Why We’re Losing the Cybersecurity Education Game

There is a broad gap between purposeful learning with personal development benefits and catalog-based eLearning programs. One approach can boost employee development and create a culture of learning and critical thinking while the other actually stifles employee development in the name of education.

We face critical skills shortages across the board, but perhaps nowhere is the shortage more dangerous than in the field of cybersecurity.

Why?

Because in survey after survey, international business leaders rank cyber incidents in a virtual dead heat for first place among business risks, cited by 40% of respondents alongside business interruptions caused by events like supply chain disruptions (3,000 leaders surveyed by the Allianz Risk Barometer in 2021). In addition, with looming changes in technology like 5G, the global pressure toward digitalization will likely transform traditional breaches into “black swans”: rare, unpredictable events with potentially severe impacts that no one could have foreseen.

And while not wanting to put too fine a point on it, cybersecurity breaches are 20 points ahead of trade wars and tariffs, natural disasters, monetary policies, political instability, war, terrorism, riots and looting on the grand risk list.

Global cybercrime already causes a $1 trillion drag on the economy—a 50% jump from just two years ago.

And since 95% of breaches are caused by human error (IBM Cyber Security Intelligence Index Report 2021), it is clear where most of the work on preparation, readiness, hygiene and awareness needs to be done. Yet we continue to ignore the opportunity to grow and upskill our existing workforce.

Why?

Education

Most folks will go right to budget as the culprit, but my belief is that most companies are both too resource-constrained to properly administer cybersecurity education and stymied by implementation, management and measurement roadblocks.

Buying some enterprise license seats and pointing employees at a catalog of coursework is very different from guiding them through a set of predetermined learning paths designed to achieve specific goals. Employees want to understand what they are learning and why. They need a context in which to place the coursework, and they need to see how each path evolves and becomes part of a larger whole. Without context, it is difficult for learners to imagine a before and after, or to understand the long-term value that both they and their employer can extract from the effort.

One of the other main reasons training programs fail is a lack of proper planning and framework. Without constructing a solid framework or defining actionable goals and milestones, your program will leave your team uninterested and unsure of their role in cybersecurity in general and within your own enterprise in particular.

Security Awareness?

Many companies conduct security awareness training in an ad hoc manner, without a solid framework or plan and most do not get buy-in from senior management. Without senior management acknowledging they too need the same level of security awareness as the troops, any program will fail. We follow leaders. When they don’t lead, we don’t follow. All programs then become nothing more than an information dump wherein the audience is given more information than they can process, resulting in confusion and disinterest.

Learners must have context and it is incumbent upon the L&D teams to create that environment. Without it, Security Awareness training becomes digital shelf-ware and the enterprise loses an advantage upon which to build a culture of cybersecurity consciousness.

Learners, not unlike any other audience, must also be entertained. It doesn’t matter how often you conduct security awareness training sessions; if your training content is boring, no one is going to pay attention. Facts and statistics have their place. Used sparingly, they are useful in support of arguments that lift your thesis; beyond that, they get in the way of meaning. Don’t kill your program by overloading your learners with data points. They care about how to detect a phishing attack, not how many phishing attacks lead to breaches.

Cybersecurity awareness is a marathon, not a sprint. Your goal should be to help people form good habits that lead to positive behavioral change, and that process, like any other discipline, takes time and requires rigor; it will not get done overnight. You need to communicate security practices and messages regularly and set the tone for the rigor you want your learners to follow when applying all of the information you are sharing. You cannot create a culture with a one-and-done approach.

Yes, this means that a person needs to be assigned to this job, and it cannot be someone from HR or L&D working the dials with their left hand. This is a full-time, dedicated function that is part of your information security strategy and an important part of your execution team.

The Other Problem

Most cybersecurity education programs are designed with one goal in mind, at least as far as learners are concerned: preparing to pass numerous technical exams that lead to certifications across a broad array of technical skills, from vendor-agnostic (CompTIA) to vendor-specific (AWS Certified Developer). Those certifications serve the narrow interests of the learners (a better job, a higher salary), not the broad interests of the employer (building a competent cyber warrior corps).

The question then becomes, how do I invest in my employees’ education and still manage to retain them after their competencies are upskilled?

Some companies work deals with employees that amount to an earn-out: that is, the employee agrees to stay for a fixed period of time following certification in exchange for the employer picking up the tab for the coursework. This rarely works.

Why?

The employee is no longer committed to the company from the get-go. S/he stacks time against that break-free moment, like serving two years in jail. What you want instead are employees who think your company is pretty cool and who, if it got its act together, started treating its employees like high-value assets and invested in their future so that both the employee and the company win, would be willing to go along for the ride. The old saw that losing a trained employee is still better than losing an untrained one holds true, yet given the myriad opportunities to avoid that outcome, we really have few excuses if they leave.

Everyone wants to work for a cool company: one whose values align with the employee’s and one that generously rewards performance, particularly in a new job market characterized as the “Great Resignation.”

But rewarding performance doesn’t translate to a bonus at the end of a reporting period based on the employee’s contribution. It translates to acknowledgment that the employee is special and represents a unique gift to the enterprise. Public acknowledgment sits much higher up Maslow’s ladder than compensation. Humans crave respect, self-esteem, status, recognition and freedom far more than they care about food and shelter. At the very top is the desire for self-actualization.

Employees want, and will seek, an environment where they can get what they need. In the realm of cybersecurity, you as an employer have a unique opportunity to tailor programs to suit the self-actualizing requirements of your employees, and to do so in such a way as to secure an infrastructure that should survive a lot of change.

But, don’t forget the bonus either.

Beware of Self-Imposed Limits

Cybersecurity training programs should not err on the side of fixed skills around specific tools or software programs. Learning programming languages, Salesforce tools, CRMs and accounting packages is all useful, yet teaching folks how to use them needs to be kept in perspective: what you are doing is transferring perishable skills.

At least equally important to both you and your learners are the durable skills, like leadership and critical thinking, that will outlast you and the enterprise, and that will enable true transformation if allowed to flourish within the context of your business operations. Imagine your current organization operating under a reversal of the business model that got you here. Is it possible that a completely new and different model will yield even better results and produce unexpected, positive side benefits as well?

The answer is yes.

Innovation

All self-respecting technology companies pride themselves on innovation. Some have elaborate processes, labs, think tanks, partnerships, etc., while others have only board room slogans, yet both approaches often yield the same results.

Why?

Corporations are lousy environments for innovation.

Acquired start-ups can play a key role in corporate innovation because they are unburdened by the overhead baggage of larger enterprises. Operating as an outsourced R&D function, they are free to respond quickly to market signals and create solutions for tomorrow’s problems.

Ignoring the start-up landscape in favor of internal programs can often wipe a company’s presence off a category map. Identifying the start-ups around your space with which you can boost your expertise and presence is an important strategy for growth, particularly in these outcome-based times.

A classic example is IBM’s last 10-15 years. Too many cooks and shareholders failed to see and share the cloud vision, while market demand shifted to a services model in an era of extreme downward pressure on talent. Whatever IBM was doing was going to pay off in the distant future, and its girth would defend against all pretenders in the meantime.

The problem with pretenders is that they are not all pretenders.

Change The Rules

Arvind Krishna, IBM’s new CEO, reversed all focus and moved the company quickly to a services model. Then he invited customers not to sales pitches about IBM hardware, but to conversations about the customers’ needs and the solutions that could be created jointly between them, often focused on building a better solution for the people the customer serves.

IBM is now a nimble competitor in the cybersecurity space with a broad set of product offerings, often from start-up acquisitions and professional services.

The average lifespan of an S&P 500 company is declining. The threats to incumbent organizations are multiplying and it is much harder to stay on top.

It costs 10x less to develop technology today than when I was raising VC ten years ago, and the adoption curve is fast. IBM cannot compete with Joe’s Software.

A New Way of Thinking

But all this requires a new way of thinking, not just about education but about cybersecurity in general. That is why executives, C-suite and Board leaders need to refresh on systems, design and critical thinking, and they should do it in a tribal form: a leadership team committed to a new direction in cybersecurity thinking can re-cast the security profile of an entire enterprise in less than a week. Zero Trust, as an example, requires no leap across a broad “earth is flat” belief, but it does require a commitment from every stakeholder to completely re-write our approach to cybersecurity architecture within the context of a Zero Trust framework and to adhere strictly to Zero Trust principles.

Once begun, it will be immediately obvious that the approach is completely different from our current excessive-trust models, and a demonstration of this kind of leadership at this level will send a clear message throughout the enterprise that change is on the horizon.

An Excess of Care

Running a cybersecurity education program is a full-time job, requiring multiple resources and budget commitments. In order to implement and manage an effective cybersecurity training and education program, a business must either commit to a third-party provider who offers a fully managed service in continuing cybersecurity education or commit the resources to manage it on its own.

Trying to do the latter resembles the sort of challenge we find in the idea of building out one’s own SIEM/SOAR/SOC operation and trying to manage it.

The “value proposition” of saving $20K/month by doing it yourself is that your IT organization must now invest in 9 new FTE hires, a full suite of training, software, infrastructure, management, tools and processes, and get all of this done somehow out there in the middle of North Dakota, in time to prevent the next zero-day threat.

Even casual observers with no background in cyber can see that this alternative is unsound. There is only one way to assure that you have a chance at implementing an effective cybersecurity training and education program throughout your enterprise, at building a culture of cyber consciousness, and at providing the appropriate upskilling and durable training necessary to compete in global cyber markets: engage with a team of cybersecurity professionals who can design a customized managed education and training program and manage it for you on an ongoing basis.

Any alternative will dim your chances of survival as we advance to new realms of cyber abilities, from AI to ML, from quantum to 5G, and from autonomous automotive to drones and advanced OT, and most businesses will be unprepared to deal with the consequences.

This is why 20 years later, we are in exactly the same position as we were when we began this journey. It is never about the technologies. It is always about the people, their training, their preparedness and their mindset.

Until and unless we change the way we look at cybersecurity, we are doomed to repeat the past and bound to create the same outcomes for the next 20 years.