, and helping people learn independently. After all, innovation in cybersecurity, just as in any other business department, is a journey rather than a destination.
Rule 1: Learning must be continuous and lifelong
We all know that no one ever stops learning. But, in the context of career development, we typically associate learning with formal education, certifications, and degrees. However, in a constantly changing sector like cybersecurity, many older models no longer apply. And much like outdated software, an outdated skillset is a security risk in itself. Today’s cyberthreat landscape looks very different to how it did a decade ago. Learning is a lifelong process. In cybersecurity, it’s about keeping informed about the latest trends and developments.
Rule 2: Learning must be tailored
Learning styles change with age and experience, which is why it’s also important to create an open learning environment that adapts to the way different teams and individuals learn. Some people prefer a more hands-on experience with labs and other practical tests. Others prefer a more traditional approach by way of textbooks. Some prefer to learn online, while others prefer in-person training. Of course, the optimal training style varies with the subject matter and other factors too, but it’s important to provide a tailored learning space people feel comfortable with.
Rule 3: Diverse teams always learn more thoroughly
Encouraging diversity isn’t just about moral and ethical responsibilities. It also offers practical advantages in the form of multiple perspectives and higher chances of insight. Cybersecurity is an extremely broad topic, and no one could possibly claim to know everything about it. This is why it’s important to have a diverse range of perspectives to combat both technological and human threats. Cybersecurity leaders also need to forge close relationships beyond their own departments, and promoting diversity is often a critical part of that.
Rule 4: Learning requires focused attention
The often urgent and complex nature of cybersecurity incidents requires focused attention. If your mind starts to wander, it’s easy to get sidetracked by something else and lose focus on what’s most important in the here and now. The same applies in learning, and the ability to focus is a critical skill when dealing with potential incidents. Most incidents involve a human factor, so cybersecurity leaders need to be able to focus on factors like intent and tactics too. This requires in-depth analytical thinking and, equally, the ability to switch off when you’re not able to focus.
Rule 5: Learning requires personal interest
It’s safe to say that most people don’t count cybersecurity among their favorite subjects, but that doesn’t mean learning about it should be boring for them. After all, people rarely pick up a textbook or join a seminar on a whim. Rather, they learn things because they’re relevant to them. And cybersecurity is relevant to everyone who uses the internet, both at home and in the workplace. Thus, cybersecurity leaders need to engage their colleagues and partners on a more personal level by making it about them, and not all about the needs of the business.
Rule 6: Innovation depends on learning
Innovation is all about learning. No team can ever hope to innovate if they don’t have a diverse range of voices bringing new ideas to the table. Research is the learning process that supports innovation, and cybersecurity should be central to that process. After all, cybersecurity is no longer all about enforcing rules and policies, but also about empowering innovation without adding risk. Innovation might be an inherently uncertain process, but adopting a culture of continuous learning makes it all the easier to innovate safely.
Rule 7: The most effective learning is actionable
The greatest responsibility of any modern cybersecurity leadership role is changing human behavior through actionable learning. People should be able to leave a training session with knowledge and attitudes they can apply immediately. Even failures should be taken as insights into how to improve. Regret, by contrast, isn’t actionable, so it has no practical purpose in the learning process. Instead, training should enable people to practice the actions which build confidence and competence and, ultimately, change their behavior for the better.