Cybersecurity Education and Training (the devil's in the detail)

On three separate occasions this week I was given pause to consider the development of cybersecurity skills and the associated education and training we need to acquire them.

To start with, on Saturday I read an excellent piece in the Irish Times by Fintan O'Toole called “No one is safe when half of us are digitally illiterate” (behind paywall).

On the Monday of the following week I met a long-time security friend at a funeral. We discussed the abundance of training on offer, much of it being promoted by very well recognised and professional organisations, with some being marketed as validated or recognised by faux “Institutions”.  She holds the view that this is tantamount to fraud. I lean more towards caveat emptor.  However we both agree that it is somewhat unethical.

Finally, I attended the Cyber Skills Ireland launch on Tuesday to listen to academics and industry speak about their initiatives to enhance cybersecurity education in third level institutions as a means to meet the skills gap that we apparently suffer from[1]. 

 My conclusions from these experiences are:

1.    We all need to understand that we have a personal responsibility to educate ourselves (and the people that we're responsible for) to some degree in Cybersecurity.  We also have a responsibility (using this acquired knowledge) to implement Cybersecurity Basic[2] controls and measures to protect ourselves, our employers, and our families and loved ones.  Cybersecurity education should be considered as “lifelong learning” and we should all strive to stay informed and continuously acquire the knowledge and skills needed to protect ourselves.
2.    I believe that it is incumbent on professional organisations promoting training and education, to validate the credentials of all training institutions[3] that offer courses certified by “Institutions” to ensure that those institutions are

•       Generally recognised as centres of excellence
•       Independent of (or at least not directly controlled by) the training body

3.    Lastly, I believe that good cybersecurity posture should also recognise the soft skills more often associated with Psychology or Social Science (communication, influencing, analysis, decision-making, etc.) as well as core technical skills.

There's a role for almost everybody in the cybersecurity workforce, and I think it's incumbent on employers to look for soft skill talent with a view to future need (technical skills are generally easier for many to acquire over time).

[1] /2021/03/22/cyber-security-skills-report-2021/  There are fifty five distinct competencies for cybersecurity identified under the NIST/NICE framework

[2] Cybubix offers Cybersecurity Essentials training for organisations. Find out more  

[3] Cycubix is an Official Official Training Partner of (ISC)2 which is international, nonprofit membership association of over 150k security professionals and recognised globally as the “Gold Standard” for cybersecurity certification