The ever increasing exposure of our economy and societies to digital technology increases the risk of cyber crisis. Recently, many cases of cyber attacks by criminal groups were made public and proved to be particularly damaging for economic and state assets. As a matter of fact, one question remains: how to better develop cybersecurity skills to anticipate, prevent and, if necessary, respond to these cyber attacks?
From the board of directors to the management, from the worker to the executive, from the IT specialist to the technician, from the community manager to the subcontractor, each actor contributing to the development of the organization must be aware of the threats, of the stakes, and of the good reflexes in case of incident. Each of them is, at his or her level, a cyber-defender! Their continuous, adapted and regularly updated training is crucial.
That said, the (ISC)² Cybersecurity Workforce Study conducted in 2020 shows the following panorama:
This estimate of the cyber skills shortage is striking: no less than 3.12 million individuals are missing worldwide. This study, which focuses on cybersecurity professionals, confirms the need for further development of initial and continuing education in cybersecurity in the near future. In parallel to these educational actions, the training of employees and even supply chain providers must also be considered as an immediate, adapted and efficient solution. To ensure maximum risk coverage and to strengthen the organization on an ongoing basis, the investment must therefore be complementary between cyber education and cyber training. While technological cybersecurity solutions and the in-depth hardening of the IT infrastructure are crucial, they cannot, on their own, be a sufficient firewall against the threat: human good sense, in contrast with the concept of “PEBCAK”, a.k.a. “Problem Exists Between Chair and Keyboard”, is definitely a major quality that can no longer be neglected.
Investing concretely and skilfully
In 2018, Gartner delivered an analysis and already announced the massive increase in investment devoted to cybersecurity. According to them, this market could thus reach more than $170 billion in 2022. However, whether public or private organizations are involved, the right balance of investments between technological solutions, audits, training and coaching must be sought in order to ensure a good ROI in accordance with the challenges.
While organizations’ investment in cyber security must, of course, result in improved performance and coverage of cyber security tools, the training and education of the people in charge of mastering and maintaining these complex tools are essential. The level of cybersecurity provided by these tools can quickly be downgraded by a misconfiguration, a lack of updates, an underestimation of the induced workload or even staff turnover. Running regular cycles of exercises and training should therefore allow organizations to ultimately reinforce their technical and organizational capacities by investing in what makes them rich: the human factor.
“There’s nothing worse than having a bunch of tools that is not mastered, not maintained by anyone and that turns out to be a financial drain and an Achilles heel for an organization,” asserts Guillaume PRIGENT (Chairman & Founder of DIATEAM).
In order to increase cyber skills, training organizations and academics must focus on two fundamentals: software development and network administration. Training and coaching all the protagonists is a key challenge to help them improve their reflexes, procedures and policies. The ambition is not to turn them into hackers of the kind we sometimes see, taking possession of an entire computer network in a few lines of obscure code. Here the reality is quite different: there are no innate skills. It is all about training women and men so that they are able to adapt to the context, to societal evolutions such as remote working and to crises, by providing the most efficient response possible to protean threats: phishing, ransomware, supply chain attacks, continuous integration compromises, etc.
A team spirit and a good cyber preparedness reinforce the reputation.
No sustainable digitization of an organization or a sector can be achieved without appropriate investment in cybersecurity. Start-ups are the leading figures in this digitization process, but they sometimes fail to invest sufficiently in “by design” security, as time constraints often take priority. However, without an in-depth review of processes, development or integration techniques, there is a real risk that this oversight will quickly catch up with the company, impacting its sales and its brand image. The same is true for small and medium-sized businesses, which too often learn at their own expense the importance of preventive reinforcement of their cyber security.
Innovating means taking cyber security seriously at the software design stage and demanding cyber security criteria before purchasing solutions. Turning this constraint into a business asset must become a native, integrated and assumed approach for any company or organization conscious of the importance of its brand image. And it is in part by encouraging training and hands-on exercises that women and men will be able to better protect both the data of organizations (SMEs) and the personal data of their users, customers and citizens.
Increasing the frequency of cyber training, a sovereign and a European challenge.
Cybersecurity is not only an industry that generates employment, but it facilitates economic growth and strengthens the resilience of an economy and therefore a community. To close the cybersecurity skills gap, Education as an institution must make a concrete investment in learning-by-doing and must continue to significantly expand cybersecurity curricula.
The difference will be made by the educational, scientific and university systems that will manage to develop their offer of continuous training, or even professional retraining, through practice, in order to allow a larger part of the population to acquire cyber skills.
France and Europe must continue their efforts to guarantee their sovereignty on these strategic issues. In this respect, Europe has multiplied the so-called H2020 programs. These programs aim to stimulate cooperation between European organizations to build cyber training offers for operational staff in industry and universities. This dynamic can be found in all sectors, including the maritime sector, whose cyber specificities deserve increased attention and mobilization.
Cyber training and its success factors
Let’s be clear, one could not claim to reach a sufficient level in cybersecurity without a good foundation in the two disciplines mentioned above: software development and network administration. These two prerequisites are paramount to better understand the subtleties of operational cyber security. To do so, it is highly recommended to train on the most realistic environments possible. Being able to replicate all or part of an IT or OT system provides the right conditions for immersive and efficient practice.
Hands-on training has two enormous advantages: the beneficiary organization creates value by training its personnel, who will protect its information assets more effectively. In addition, individual employees thrive because their operational skills are continually enhanced and they can derive personal satisfaction from a job that often escapes routine and proves to be useful and exciting.
In order to maintain excellence, hands-on cyber training must offer a variety of techniques and oppositions in order to prepare cyber defenders. For this reason, the creation of content and the realism of tactics, techniques and procedures are highly differentiating factors in the learning paths.
Moreover, we must emphasize that spaces for information exchange, discussions and games (CTF attack/defense and/or OSINT) strongly contribute to feeding a community passionate about infosecurity. The events dedicated to infosec are privileged moments for all those who wish to learn new techniques and methodologies. Challenging oneself and leaving one’s comfort zone are two qualities that are eminently required to grow and become more competent.
In the long run, cybersecurity can inspire vocations, as is the case for people who, from a very young age, aspire to become a firefighter. Of course, no organization can consist only of firefighters, but the more people are capable of providing first aid or even using a defibrillator, the better the chances of reducing the damage of an incident.
Today, increasing skills in cyber security allows people to constantly explore new playgrounds and new issues, and to put their skills into practice, especially when it comes to participating in a defensive effort under fire from cyber attackers, thanks to a dedicated environment: the cyber range.
The Cyber Range, an essential cyber playground and training environment
Today, the operational teams of large organizations and administrations are trained to react to cyber crises in order to test their capabilities to respond technically and collectively to one or more incidents.
Thanks to the Cyber Range, the training possibilities are particularly wide and can be played on several degrees of intensity. The combination of a cyber range and teams of players with well-defined roles contributes greatly to quality cyber training. The confrontation between the defenders (the Blue Team) and the attackers (the Red Team) allows all of them to improve their posture and significantly increase their skills.
Finally, the possibilities of using a cyber range go beyond training. It also allows prototyping, testing, proving, securing, and testing the update of systems and/or network equipment without affecting production. For Procurement Departments, for instance, a cyber range is a great tool to compare different products before placing an order, and Human Resources Units can use it to test the skills of candidates or new recruits.
We are used to saying that when it comes to a cyber crisis, the question is not if it will happen but when it will happen. Hence the need to train and prepare for these inevitable events. So what could be more galvanizing than this rallying appeal from the Minister of the Armed Forces, Florence PARLY, during the Paris Cyber Week 2021:
“Cyber knows no borders. Our horizon is Europe. We must train together to be able to react together. Cyber will be one of the priorities of the French Presidency of the European Union.”
Source: https://twitter.com/florence_parly/status/1402350869744701443