How to plan for your organization-wide cyber security skills
Cyber security is one of the key pillars of the digital transformation era. It is the body of technologies, processes, practices, and tools designed to protect networks, computer systems, and data from unauthorized access, attack, or damage. It covers identifying threats, fending off attacks, and responding immediately to incidents. Cyber security spans a broad array of technologies and IT infrastructure and is crucial to the success of a business. A lack of it can have far-reaching business impact: the average consolidated total cost of a data breach is $4 million.
Cyber Security Skills to Build
Organizations must build the cyber security function from the ground up, from the role of the Chief Information Security Officer (CISO) down to the teams at ground level. The key skills to build correspond to the eight domains of the (ISC)2 CISSP Common Body of Knowledge:
- Security and Risk Management: Security, risk, compliance, law, regulations, and business continuity
- Asset Security: Protecting the security of assets
- Security Engineering: Engineering and management of security
- Communication and Network Security: Designing and protecting network security
- Identity and Access Management: Controlling access and managing identity
- Security Assessment and Testing: Designing, performing, and analyzing security testing
- Security Operations: Investigations, incident management, and disaster recovery
- Software Development Security: Understanding, applying, and enforcing software security throughout the software development lifecycle
These skills are intricately tied to the key roles that exist in the function.
Cyber Security Roles
L&D and HR must collaborate with the following stakeholders to build the above-mentioned skills:
- C-suite: the CISO, Chief Technology Officer, and Chief Information Officer at the strategy end
- Senior and mid-level management: information security architects, security consultants, project managers, etc.
- Ground level: security engineers, security analysts, security administrators, network administrators, security auditors, developers, etc. at the implementation end
How to build a skill development plan for cyber security
L&D and HR must create viable learning and career paths that keep in mind both the organization's security goals and employees' career needs. Any of the following approaches can help:
- Role-based approach: Hire and/or train for the specific roles listed above.
- Topic-based approach: Hire and/or train by skill area to cover the domains listed above.
- Certification-based approach: Hire and/or train toward specialized certifications.
Here are a few steps the L&D team needs to consider when approaching cyber security skill-building:
- Provide access to the right learning content, i.e. certifications:
A recognized certification is a useful signal of a security professional's competence. It assures stakeholders of the holder's credibility, and certified professionals are better placed to drive the security agenda on both the technical and the people front. Certifications you should offer your employees include:
- ISACA: Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM)
- (ISC)2: Certified Information Systems Security Professional (CISSP) and Systems Security Certified Practitioner (SSCP), the latter being more popular in India
- CompTIA: a US-based IT industry association whose Security+ certification is a good entry point for beginners
- EC-Council: Certified Ethical Hacker (CEH) and Computer Hacking Forensic Investigator (CHFI)
- Develop the right learning-delivery channels:
It is important to devise the right learning channels to ensure absorption, retention, and practical application. Here are a few options:
- Implement a technology learning platform where training courses can be deployed and employees can learn on the go, at any time.
- Allow employees to enroll in online university courses, such as Massive Open Online Courses (MOOCs) or online webinars. Assess the industry value of the training beforehand.
- Encourage employees to attend security and technology conferences, and fund their attendance at paid events if needed.
- Avail of support from public or regulatory bodies through their formal support programs. For example, NASSCOM and Symantec have signed an MoU for "Building Cyber Security Skills", an initiative to develop skilled and certified professionals in India.
- Use social learning, both online and offline. Schedule informal learning sessions and rope in the IT team to spread the message about security.
Making an organization truly cyber-secure cannot be the prerogative of a few employees. Security starts with every individual being more aware, alert, and responsible. Organizations must educate their employees and define guidelines that empower every employee to take the right action to keep the organization secure. Start by formulating and communicating an organization-wide security policy, running awareness campaigns through email and post-it reminders, and carrying out cyber incident simulations. Teach employees to navigate the digital world with a watchful eye, and half your job is done.
Insights from this article are curated from a webinar and other sources