How Lean Learning Can Improve Cybersecurity Training
By James Hadley
Today’s businesses are under constant attack from cybercriminals determined to gain illicit access to their networks, steal information or money and generally wreak havoc. While this is a current–and evolving–threat, the key to ensuring these businesses are protected from such attacks may lie in a 60-year-old practice based in manufacturing.
Particularly popular among startups looking to optimize their people and resources, lean methodology has its roots in the Toyota Production System, a revolutionary approach to the manufacture of physical goods since the 1950s. The methodology can also be applied to training methods, especially now that maintaining a competitive edge requires organizations and their employees to adapt to changing circumstances rapidly.
Indeed, by teaching people the core of what they need to learn and allowing them to apply that to a real-world situation, lean learning enables organizations and their employees to update their knowledge and expertise immediately. With cybercriminals continuing to refine and hone their tactics and techniques, it’s this that makes lean learning ideal for keeping an organization’s cybersecurity pros on top of emerging threats.
Time for change
There is a significant and growing shortage of suitably skilled cybersecurity professionals. According to a recent report, the skills gap stood at just over 4 million globally in 2019, up from 2.9 million in 2018. In the EMEA region, it reached 291,000–more than doubling over the previous months.
Closing this gap will require a change in the way that cyber skills are taught. Traditionally, training has been delivered in listen-and-learn environments such as the classroom. Assessments may be carried out every six months or so, by which time much of what’s been learned is already out of date.
But by applying the principles of lean learning these skills can be kept up to date. Training platforms informed by real-time threat intelligence, for example, ensure employees are always learning about the latest techniques and tactics, pulling them apart, and interrogating them in a bid to understand just how they work.
And by testing out their learnings in “real-world” scenarios, with no risk of causing damage, employees can effectively build their experience and measure their skills. Doing so means that should they then encounter a similar situation in real life, they’re equipped with the skills and expertise required to mitigate that threat.
This ability to put learnings into practice ties in with another of the methodology’s key principles. Unlike traditional teaching methods, lean learning is concerned with outcomes rather than credits. As it stands, many organizations use industry-recognized credentials and qualifications to measure the effectiveness of their cybersecurity training.
While such credentials are undoubtedly useful in assessing an employee’s qualifications on paper, they often don’t consider an organization’s specific needs and whether that employee has the necessary skills to deal with the actual risks faced by the organization at any given time. An impressive CV showing that an employee has taken all the right exams and achieved all the right qualifications is all well and good. What it doesn’t show is how that employee will perform when the latest attack takes place. It’s essential, therefore, that all security professionals can continue developing their skills and knowledge so that when the attack arrives, they’re prepared.
Lean learning in the wild
Lean methodology is becoming more widely used to improve business outcomes and efficiencies. As a natural extension of this, several high-profile organizations are now using lean learning to develop the skills of their cybersecurity professionals and improve their overall security posture.
Faced with a growing skills gap and an outdated approach to training, cybersecurity professionals are in danger of losing pace with an ever-evolving threat landscape. It appears, however, that what began more than 60 years ago as a revolutionary manufacturing process is now key to getting the industry back on track.