How We Can Solve The IT Skills Shortage
Expert Insights interviews Simone Petrella, CEO and Founder of CyberVista
The risks from cybercrime have never been so harmful and so widespread. Almost daily we see news headlines covering a new data breach or cyberattack, which has prompted many organizations to look for the best ways to increase their own team’s cyber security effectiveness and defences against cyber-attacks.
Simone Petrella has been at the forefront of helping organizations to level up their security teams by founding CyberVista, a workforce and development company that helps organizations to identify and fill gaps in knowledge amongst their security teams. CyberVista offers cyber training to a range of customers, with modular learning materials and a mixture of targeted learning materials.
We spoke to Petrella at RSA 2020, to learn more about the problems that organizations are finding when it comes to cybersecurity training, and how these issues can be resolved.
Identifying the Need for Better Cybersecurity Development
Petrella identified the need for improved cybersecurity training over a long career in the fight against cybercrime. Starting her career as an analyst in the Department of Defence, Petrella spent ten years working in information assurance and computer network operations. She then moved to consulting, helping financial and retail customers to build out their cyber operations, before going on to start CyberVista.
Petrella discovered that one of the biggest cybersecurity pain points for organizations is identifying and training talent, to fill the functions that are needed for teams to be effective.
“This was a pain point I was experiencing in 2005, and it was a pain point that still existed in 2015,” Petrella says. “It’s a pain point that people are talking about to an even greater extent today.” Petrella founded CyberVista as a way to help organizations close that workforce shortage, with an employer driven perspective.
CyberVista combines learning science and an innovative online platform with a cybersecurity-specific focus. They train employees in specific cybersecurity pain points, customized for each organization based on a proprietary taxonomy mapped to the NICE Cybersecurity Workforce Framework.
To match each organization’s unique training needs, CyberVista takes a data driven approach to cyber training. All of their courses begin with a baseline assessment, which is used to inform the targeted learning each trainee receives. The data is aggregated into reports for the employers, giving organizations valuable insights into where people are going to be most effective and where they need to upskill.
“Ultimately the biggest challenge that we see in the training and upskilling is how do you prove effectiveness and the return on investment,” Petrella says. “A lot of companies will send staff to training opportunities, but it’s almost a retention bonus, not necessarily relevant to their roles.”
“This is a huge part of why we’re taking this data driven approach, so we can measuredly demonstrate how well users have improved.”
Why Are Organizations Struggling with Security Training?
CyberVista aims to match their training materials as closely as they can to the unique needs of each organization. But across all their customers, Petrella has identified cybersecurity basics as one area that companies are struggling with.
“Cybersecurity as a field is multidisciplinary,” Petrella says. “But the reality is that the underpinning of any cybersecurity role comes from the same baseline of knowledge. A lot of people have gotten into cybersecurity roles, and essentially specialized from the get-go, without actually spending time studying the foundations.” Petrella likens this to a doctor who has specialised in one medical area, but never learned basic anatomy.
“Where organizations are struggling,” she says, “is that they have staff in these very specialised roles, but when you actually put them to the test, they’re not sufficiently scoring well on the basics of networking, security operations, or engineering. So, an administrator may be good at working on a specific tool, but that doesn’t mean they really know security.
“The theory, the principles and the context matters,” Petrella says. “The tools and the vendors are going to change. But the foundations will always stay the same.”
It’s often argued that organizations struggle to organize highly-trained cybersecurity teams because technologies are always changing, and new threats emerge so quickly. Petrella, however, argues that the problem is more fundamental than that.
“The biggest misconception in cybersecurity is that everything changes so fast,” Petrella says. “The truth is, it doesn’t! The principles are the same principles around how data is stored, how it transmits. You can build different tools and technologies around how that’s handled, but you’re still dealing with the same principles of computing, technology and security.”
Why Non-Technical Roles Increasingly Need Technical Security Training
Since founding CyberVista, Petrella tells me the demand for improved cybersecurity knowledge and training has grown. She tells me one thing that she didn’t anticipate when trying to bridge the skills gap was the importance of security knowledge across all areas of the organization, not just within dedicated cybersecurity teams.
“As more companies are becoming more security focussed in everything that they do, we are working with customers who need to have security functions in non-security roles,” Petrella explains. One major area where this is becoming common is in healthcare, as there is an increasing need for cybersecurity knowledge and best practices to help protect patient data.
“We partner with a large medical device healthcare firm here in the US, and we’re training their medical clinicians,” Petrella tells me. “This is not on security awareness, but on actual technical security. Because they are the ones that are interfacing on the front lines with patient data that’s being captured through devices.”
Solving the IT Skills Shortage
One of the major problems for all organizations at the moment is a lack of cybersecurity professionals across all industries and verticals. “The fact of the matter is that there is not enough talent pursuing this career field,” Petrella tells me. “But what we see time and time again is that so many pools of talent exist within organizations already that could be incredibly successful in security roles.”
“If companies or organizations took the time and spent the resources to invest in upskilling that talent, it would actually cost them a lot less than if they tried to poach every single qualified candidate.”
“It’s a misnomer that you have to have someone right off the bat with technical skills. We’re missing out on a huge portion of the population who, if given the time and the investment, would be incredibly successful cybersecurity professionals.”
Thinking of Investing in Security Training?
Petrella’s advice for organizations thinking of investing in security training is to think deeply about what they want to accomplish, and the returns they’d like to see.
“My first advice is to be really thoughtful about what you’re trying to accomplish,” Petrella says. “Be cognizant of the type of staff that you have. You have to know the roles that you have in your organization, and you need to know what you want them to be able to do, before you can identify the training that’s appropriate.
“Otherwise, you are going to end up sending someone to something, and spending money, and find it’s not relevant.”
Petrella also advises organizations to look for training that’s designed to be more engaging and more effective. The CyberVista material is designed to engage users, with varied quizzes that include a variety of question types.
“The whole point is to find how you can make it more effective,” Petrella says. “You have to make it engaging for users, and not just the content itself.”
“My last big recommendation is that there has to be a forcing function that you are using and tracking training in a way that is aligned to the goals of the organization. If you don’t build in that forcing function, you’ll only have a few people that actually leverage those resources and you won’t be able to determine any amount of effectiveness.”
Find out more about CyberVista: https://www.cybervista.net/