4 Levels of Human Factor Security with Roy Zur On the Easy Prey Podcast

The Easy Prey podcast focuses on protecting innocent people from being targeted by hackers, imposters, and online cyber crooks.

Recently, Chris Parker of the Easy Prey Podcast invited me onto his show to discuss what I look for when hiring cybersecurity employees and the four levels of internet security. Mr. Parker founded WhatIsMyIPAddress.com and started Easy Prey to help people defend themselves against internet scammers. He interviews guests and tells real-life stories to open listeners’ eyes to the dangers and traps lurking in the real world, like online scams, frauds and everyday situations where scammers try to take advantage of people.

Cyber Talent Management System

I looked forward to this podcast and it seemed like a good fit since one of ThriveDX’s primary offerings is security awareness training. Mr. Parker asked me to discuss the 10 years I’ve spent in the Israeli Cyber Defense Unit 8200, mostly on the operations and intelligence side where I learned much about human behavior and cybersecurity. During my first few years with the IDF, I was constantly meeting 18-year-olds without any experience, yet identifying certain cybersecurity mindsets I felt could turn them into cybersecurity professionals within 3-6 years. 

I told him identifying and cultivating talent is challenging at that level because mandatory service in the IDF is three years, so you lose 1/3 of your workforce every year. This means you have to build your entire talent acquisition and talent curation strategy internally based on the group of people you have. In other words, we can’t hire PhDs and people with 5-10 years of experience, so you have to build this thing from the ground up.

To get everyone up to speed, the IDF and I came up with “accelerated learning concepts” to take a recruit I saw potential in and accelerate his/her learning through a concept called “Bootcamp.” During Bootcamp, recruits were training day and night, completely immersing themselves into the field. Many started at 6 am and didn’t stop until midnight. 

It appears this concept has paid off, given that Israel is widely regarded as a “cybersecurity powerhouse.” 

Solving the Cyber Skills Shortage

Now, in late 2022, the industry is currently undergoing something alternately referred to as a “cyber skills shortage” or “cyber talent gap” – essentially meaning there are more cybersecurity jobs than qualified people to fill them. During my experience in “coaching up the team we have,” I’ve learned a few things about evaluating cyber talent that I believe can ultimately help address the cyber skills gap. 

Chris Parker asked me: “Are there certain characteristics or personality traits of your cadets that led them to excel over others?”

I told him that’s a good question, and yes. It’s not just about the training, it’s about the screening. It’s not necessarily about hard skills like coding or hacking…it’s more about their attitude and aptitude. 

What is a Cybersecurity Aptitude Assessment?

I explained that I look at future recruits through an “attitude vs. aptitude” lens. From an attitude perspective, I value traits like intellectual curiosity. What I look for are people interested in finding the “how” and “why,” people who ask a lot of questions and pursue different challenges and clues until getting to the answer. Cybersecurity aspirants must be properly motivated because being a security professional is not always glamorous work. Sometimes it means going through log files that still need attention but may not seem as exciting.

From an aptitude standpoint, I look for fast learners. Because the industry and threat landscape are constantly evolving, I look less at math skills and more at learning comprehension. Whatever you learn today in cybersecurity is valid for a few months, but then you should familiarize yourself with the very latest techniques used by threat actors. Whether this person winds up hunting threats, conducting soft analysis, or securing code, all these disciplines are linked by a basic intellectual curiosity and love of learning. 

Does Cybersecurity Require Math?

There is something around cybersecurity that people are afraid of, or at least sometimes deterred by. Many people think it’s super technical (some of it is), but to me, cybersecurity is more of a business issue or human factor issue. If you get to the core of this, it’s about protecting networks, data, and secrets from people trying to steal them, change them, encrypt them, or spy on them.

The truth is, cybersecurity is less about math and more about business. The primary motivations behind cybercrime are business-related. It’s about making money. In other words, this career is not just for techies. You can find former law enforcement, business analysts, veterans, and technology analysts. So, does cybersecurity require math? Sometimes. Is it make or break? No.

We’re all familiar with endpoint security, email security, and cloud security. But I think it’s way past time to have a “human factor security” category. This is only logical since by some measures, 95% of successful cyber attacks involve human interaction. As risks evolve and the threat landscape changes, so must human understanding of these risks.

Human Behavior and Cybersecurity

In a way, human factor security is about constantly updating the human brain: a person might not have known something a few months ago, but that person is constantly learning new things. Just as we patch operating systems and applications as new threats come online, we need to “patch” employees in an ongoing way.

So which parts of the workforce should receive what types of security training? Everyone in every organization needs to improve their understanding of cybersecurity best practices, the shifting threat landscape, or the latest in application security training. The main determiner of the curriculum is the employee’s specific role.

I’ve identified four (4) main groups of people within every organization requiring various levels of instruction. 

Four Levels of Organizational Cybersecurity: Types of Security Training

1. General Employees

The first group requiring training are the general employees with basic knowledge and limited access to internal systems. This usually comprises around 95% of any given company. These folks need training and then retraining (or “patching”) to understand phishing, social engineering and other ways hackers are targeting them, what those attacks look like, and how those methods change over time.

The specific tactics threat actors employ today won’t be stuff they’re doing in a couple years. For instance, two years ago cybercriminals sent email subject lines like “COVID Vaccinations in your area” and “Click here to get the latest government stimulus.”

It’s not enough to just know what a phishing attack looks like. The real metric that matters is “changing employee behavior.” Until learning translates into actual behavioral change, organizations will never become truly secure. 

2. Technological Professionals

The second group: Technological Professionals. These are tech professionals who don’t work in cybersecurity yet need to add cybersecurity skills. These are people like engineers and developers who develop the code, but whose lack of knowledge in developing secure code and application security in general poses a critical vulnerability. So, they also need training on cybersecurity best practices, but at a more job-applicable level: application security training, for instance.

3. Executives

With the possible exception of the CTO, these are not normally techies. However, their decisions enormously impact organizational security posture. At the same time, executives are typically the most targeted group in the sights of threat actors. That’s because hackers single out those with privileged access to sensitive data. Executives also require cybersecurity training, but they need it to be specialized, befitting of their most-frequently-targeted status. 

4. Cybersecurity Professionals

This is by far the smallest group, but they still require hands-on skills in cybersecurity. Threats continually change so Cybersecurity Professionals need upskilling and more recent training to be up to date on the most recent attacks. Although their training isn’t as intensive, it still is important because they’re the gatekeepers and sometimes the “cybersecurity trainers” for other groups, too.

Conclusion

These four groups not only require different curriculums, but different delivery mechanisms. Let’s compare the corporate environment to education. In academia, more time is considered “better.” More time pursuing a degree, more time devoted to research after achieving tenure. In the corporate world, it’s the opposite. Time is precious, so it’s about training people in everything they need, and only what they need. “General enrichment” is usually not a corporate goal.

As far as jobs go, does cybersecurity require math? It requires analytical skills which can include math. Does it require curiosity and quick learning? Yes. But career or no career, everyone needs some type of security training in this day and age. We also need to better understand the links between human behavior and cybersecurity. Our collective cyber safety depends on it. 

For more information on ThriveDX Security Awareness Training, please visit here.

Roy Zur is the CEO of ThriveDX’s Enterprise Division and founder of Cybint Solutions (acquired by ThriveDX in 2021). His background in cybersecurity and intelligence stems from his time as a Major in the Israeli Defense Forces, Cyber Unit 8200. Zur has more than 15 years of experience in developing cybersecurity training and education for organizations globally. 

Zur also serves as an adjunct professor of risk management in cybersecurity for the MBA-AI program at Reichman University, and is the founder and chairman of The Israeli Institute for Policy and Legislation non-profit.
