The risks from cybercrime have never been so harmful and so
widespread. Almost daily we see news headlines covering a new data breach or
cyberattack, which has prompted many organizations to look for the best ways to
increase their own team’s cyber security effectiveness and defences against
Simone Petrella has been at the forefront of helping
organizations to level up their security teams by founding CyberVista, a
workforce and development company that helps organizations to identify and fill
gaps in knowledge amongst their security teams. CyberVista offers cyber
training to a range of customers, built from modular, targeted learning
materials.
We spoke to Petrella at RSA 2020, to learn more about the problems that organizations are finding when it comes to cybersecurity training, and how these issues can be resolved.
Identifying the Need for Better Cybersecurity Development
Petrella identified the need for improved cybersecurity
training throughout an experienced career in the fight against cybercrime. Starting
her career as an analyst in the Department of Defense, Petrella spent ten years
working in information assurance and computer network operations. She then
moved to consulting, helping financial and retail customers to build out their
cyber operations, before going on to start CyberVista.
Petrella discovered that one of the biggest cybersecurity pain
points for organizations is identifying and training talent, to fill the
functions that are needed for teams to be effective.
“This was a pain point I was experiencing in 2005, and it
was a pain point that still existed in 2015,” Petrella says. “It’s a pain point that people are talking
about to an even greater extent today.” Petrella founded CyberVista as a way to
help organizations close that workforce shortage, with an employer driven
CyberVista combines learning science and an innovative online platform with a cybersecurity-specific focus. They train employees in specific cybersecurity pain points, customized for each organization based on a proprietary taxonomy mapped to the NICE Cybersecurity Workforce Framework.
To match each organization’s unique training needs,
CyberVista takes a data-driven approach to cyber training. All of their courses
begin with a baseline assessment, which is used to inform the targeted learning
each trainee receives. The data is aggregated into reports for the employers, giving
organizations valuable insights into where people are going to be most
effective and where they need to upskill.
“Ultimately the biggest challenge that we see in the
training and upskilling is how do you prove effectiveness and the return on
investment,” Petrella says. “A lot of companies will send staff to training opportunities,
but it’s almost a retention bonus, not necessarily relevant to their roles.”
“This is a huge part of why we’re taking this data driven
approach, so we can measuredly demonstrate how well users have improved.”
Why Are Organizations Struggling with Security Training?
CyberVista aims to pair their training materials as closely as they can to the unique needs of each organization. But across all their customers, Petrella has identified cybersecurity basics as one area where companies are struggling.
“Cybersecurity as a field is multidisciplinary,” Petrella
says. “But the reality is that the underpinning of any cybersecurity role comes
from the same baseline of knowledge. A lot of people have gotten into
cybersecurity roles, and essentially specialized from the get-go, without
actually spending time studying the foundations.” Petrella likens this to a
doctor who has specialised in one medical area, but never learned basic anatomy.
“Where organizations are struggling,” she says, “is that they
have staff in these very specialised roles, but when you actually put them to
the test, they’re not scoring sufficiently well on the basics of networking, security
operations, or engineering. So, an administrator may be good at working on a
specific tool, but that doesn’t mean they really know security.
“The theory, the principles and the context matters,” Petrella
says. “The tools and the vendors are going to change. But the foundations will
always stay the same.”
It’s often argued that organizations struggle to build highly trained
cybersecurity teams because technologies are always changing, and new threats
emerge so quickly. Petrella, however, argues that the problem is more
fundamental than that.
“The biggest misconception in cybersecurity is that everything changes so fast,” Petrella says. “The truth is, it doesn’t! The principles are the same principles around how data is stored, how it transmits. You can build different tools and technologies around how that’s handled, but you’re still dealing with the same principles of computing, technology and security.”
Why Non-Technical Roles Increasingly Need Technical Security Training
Since founding CyberVista, Petrella tells me the demand for
improved cybersecurity knowledge and training has grown. She tells me one thing
that she didn’t anticipate when trying to bridge the skills gap was the
importance of security knowledge across all areas of the organization, not just
within dedicated cybersecurity teams.
“As more companies are becoming more security focussed in
everything that they do, we are working with customers who need to have
security functions in non-security roles,” Petrella explains. One major area
where this is becoming common is in healthcare, as there is an increasing need
for cybersecurity knowledge and best practices to help protect patient data.
“We partner with a large medical device healthcare firm here
in the US, and we’re training their medical clinicians,” Petrella tells me.
“This is not on security awareness, but on actual technical security. Because
they are the ones that are interfacing on the front lines with patient data
that’s being captured through devices.”
Solving the IT Skills Shortage
One of the major problems for all organizations at the
moment is a lack of cybersecurity professionals across all industries and
verticals. “The fact of the matter is that there is not enough talent pursuing
this career field,” Petrella tells me. “But what we see time and time again is
that so many pools of talent exist within organizations already that could be
incredibly successful in security roles.”
“If companies or organizations took the time and spent the
resources to invest in upskilling that talent, it would actually cost them a
lot less than if they tried to poach every single qualified candidate.”
“It’s a misnomer that you have to have someone right off the
bat with technical skills. We’re missing out on a huge portion of the
population who, if given the time and the investment, would be incredibly
successful cybersecurity professionals.”
Thinking of Investing in Security Training?
Petrella’s advice for organizations thinking of investing in
security training is to think deeply about what they want to accomplish, and
the returns they’d like to see.
“My first advice is to be really thoughtful about what
you’re trying to accomplish,” Petrella says. “Be cognizant of the type of staff
that you have. You have to know the roles that you have in your organization,
and you need to know what you want them to be able to do, before you can
identify the training that’s appropriate.
“Otherwise, you are going to end up sending someone to
something, and spending money, and find it’s not relevant.”
Petrella also advises organizations to look for training that’s designed to be more engaging and more effective. The CyberVista material is designed to engage users, with varied quizzes that include a variety of question types.
“The whole point is to find how you can make it more
effective,” Petrella says. “You have to make it engaging for users, and not just
the content itself.”
“My last big recommendation is that there has to be a forcing function that you are using and tracking training in a way that is aligned to the goals of the organization. If you don’t build in that forcing function, you’ll only have a few people that actually leverage those resources and you won’t be able to determine any amount of effectiveness.”
Find out more about CyberVista: https://www.cybervista.net/