Africa Studio - stock.adobe.com
Using simulated disaster management to tackle the security skills gap
With the increasing need for cyber security professionals, organisations are turning to new ways to address the skills gap facing the security sector
Academic qualifications, such as Cyber Security & Computer Forensics BSc (Hons) and Cyber Security MSc, provide cyber security professionals with the necessary knowledge for their career, but nothing compares to real-world experience when dealing with potential network threats.
There is a line in a Star Wars film: “I should think that you Jedi would have more respect for the difference between knowledge and wisdom.” This is just as true in cyber security, where experience is equally as important as qualifications.
“When you are in a disaster recovery situation, you do not want the new person trying out the wings,” says Bruce Beam, chief information officer at (ISC)².
Unfortunately, the number of cyber security positions outweighs the number of available cyber security professionals. The demand for cyber security professionals has outpaced supply in recent years, due to emerging threats and organisations increasing the amount of business they conduct online.
According to a study, the number of organisations that reported shortages in the cyber security skills of their staff has increased over the past four years. In 2014, approximately 23% of organisations indicated this was a challenge, but this has now risen to more than 50%. Much of this rise has been due to the increasing workload of cyber security teams.
Continuing professional development (CPD) has been used to ensure that skills remain relevant. However, some training is purely academic and offers little real-world experience. “It is not like training someone to be a welder and giving them the basic skillset,” says Beam.
In order to overcome this challenge, organisations are turning to various ways to provide their cyber security interns with the necessary experience to tackle the online threats facing organisations. One way has been through mentoring schemes, where organisations assign an intern to an experienced cyber security professional. Mentoring allows a company to preserve their staff’s experience against retirement and poaching, however a drawback is that it can inadvertently reinforce bias.
Simulated disaster management
Some organisations are turning to simulated disaster management scenarios in order to provide their staff with the experience they need. Just as fire drills are used to assess how personnel respond to a potential incident, simulating critical failures allows organisations to see how their staff respond to such events.
“I always go back to my military training and one of the things we learned was to train like you are going to fight, because you will fight like you train,” says Beam.
Simulations allow cyber security personnel to experience critical failures, without any risk to the actual network or company data. These simulations can vary from disaster recovery scenarios to white hat hackers probing a company’s network defences to see how their IT teams respond to the perceived threat.
“Too many organisations talk about disaster recovery, but never really test it and make sure it is working the way they think it is working,” says Colin Tankard, managing director of Digital Pathways.
Read more about cyber security professional development
- (ISC)² invests in professional development of security workforce.
- Collaborative alliance to advance UK’s cyber security profession.
- The UK government has announced plans for a Cyber Security Council to form a strategy for developing future cyber talent.
- Despite government pledges to up cyber security spending across the NHS, there are still huge disparities in cyber security skills and spending on cyber security training, FoI requests reveal.
Simulated disaster management provides a replica of an organisation’s network architecture, thus providing a real-world experience, thereby making responses second-nature.
This allows cyber security teams to use the security tools that they would use in a genuine situation and to experience the network setup and traffic. In order to be effective, disaster scenarios need to be accurately simulated, including advanced, evolving threats, targeted malware and ransomware.
A more complex version of simulated training is to use white hat hackers to probe the network defences to see how soon the cyber security team are aware and how they respond to the threat. “I have heard of white hat teams spying on organisations to see where they can get in,” says Tankard. “That has been very successful for companies as they have seen how their people are reacting.”
Simulated disaster management can be costly. Not only is there the initial cost of ensuring the training scenario is realistic, but there is also personnel’s time away from their day-to-day operations. “You have to balance how much you are spending on it, because you can rapidly spend a budget on just one area,” says Beam.
Train the organisation, not the people
However, when done properly, simulated disaster scenarios do not just train the staff, but the organisation as a whole. Performing these disaster scenarios allows organisations to assess where they can improve their data recovery processes and whether any tasks can be automated. “You should look at it not just from the personnel aspect, but also from your TTPs – training, tactics and procedures,” says Beam.
These simulations do not have to just focus on IT teams. Instead, all personnel can be assessed to see how they respond to threats.
One classic technique to raise awareness is to scatter USB keys in the company carparks. This technique can be used to assess who picks up a USB stick and plugs it into their PC to find out who it belongs to, rather than handing it in to the appropriate team.
Another technique is to send company-wide phishing emails to see who responds to them. Not only does this raise awareness of threats posed by scammers, but it also highlights which personnel require further training in security awareness. When staff are aware of these techniques being used, it can encourage the reporting of security threats.
The cost of simulations may deter some organisations, but reviewing the results allows identification of areas where training should be focused in the future, maximising their cost-effectiveness.
“When you can take these metrics and show how your programme is improving the security of your company or disaster recovery reaction times, that is going to make managers want to invest,” says Beam.
With the growing skills shortage in cyber security, organisations need to consider adopting simulated disaster management training to complement CPD, in order to provide their staff with the necessary experience they need to counter threats in the future.