member

Rethink how you train your IT staff: Why the WannaCry attack is a wakeup call for the entire C-suite

Contributor: Management Matters
Posted: August 4, 2017

cybersecurity

A superior owes it to his organization to make the strength of every one of his subordinates as productive as it can be. But even more does he owe it to the human beings over whom he exercises authority to help them get the most out of whatever strengths they may have. The organization must serve the individual...” – Peter F. Drucker

The recent WannaCry ransomware attack didn’t wreak the havoc expected. 

But this is not the time for IT professionals to let their guards down, says Frank Schettini, Chief Innovation Officer of ISACA (the Information Systems Audit and Control Association). 

The worldwide cyber attack impacted more than 300,000 computers, including companies like FedEx and hospitals in the UK. The New York Times reports that most companies dodged a bullet because employees knew not to click on the malicious links. In other words, individuals are smartening up. 

But it’s worth noting that hackers still collected about $94,000 in ransoms. Meanwhile, industry experts say WannaCry was just the tip of the iceberg of what hackers are capable of. 

ISACA provides training and certifications for professionals in information security, assurance, risk management and governance. Schettini is in charge of thought leadership and research to drive the direction in which IT is audited. 

This is a weighty role in an age where both longstanding companies like FedEx, as well as tech-savvy startups are vulnerable. Last fall, younger companies like Spotify, Twitter and Netflix were victims to cyberattacks due to their unsecured IoT devices.

Schettini says all executives must pay special attention to how they hire, attract and retain professionals involved in cybersecurity. This is why managers focused on cybersecurity may want to consider Drucker’s advice on staffing for strength and providing them opportunities for continuous learning. 

In the following interview, which has been edited and condensed, Schettini explains how innovating the way we train and develop cybersecurity pros is a major key to ensuring the safety of their company data. 

How did you become an expert at cybersecurity?

I’ve always worked with fast-growing startups and dynamic groups, in environments that were always changing. During the turbulent dotcom era when I had to learn new types of business models, I eventually became a turnaround expert where I helped companies apply technology in order to solve business problems. 

Before joining ISACA, I served as CIO for three different organizations including the Project Management Institute, which specializes in certifications for project management practitioners. 

Matt Loeb, the CEO of ISACA, asked me what I can do for the certification program at his organization, be it certifying experts in information technology, cybersecurity, information systems, or risk governance. 

Why do most companies need to overhaul the way they approach cybersecurity? 

When speaking with companies, many confessed they wouldn’t know how fast they could detect an attack, and whether they have the right staff in place to mitigate the attack. 

ISACA research shows that it usually takes them five months to detect an attack – and that’s terrible! 

Also, 46% of those who participated in the survey feel their staff is equipped to handle only basic cyber attacks. 

How is your firm innovating how IT governance professionals are trained and certified?   

Professionals traditionally have to take a paper and pencil test to get certified in information systems. 

There are a lot of traditional training methods that involve classroom learning, Powerpoint slides and multiple-choice tests. These programs are costly and time-consuming; many have to leave work for one whole week to complete them. As a result, not everyone can attend. 

So in May, we introduced a computer-based testing for certifications. It’s powered by a software development program called CMMI (Capability Maturity Model Integration). It was created by Carnegie Mellon and I led the acquisition of it. 

What makes this program so effective? 

If you look at traditional training today, they are more so a simulation and emulates an attack. But our solution is more so performance-based, and is live on the cloud. 

Individuals at Fortune 1000s can use it on their company laptops. Instead of hooking up software, all you need is a browser to complete the training. 

This is not $6,000 for a one-week class, where they read books and memorize terms.

This is hands-on training. 

There’s so much demand for tech talent trained in cybersecurity, and as a result a high turnover of staff. How does this program reduce turnover? 

Our lab is also a full training assessment tool with 100 hours of learning materials available. Our training is based on the most common threats and based on what our clients tell us what’s most important to them. Our connections in the healthcare industry, for instance, ask us how to mitigate ransomware.

We update our new lab and training every quarter so it’s constantly evolving. This means employers can train workers more than once a year, as hackers are constantly finding new ways to attack. 

This may entice cybersecurity workers to stay because they want to attend the lab for the next quarter, so they’re getting opportunities for continuous learning. And we track continuing professional education hours so we can make sure they are on track for the right certifications. 

How can the CIO and CISO help companies better assess talent? 

The training module has a proprietary scoring mechanism, which tracks everything the individual does during the training. With cybersecurity, there are several ways to detect an attack, so if you don’t follow all the steps you might miss something. We report the strengths and weaknesses to their boss and we craft their training programs around those results. 

Many CISOs report that when they hire someone, they don’t truly know their strengths and weaknesses until they enter the door and come face to face with a problem. So we’re bundling instruction packages for HR departments so that they can use the assessment tool for incoming employees.           

How many companies are adopting your new training method?

We launched earlier this month so we have 12 companies doing 30-day testimonials. Our early clients include Fortune 1000 as well as other overseas agencies and companies.