Cybersecurity Training Often a Tangled Web
New study points to a growing opportunity for CLOs to protect sensitive corporate data.
Damaging cybersecurity attacks have become an increasingly regular occurrence in business. After its 2013 breach, Target Corp. notified 70 million customers that hackers had stolen their personal data from its systems. In 2016, Yahoo Inc. told 500 million users that their names, email addresses, dates of birth and telephone numbers had been stolen. And just this week, a massive ransomware attack hit computer systems across Europe and the United States, the second such attack in two months.
Not coincidentally, a new study released this week found a growing need for training programs that close the security skills gap facing many companies. “The Evolution of Security Skills,” a report from the Computing Technology Industry Association, a nonprofit trade association, found only 21 percent of businesses completely satisfied with their current level of security.
It’s not for lack of effort. According to the report, 60 percent of companies use training to close their security skill gaps and 48 percent certify technologists to ensure their skills are up to date. But the reality is that training has failed to keep pace with ever-evolving security threats.
The State of Security Training
Seth Robinson, a CompTIA senior researcher, said many companies simply don’t do enough. Typical training takes place during onboarding or as an annual security refresher where employees are merely asked to validate they have read the policy.
“What we are seeing companies move toward as they become more intentional and aggressive about cybersecurity is training that is more interactive, possibly customized into job roles and training that can be measured,” he said. “This training is usually delivered online and it might be delivered similarly to other HR training like safety or sexual harassment training.”
At Mastercard Inc., the learning department developed a simulated email phishing attack paired with targeted training for the employees who clicked on the suspicious links. That training helped bring the rate at which employees opened phishing emails to 63 percent below the industry benchmark.
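The measurement behind a program like Mastercard's is worth seeing in code. The following is an added example written for this article, not Mastercard's or CompTIA's code: it issues each recipient of a simulated phishing campaign a per-person tracking token (an HMAC over the campaign id and address, so one employee cannot guess or enumerate a colleague's link and skew the numbers), attributes clicks from a constructed web-server log while discarding forged tokens, lists who should receive targeted training, and compares the campaign's click rate with a benchmark. The campaign secret, the log line format, the recipient list and the 27 percent benchmark click rate are all assumptions made for the example; with those numbers, 2 clicks among 20 recipients lands about 63 percent below the benchmark, the figure quoted above.

```python
import hashlib
import hmac

# Assumed campaign secret for this example; a real program loads it from a
# secrets store so tokens cannot be regenerated by anyone who reads the code.
CAMPAIGN_SECRET = b"example-campaign-secret"


def tracking_token(campaign_id: str, email: str) -> str:
    """Per-recipient link token: HMAC-SHA256 over campaign id and address.
    Unlike a sequential id, it cannot be guessed or enumerated by an employee
    who sees a colleague's link, so a click really attributes to that person."""
    msg = f"{campaign_id}:{email.strip().lower()}".encode()
    return hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def issue_links(campaign_id: str, emails: list[str]) -> dict[str, str]:
    """Map token -> email for the recipients of one simulated campaign."""
    return {tracking_token(campaign_id, e): e for e in emails}


def attribute_clicks(log_lines: list[str], tokens: dict[str, str]) -> set[str]:
    """Return the addresses whose tracking link was opened.
    Expects constructed lines of the form '<timestamp> GET /t/<token> <ip>';
    anything else, including forged or truncated tokens, is ignored."""
    clicked = set()
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4 or parts[1] != "GET" or not parts[2].startswith("/t/"):
            continue
        email = tokens.get(parts[2][len("/t/"):])
        if email is not None:
            clicked.add(email)
    return clicked


def click_rate(recipients: int, clicked: set[str]) -> float:
    """Share of recipients who opened their link (repeat clicks count once)."""
    return len(clicked) / recipients


def fraction_below_benchmark(rate: float, benchmark: float) -> float:
    """How far the campaign's click rate sits below a benchmark rate
    (0.63 means 63 percent below the benchmark)."""
    return (benchmark - rate) / benchmark


def run_campaign() -> dict:
    """Run the example end to end on a constructed recipient list and log."""
    campaign = "q2-invoice-lure"
    emails = [f"user{i:02d}@example.com" for i in range(20)]
    tokens = issue_links(campaign, emails)
    by_email = {e: t for t, e in tokens.items()}
    log = [  # constructed web-server log for the example
        f"2017-06-27T09:01:12Z GET /t/{by_email['user03@example.com']} 10.1.2.3",
        f"2017-06-27T09:02:40Z GET /t/{by_email['user03@example.com']} 10.1.2.3",  # repeat click
        f"2017-06-27T09:05:07Z GET /t/{by_email['user11@example.com']} 10.1.9.8",
        "2017-06-27T09:06:00Z GET /t/0000000000000000ffffffffffffffff 10.1.5.5",  # forged token
        "2017-06-27T09:06:30Z GET /favicon.ico 10.1.5.5",
    ]
    clicked = attribute_clicks(log, tokens)
    rate = click_rate(len(emails), clicked)
    benchmark = 0.27  # assumed industry click rate used for the comparison
    return {
        "needs_training": sorted(clicked),
        "click_rate": rate,
        "below_benchmark": fraction_below_benchmark(rate, benchmark),
    }


if __name__ == "__main__":
    print(run_campaign())
```

The point of the HMAC token is measurement integrity: with predictable per-user ids, an employee who received the lure could open a colleague's link and hand that colleague a training assignment, or an attacker who sees the simulation could generate valid-looking hits. Keeping the raw click log and the derived list separate also lets the learning department re-run the numbers with a different benchmark later.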
That proactive role in developing training to secure sensitive data and critical technology systems is increasingly needed. Jeffrey Morgan, president of e-Volve Information Technology Services, said IT security is not primarily about the technology but rather about policy, procedure and people – all areas where training can play an important role in preventing security breaches. Approximately 60 percent of problems result from human error, he said.
“Mostly training seems pretty weak,” he said. “Training tends to be better in well-run private sector organizations that are used to complying with standards.”
Weak spots tend to be local government and start-ups, where training is of low quality or absent altogether and people aren't aligned to a security policy or process, he added.
The Role of CLO
One challenge highlighted in the report is that organizations tend to place emphasis on threats they understand best even if those types of threats may not be the most harmful. Robinson said a good first step is to lean on the IT team for basic understanding of each threat but not rely on them for everything.
“As much as companies are becoming more collaborative around their technology decision-making and procurement, companies are still looking to the IT or technical team to manage security,” Robinson said. “But the IT function may not be the best solution for providing training to the workforce and understanding how to make that training engaging and effective.”
Providing that solution often falls to the CLO, who can also play a role in bringing together the needs of IT and the business. IT needs to better understand what the business is trying to accomplish, and the business side must understand the rigor and discipline IT provides to keep the business safe, Robinson said.
Learning departments can also identify the new skills and expertise needed to secure the enterprise. Between 18 and 32 percent of companies surveyed said their existing security expertise needs significant improvement.
“Sometimes new skills are needed to deal with specific technologies like intrusion detection, intrusion prevention and data loss prevention,” Robinson said. “Sometimes it’s simply the right mindset and finding those people that may be thinking about security in a different way and understand how security applies across a modern IT architecture that employs cloud computing and mobile devices.”
All this prevention doesn't come cheap, but Robinson urged companies to invest because the cost of not investing is even greater, as this week's ransomware attacks illustrate.
“Whether there’s the ability to bring in new people or whether companies are restricted to training, there’s probably going to be some additional investment there, if not in dollars at least in the time spent for employees to come up to speed on these new things,” he said. “Companies have to be willing to invest in training — but then also have the ability to measure if they are getting what they want out of it.”
As the increasing pace of threats shows, the need for ongoing cybersecurity training will remain strong. “Security is a continual learning thing — you have to be at it all the time,” Morgan said.
Ave Rio is associate editor for Chief Learning Officer magazine. She can be reached at editor@CLOmedia.com.