Alan McCafferty · uOttawa PDI News · Posted: Dec 04, 2024 12:25 PM EST
Online learning is an excellent resource and has been a great equalizer and enabler. Rather than having to find courses available in your area and physically drive to and from them, many professionals in many fields have been able to effectively update and refresh their knowledge, especially in specialized areas. This is convenient, efficient, and, in many cases, effective.
But not in the case of cybersecurity. At first glance, it would seem a likely, even an ideal, candidate for online certification. Take a course on the latest attack method or vulnerability and you’re all set, right?
But because so many organizations assume that cybersecurity is a technology problem, they assume the solution is technology as well. This is not the case. And the consequences of misunderstanding that can be extremely severe.
Organization Cybersecurity Is Primarily Human Management
Increasingly, in the modern world, when we have an issue, we look to technology to solve it. For many organizations, when they read headlines about the increasing risk and cost of a cyberattack, they turn to technology: better firewalls, backups, and cyber vaults to keep attackers out and protect data.
That’s all well and good. But the best firewall on the market today will keep out, maybe, 70% of attackers. The rest are walking right in, and you don’t even know about it.
So, what’s the answer?
Your people. They have been, are, and will continue to be the key to the effectiveness of your cybersecurity. Therefore, they should understand the behaviors that can create problems. They should be working to ensure that your organization has policies in place that encourage good cybersecurity practices. And your managers should know what to look for and how to communicate with their teams, not just about threats but about what to do to counteract them.
Critical Thinking and Evaluation Are Important Skills
If you take a two-hour online course explaining the mechanics behind the latest cyberattack, you learn how to defend against that attack. If cybersecurity were a static field, where it was just a series of square and round holes with square and round pegs, that might be good enough.
But the cybersecurity landscape is dynamic and ever-changing. It is a constant challenge to be dealt with, rather than a problem to overcome. It can’t be solved like an equation.
Effective cybersecurity training, therefore, must go beyond technology. It must teach your people how to correctly comprehend and manage the cybersecurity landscape in your organization based on key principles, best practices, and critical thinking. People must be trained to correctly deal with a potential cybersecurity threat beyond simple recognition. Therefore, they need the skills to:
- Evaluate the people, processes, and policies that exist within your organization
- Identify the exposures that current people, processes, and policies could create
- Determine how potential exposures relate to existing and emerging threats
- Identify solutions that could address those threats and challenges
- Communicate all this information to the rest of your organization
To put it more succinctly, would you let a surgeon operate on your brain if they’d watched 1,000 hours of video but had never done a surgery before? Probably not. The risks of modern cyberthreats are profound, to the point of potentially losing your business, depending on your industry. So, your organization should have people in place who have the hands-on skills to protect your cyber landscape.
Everyone in Your Organization Needs Some Level of Training
Not everyone in every organization needs to be a cybersecurity expert. Not only is that just not realistic but it’s frankly overkill.
But it is true that everyone in your organization needs at least some level of cybersecurity training because everyone in your organization is involved in your cybersecurity — whether that means training a few managers who can train staff, training some trainers to train everybody, hiring consultants to handle it, or whatever else best suits your organization.
The point is that your organization can’t afford to focus your cybersecurity strategy on technology, no matter how good that technology is. While effective technology is an important part of a cybersecurity strategy, effective training must be the core of it or your business will be fundamentally unprepared to deal with the ever-changing reality of modern cyberthreats.
Cybersecurity Training Is Fundamentally About Communication
The persistent image of cybersecurity, hacking, and so on is one of lone geniuses hunched over desks, typing furiously as green characters flash by. I’ve talked before about how this simply isn’t the case. Analog hacking is at least as big a deal as digital hacking. For all the hubbub around AI, people are still by far the most important element of an organization’s cybersecurity, as well as the primary vector of attack (at least for now).
That’s why effective cybersecurity training is fundamentally about communication. If you want to improve the cybersecurity posture of your organization, it’s not really about getting your engineers to watch a couple of courses online about the latest attacks. It’s about being able to effectively communicate what the solution for your business is to everyone who needs to understand.
Think of your favorite movie. You can probably quote at least one or two lines from that movie, right? But you couldn’t make the movie. And in cybersecurity, I’ve seen it happen time and again, where someone’s taken some online courses but they can’t apply any of that knowledge beyond the exact context in which it was given. In other words, they learned how to repeat a message, not communicate it.
Building out an effective cybersecurity posture is the same. You need the skills to effectively communicate to your entire organization about what needs to happen and what everyone’s role is, whether that’s writing the processes or not downloading attachments from spam emails.
uOttawa PDI Cybersecurity Emphasizes Organizational Training
This is why the University of Ottawa Professional Development Institute’s Cybersecurity Program emphasizes training in what are often the most difficult aspects of cybersecurity: critical thinking skills, the ability to ask tough questions, and understanding how the cybersecurity posture of an entire organization operates.
We challenge our students to identify and overcome the gaps in their knowledge and give them the skills to do the same in their own organizations. And we’re one of the few North American institutions to teach cybersecurity from this organizational perspective.
Check out our website to learn more.