hbr.org
13.224.249.26  Public Scan

Submitted URL: http://bit.ly/43qb6Cz
Effective URL: https://hbr.org/2023/05/building-an-effective-cybersecurity-training-program
Submission: On May 31 via api from SG — Scanned from SG

Form analysis 1 forms found in the DOM

GET /search

<form action="/search" method="get">
  <div class="search-container ">
    <input type="hidden" name="search_type" value="search-all">
    <input class="pts pbm search-box-desktop" autocomplete="off" name="term" data-type="search-input" placeholder="Search hbr.org">
    <input class="search-box-mobile" autocomplete="off" name="term" placeholder="Search hbr.org">
    <button>
      <svg aria-labelledby="title" viewBox="0 0 24 24">
        <title>Search</title>
        <g>
          <path d="M24.06,23.22l-6.38-6.38a10.11,10.11,0,1,0-.85.85l6.37,6.37ZM1.2,10.13A8.93,8.93,0,1,1,10.13,19,8.94,8.94,0,0,1,1.2,10.13Z"></path>
        </g>
      </svg>
    </button>
    <a href="#" class="clear-search-box do-not-show" js-target="clear-search-box">CLEAR</a>
  </div>
  <div class="backdrop-white width-100pct zindex-highest hide top-header--search-suggest" data-purpose="search-auto-suggest">
    <div class="font-gt-america">
      <ul class="no-bullet ptm mbs" data-container="results">
        <li class="pbm pts line-height-normal font-size-15 darker-medium-gray"></li>
        <li class="pbm pts line-height-normal font-size-15 darker-medium-gray"></li>
        <li class="pbm pts line-height-normal font-size-15 darker-medium-gray"></li>
        <li class="pbm pts line-height-normal font-size-15 darker-medium-gray"></li>
        <li class="pbm pts line-height-normal font-size-15 darker-medium-gray"></li>
        <li class="pbl pts line-height-normal font-size-15 darker-medium-gray has-border-bottom"></li>
        <li class="ptl font-size-xsmall text-gray-light font-bold">SUGGESTED TOPICS</li>
        <li class="pbm pts line-height-normal font-size-15 darker-medium-gray no-bullet"></li>
        <li class="pbm pts line-height-normal font-size-15 darker-medium-gray no-bullet"></li>
        <li class="pbm pts line-height-normal font-size-15 darker-medium-gray no-bullet"></li>
      </ul>
    </div>
  </div>
</form>

Text Content



BUILDING AN EFFECTIVE CYBERSECURITY TRAINING PROGRAM

It’s critical to schedule time for simulated exercises and “scrimmages.”
by Dustin Updyke
May 25, 2023
Anton Vierietin/Getty Images

Summary. Just as sports teams practice and train for upcoming games, your
organization should be constantly and consistently practicing and training for
cybersecurity events, building the muscles and skills they’ll need to respond
when a cyber-attack inevitably happens.

In the movie Any Given Sunday, Al Pacino gives a memorable speech to his losing
football team. The speech highlights a critical lesson for teams: Trust in
themselves and their teammates is critical for success. Just as elite sports
teams depend on trust among players to perform at their best, cybersecurity
relies on trust in computers, people, and organizations. We trust computers to
perform reliably and consistently, just as we trust our teammates to excel in
their organizational roles. As with sports, building trust within a
cybersecurity team is essential for success. By emphasizing reliable and
repeatable behavior, individuals and teams can develop the confidence needed to
perform effectively in any situation they encounter.

Our expertise at the CERT Division of Carnegie Mellon’s Software Engineering
Institute is in Cyber Workforce Development. Our work helps organizations
acquire the skills they need as a team to combat cyber threats. In many ways,
business leaders function as coaches, helping employees develop crucial skills
to make the organization successful. Just as sports teams must train and
practice to build trust and cohesion, businesses must do so to ensure high
productivity in an evolving workplace. We believe that individual training and
team exercises can help create a clear business advantage. Through repetitive
drills and practice, individual players can become subject matter experts on
particular tools or techniques, while teams can collectively respond in the best
possible manner to any scenario they’re likely to confront. Your organization
should be constantly and consistently practicing and training for cybersecurity
events, building the muscles and skills they’ll need to respond when an attack
inevitably occurs.


IDENTIFY KEY CYBERSECURITY SKILLS FOR YOUR ORGANIZATION

Just as coaches define the style of play for their teams, developing an
effective cybersecurity training program requires identifying the specific
skills and knowledge needed to confront cyber threats in a way that aligns with
the organization’s goals and objectives. There are several ways to do so.

 * Conduct a skills-gap analysis by comparing your workforce’s skills to those
   needed to confront cyber threats. The National Institute of Standards and
   Technology’s (NIST’s) NICE Cybersecurity Workforce Framework is a helpful
   resource for identifying the skills and knowledge needed for an effective
   cybersecurity team. Reviewing your security policies, procedures, and
   protocols is another good starting point.
 * Review industry standards with organizations such as NIST and CISA to ensure
   that your organization is aligned with the best practices in your industry,
   and incorporate those practices into your cybersecurity training program. For
   example, there are special controls for organizations handling certain kinds
   of data, such as health care data and personally identifiable information, so
   certain industries need to adhere to regulations such as Personally
   Identifiable Information (PII) or the Health Insurance Portability and
   Accountability Act (HIPAA).
 * Engage with departments and leaders within your organization to understand
   their specific cybersecurity concerns and challenges. For example, a global
   sales force must consider its use of data in light of legislation such as the
   EU’s General Data Protection Regulation (GDPR) and the California Consumer
   Privacy Act (CCPA). Speaking to each department leader will provide insight
   into the specific training needs at all organizational levels.


DEVELOP A PERFORMANCE IMPROVEMENT PLAN TO MEET YOUR STRATEGY

Once you have identified the skills and knowledge needed to combat cyber
threats, the next step is to develop a comprehensive training and exercise
program to improve them. Here are steps that can be taken to develop an
effective program:

 * Design simulations to cover a range of scenarios, including phishing,
   ransomware, and social-engineering attacks.
 * Like blocking and tackling practice in football, begin with simple scenarios
   that focus on core concepts, and gradually increase the complexity of the
   scenarios. Focus on building skills and confidence before tackling
   more-difficult threats.
 * Focus simulations on real-world scenarios that teammates are likely to
   encounter in their daily work. This helps to build confidence about
   responding to specific threats and ensures that individuals are prepared to
   act accordingly.

After each exercise, provide feedback and discuss what worked well and what
could be improved. Helping teammates learn from their mistakes and improve their
responses is one of the most valuable takeaways from any training event.


EXECUTE AN ONGOING CAMPAIGN OF EFFECTIVE TRAINING AND EXERCISES

Great athletes train regularly. Businesses must likewise prioritize ongoing
skills development to remain competitive as technologies and cyber threats
change rapidly. Here are some key considerations.

 * Training and exercise budgets should not be sacrificed in cost-cutting
   measures. Investing in employee development delivers enormous value, and no
   company can afford to underestimate the long-term financial costs of a cyber
   breach.
 * Planning and scheduling training and exercises is crucial; it allows teams to
   assess their performance. By regularly identifying areas for improvement,
   teams can plan and execute more effectively in the future. Additionally,
   taking the time to review and evaluate past performance can lead to
   more-informed decisions about which scenarios to exercise and which tools to
   use in future training sessions.
 * Team exercises should be done regularly and with the same tools, techniques,
   and procedures used in daily operations to build useful muscle memory in
   real-world situations.

In his speech, Pacino says, “You find out life’s this game of inches; so is
football.” So is cybersecurity. Every inch of progress counts. Today’s threats
are more sophisticated and widespread than previous ones, and it’s not a
question of if an organization will face a cyber-attack but when. That’s why
it’s crucial for business leaders to prioritize cybersecurity training and
exercise as a key component of their overall security stance. By identifying the
specific skills and knowledge needed to effectively combat threats, planning and
scheduling training and exercises, and engaging with key stakeholders to
understand the specific training needs of their organization, businesses can
build a stronger, more confident team. Investing in employee development through
formal training programs and ongoing exercises can deliver enormous value and
help businesses stay ahead of adversaries in the ever-changing cybersecurity
landscape.

Dustin Updyke is a Senior Cybersecurity Researcher at Carnegie Mellon’s
Software Engineering Institute’s CERT division. He develops realistic
training and exercise programs for organizations to improve their
cybersecurity readiness.

Copyright © 2023  Harvard Business School Publishing. All rights reserved.
Harvard Business Publishing is an affiliate of Harvard Business School.