Basic Principles in Designing an Education and Upskilling Strategy

This blog was originally published by CXO REvolutionaries here.

Written by Greg Simpson, Chief Technology Officer (retired), Synchrony.

One of the oldest cliches about business is that the only constant is change. And while we’ve all heard that one too many times, it is, like many cliches, fundamentally true.

Furthermore, it’s even more aptly applied to the tech world, and within that, to the cybersecurity world. Such is the incredible pace of change – in attack methodologies and malware; in malicious actors; in computational architectures; in best practices; in new solutions; and, in the potential business consequences of failure – that all security professionals must constantly educate themselves and evolve. We must always strive to ensure we’re up to speed and proactively ready to address, or better yet preclude, emerging threats.

However, as with any other sphere of human endeavor, there are better and worse ways to go about this. Those of us in a position to shape ongoing learning – how it happens, whom it involves, and where its focus lies – should try to optimize that (much as we might optimize a security architecture).

What follows, therefore, are some general thoughts to consider in formulating a strategy to retrain and upskill your cybersecurity workforce to solve the challenges of the future.

Build the right culture

One of the most important aspects of an upskilling strategy is also one of the fuzziest: culture.

For education to deliver the intended value, every cybersecurity team member must embrace certain key ideas – not just about security as a topic, but more generally about the inevitability of technical change and the overarching need to learn and adapt.

What some might consider a continuous chore, top-tier security professionals will instead consider a continuous opportunity to excel.

Those who aren’t in alignment with such a culture will struggle with the technical aspects of their jobs and to fit in professionally with the rest. If you don’t want to learn, you probably won’t – and in cybersecurity, the business impact of any reluctance to learn can be devastating. Incoming job candidates should be vetted with this principle in mind.

It’s also important for team members to understand that security is best implemented from the ground up, beginning at the earliest possible point, which in practice means accelerating the application of new ideas. So whenever learning takes place, the next logical step should be to consider all the ways newly-learned ideas might be leveraged in current or future projects to reduce risks. A little cultural proactivity in applying the new material can go a very long way.

And security professionals should also realize they are more than agents of security – they’re also advocates, even evangelists, of security. What they learn themselves, they can often pass on to others. Perhaps that means the specifics – a process, a best practice, a technology – or perhaps it simply means encouraging others to think practically about risk and the various ways it can manifest via technical infrastructure.

If this happens often enough, the security culture becomes not just successful but self-sustaining, and the value of education to the team is multiplied.

Incorporate the big picture and the long term

No two organizations have the same context or architecture, so no two will have the same upskilling strategy for security professionals. But it’s still always wise to consider where the business model, the service types, and the architecture are headed — not just where they are today.

Think of skeet shooting: it’s not really about aiming at a target, but at its projected future location. The same principle applies to security upskilling.

Of course, it’s important to incorporate the current paradigm, but as we’ve all seen lately, in business change is not just constant – it can essentially be instant. The pandemic is a good instance of that phenomenon at work; organizations that had already anticipated remote work on a mass scale adapted faster, better, and at lower risk and costs than those that had not.

So if for instance your business model and service portfolio are shifting in a cloud-ward direction, you will need to consider where they’re going to be in a year, in two years, in five years – and educate the security team accordingly.

That will mean accepting, among other things, that security will increasingly be a collaboration between the team and external partners, and then choosing partners that fit your current and future goals and requirements.

Once those partners are chosen, the specifics of educating your team concerning responsibilities, technology, and other factors will often logically slot into place to ensure a good fit with your partners, and the capabilities they’ll bring to the table, as they work with you to fortify the company infrastructure.

Finally, though security is continually evolving as a field, we endorse the following core principles as a central part of any upskilling strategy:

• Zero Trust Architecture ideas and implementations. No two entities in any network transaction, human or machine, should ever be unverified if access is to be granted.
• A minimal, ideally nonexistent, attack surface. The team must strive to eliminate assets, services, and data that are exposed to the internet. Security partners that can provide a logical buffer to protect against such exposure are directly on point.
• Maximum flexibility in workforce distribution and service deployment. Does your security strategy support a completely remote workforce for an indefinite time? Does it support any combination of services and their architectures, both in-house and cloud-hosted? If not, it probably should – and the faster, the better.
• Make sure your company embraces the basics of good security practice. You need to involve your entire company in the upskilling process. Make sure the employees understand the risks of phishing and how to avoid it. Until you can completely replace passwords with more secure identification processes, make sure the passwords you do have are strong. A great security strategy can be sidestepped if your non-security colleagues don’t understand the risks.