Introduction
The demand for cybersecurity roles is growing exponentially. Based on the Bureau of Labor Statistics, Cybersecurity jobs are predicted to grow by 35 percent from 2021 to 2031. With technology moving at a rapid pace, it’s important to train and keep individuals up to date on the latest techniques to recognize patterns of attack and prepare them to defend and solve security issues when the challenge arises.
We’ve prepared a guide to help discover, train, and prepare security professionals in your current talent pool.
Identifying Talent
Being a successful security analyst requires knowledge in different areas of IT, software development and security policy. The knowledge and skill required to do security analyst work is a “mile wide and an inch deep”. Having a diverse talent pool with a hybrid skillset is a guarantee for success. For example, a security analyst with experience working in the medical industry will know how to navigate around HIPAA requirements and will be able to tailor their GRC efforts around their knowledge of that industry. An analyst with a background in software development will have a security-focused approach to SDLC and know the nuances/weaknesses in security for a specific development framework. And a network engineer will have the experience to implement the correct configurations to harden security in a network as well as hunt for threats in security logs.
Learning Environment
A learning environment that promotes knowledge sharing is important. It’s important to cultivate an environment that rewards efforts when a teammate decides to share a new tool, a security-related news article or a method to help streamline their work efforts.
An ideal learning environment should encourage members to ask questions regardless of their skill level. Curiosity should be rewarded. Having an “open-source” mentality improves the group overall and benefits your teammates regardless of background and level of skill.
Incremental Learning
Information overload is a huge problem when trainees are expected to complete their training in a short period of time. It’s important to teach information in chunks and structure the training in a way that builds on top of each other after each session. Expectations should be set in the beginning and an overview of lessons to be covered should be communicated early on.
Mentor and Mentee Training
Having a trainee see the entire security assessment process from beginning to end by a senior member will give them a high-level overview of the process and give them a better understanding of the skills required to perform successfully. This will also help a trainee develop the most important aspect of the training which is the “mindset”. Having the proper mindset to perform a security assessment is as important as having the right security testing methodology. It helps trainees become more thorough in their security assessments and helps them become more efficient and effective in performing assessments.
Hands-On Training
Theory isn’t enough. It’s important to give a trainee practical hands-on experience to use the actual tools and develop their methodology. One of the best ways to train security analysts for offensive and defensive security roles is to do capture-the-flag (CTF) exercise which simulates a security assessment/penetration test by using tools against a vulnerable machine.
This allows the trainee to gain practical experience and become more familiar with using their tools. This will also change their mindset from having a rigid approach to solving problems by forcing them to think outside the box.
3 labs we recommend at Altimetrik are OWASP Juice Shop, Metasploitable (Rapid 7) and Cloud Goat (Rhino Security Labs) for web, network, and cloud security training accordingly.
Developing a security-centric culture starts with everyone at your company. In a world with increasing cyber threats, we are all responsible for security. Your talent pool is already filled with individuals willing to learn and develop skills in cyber-security. It is important to recognize that a diverse background of people with different experiences will bring a lot of value to the table. And fostering a security-minded environment will improve security for the company overall.