Each organization must determine what risks are most relevant and where gaps exist in its current skill sets. The MITRE ATT&CK framework is a knowledge base of adversary tactics and techniques that can help organizations identify their most prevalent risks. Then, in addition to the resources mentioned in the previous section, organizations can use the National Initiative for Cybersecurity Education framework from the National Institute of Standards and Technology (NIST) to inventory and track strengths and weaknesses in their workforces.
Training resources can be accessed from a variety of sources. CISA provides a toolkit for state, local, tribal and territorial (SLTT) governments, which identifies resources including self-assessments, tools and training environments. NIST offers an extensive list of low-cost resources available online, including free, on-demand training and discounted labs, as well as webinars, blogs, portals, courses and video training at all levels.
Another valuable source is the Resource Center for State Cybersecurity, which features plans and guidance for response planning, critical infrastructure and elections infrastructure cybersecurity, and workforce development.
Management Must Support Security Training
No resource can help close the skills gap unless security is a priority, and that calls for management support.
Resources to help start the discussion and facilitate improved understanding and mutual responsibility for cybersecurity throughout the organization are available in the CISA SLTT toolkit, which also includes suggestions for making cybersecurity a budget priority, how to involve educational institutions in developing training (thus sharing the funding requirements), and how to facilitate the discussion with leadership to support and enhance cybersecurity preparedness.
Just as senior management is key to success, so too are the students. Make sure the training is effective and engaging. Current and aspiring members of the cybersecurity team need relevant on-demand courses that will hold their attention even while under stress to complete their daily tasks. The most effective tools include highly interactive training and gamification. Cyberwarfare gaming, ethical hacking and simulations allow security professionals to experiment and hone their skills.
As with any complex but worthwhile venture, security training doesn’t happen overnight. Take it in steps: Lay out a reasonable schedule and syllabus that matches your organization’s specific needs and addresses its existing strengths and weaknesses.
Most importantly, take advantage of the tools and knowledge of those who have already assembled impressive resources, and pass them on.