Training
Training is the action of teaching a particular skill or type of behavior. SOC employees need to be trained so that they can perform their jobs and keep up with the changing threat and IT landscape. When an incident occurs, a common corrective action is more training. I already covered how companies use training to retain top talent. Given all of these reasons for investing in training, its costs can quickly mount, and its results are hard to measure unless specific objectives are defined up front. The following are recommended steps and considerations when developing a training program for any SOC employee:
Step 1. Create the business case: How does this training impact the SOC and employees that will be attending it? Does the training target a specific SOC service need or is it for career development? A cost-benefit analysis might be needed to justify the requested training.
Step 2. Define objectives and learning outcomes: Describe what knowledge should be obtained via the training and how to judge whether the learning objectives were met. This can be achieved in several ways, such as having the employee obtain a certification or demonstrate the new skill.
Step 3. Select a training method: There are many methods to deliver training. The traditional in-person class may be more effective than delivering training online, but a live class will cost more both in time and money. Using recordings will reduce the cost of delivering training, but students will not be able to have discussions with the trainer, potentially reducing the quality of the training. Consider all options, including over-the-shoulder training, video, video conferencing, and live classes.
Step 4. Identify resources: Who will provide the training? Will it be in-house or an external resource? Are there any qualifications required for somebody to deliver the training properly? Some certification programs require a certified proctor to deliver content, limiting available resources to provide the training.
Step 5. Develop training material: Make sure the content that is developed is in line with the training objectives identified in the business case. This includes covering every learning objective, so that candidates who complete the training can legitimately be qualified as successfully trained.
Step 6. Deliver training and evaluate effectiveness: Deliver the training and include a way to obtain feedback. Feedback should come from both the trainer and trainees to best understand both parties’ experience of the course.
Step 7. Improve the training: The final step is to grade how well trainees accomplished the learning objectives as well as review the feedback from both trainers and trainees. Use these results to adjust the class so that it becomes more effective.
An example of going through this process is considering training for using a specific tool. The business case can be based on the impact the tool will have to a SOC service once the users are properly trained. The outcome of the training could be a certification from the tool vendor as well as the trainee’s ability to showcase how they use the tool. The method of training could be a live boot camp delivered by the vendor’s training resources or some other method that accomplishes the desired training outcome. The resource and material could be provided by the vendor, but a SOC sponsor can also be involved to help with running the class and obtaining feedback. The cost for this entire process can be computed and weighed against the value of the outcome to properly justify the training before any investments are made.
Training Methods
There are many variations of training, and the quality of the results will be affected by the method used. Many cybersecurity concepts require hands-on experience with tools whose use outside an authorized environment could be illegal. Certain divisions of the U.S. military, such as U.S. Cyber Command (USCYBERCOM), require contracted training to include real-world scenarios that replicate the challenges organizations are actually likely to encounter. The expectation is that USCYBERCOM candidates will have experience dealing with real malware and defending against genuine exploitation tactics. USCYBERCOM not only requests real-world scenarios but also sets expectations for persistence as part of its success criteria. Persistence means training must be regularly scheduled, and sometimes unannounced, to continually hone skills.
Training might not be project specific. Your SOC employees might want to take on different roles that have their own training requirements. Encouraging career growth is key to building a relationship with employees, which leads to retention; promoting from within is far cheaper than replacing employees who leave. Career growth can be enabled not only through formal training but also through informal over-the-shoulder shadowing of other employees. This approach not only saves on training costs but also builds redundancy for skill sets and critical personnel. Formal training can also be offered and tied to an agreement that the trainee remains in their role at the organization for a period of time in exchange for the organization paying for the training. A violation of the agreement could require the trainee to repay the cost of the training, reducing the likelihood of the employee leaving the role during the agreement period. Promotions and other awards can also be tied to training milestones, and those milestones can align with the expected skills of more senior job roles defined within your organization. Aligning training with career paths improves employee retention, since employees will have a reason beyond a paycheck to remain in the organization.
Another training consideration is to develop a cyber range, the purpose of which is to simulate a real environment and the types of threats an analyst could encounter. A cyber range might not be tied to a specific learning objective; it can instead be viewed as a practice ground where members test the kinds of scenarios that will come up as the SOC operates, as well as customized scenarios built around specific learning objectives. A cyber range should have the student use tools to solve challenges in real time in an environment that resembles the SOC’s real network. The cyber range should be isolated from the real network, providing a safe, legal environment in which to gain hands-on skills with the tools the SOC uses and the situations the SOC expects to encounter. Many guidelines, including those of the National Initiative for Cybersecurity Education (NICE), provide recommendations for a cyber range. One military saying that highlights the importance of using a cyber range to gain experience with cyberthreats is “the battlefield is the last place you want to meet your enemy for the first time.” It is better to fail in a range than in the SOC.
I recommend training based on real-world scenarios that includes criteria for persistence, to ensure that employees not only learn skills but retain them. It is not unusual to find that a candidate certified in specific skills is unable to perform those skills after a prolonged period of not using them. This brings us to an important concept: understanding the relationship between certifications and training.