Hiring the right people is the first step when building a great security operations team. But you also have to train them on how your company approaches and implements security measures.
The common reality is that many companies lack the time or expertise to design and execute an effective training program. Even the best security hires still need to understand how your network and systems are configured, what past and present security threats your company faces, what tools are in place, etc.
Especially considering the shortage of talent in the most technical areas of security — incident response, forensic analysis, network monitoring, and security operations — training on these needs to become a much more integral part of your onboarding process.
Training doesn’t have to be a huge event, though; short sessions of training can go a long way. Let’s go over a framework for training security talent at your company.
Security Training Approach
Training gets a bad rap, especially when it’s not very helpful, and many companies embrace the “learn on the job” mantra. I’ve trained many different skill levels, and from experience, I always find that positivity works best when approaching and conducting training sessions. Most people are receptive to training, even the most senior of staff, but positioning it as a positive experience and not demeaning of their skill sets is key.
First, get a sense of what skill set each team member has and what information would benefit them most during the training. Things to consider with your audience:
- Current technical skills
- Level of skill maturity
- Knowledge of your environment
- How they currently do things
A good way to determine these factors is by doing interactive exercises during the training sessions, which can help uncover skill gaps. Based on what you find, you can provide the right level of information to them and even hint at solutions that may benefit them in their day-to-day work. Here are a few examples of exercises you can perform:
- Malware analysis and containment
- Log analysis exercises
- Reverse engineering exercises
Once you complete an exercise, you’ll have a better sense of what tools, techniques, and processes you’ll need to train on.
Security Training Content
An effective way to deliver this content is through a combination of lectures and hands-on activities. This helps keep trainees engaged and enables them to think out loud and ask questions about how to approach a given task.
While larger organizations may have the resources to develop separate training programs for different levels of staff, smaller ones will likely train everyone at once. That’s okay. For smaller orgs, it may just be a matter of spending a little more one-on-one time with junior staff to get them up to speed, while senior staff dig in once you provide a bit of direction.
At the most basic level, your training should focus on two pillars:
- An overview of the necessary high-level skills
- Your environment and the company at large
Let’s break down what this means:
- Begin with networking and operating system foundations
Never assume they know everything, and even if they do know quite a lot, this is a good time to review the basics. This also gives trainees an opportunity to ask how these fundamentals apply to your company in particular.
- Train on the ins and outs of your company, industry, environment, threats, etc.
Understand that they may be coming from a company with a very different setup, or this may even be their first job.
- Bridge any gaps in your audience’s current skill sets
Giving a good overview of the skills everyone on your team should have is a good start. But you may need to sit down with junior staff one-on-one to go over specific concepts and processes, such as how to handle phishing attacks and investigate alerts. Training senior staff, on the other hand, should be focused more on technical intricacies and discussing new ways to solve problems.
Security Training Timeframe
Training doesn’t have to be a day-long, intensive process. I actually like to break up training into two-hour sessions. This provides enough time to get into a subject, but not so much that it overwhelms or bores trainees.
Training doesn’t stop after the initial onboarding, either. I recommend ongoing training, at minimum, once every quarter. Companies should be vigilant about keeping employees up-to-date and continuously addressing any skill gaps as technologies and processes change and evolve.
Training can also go beyond the in-person time. Sending staff relevant articles and books like the ones from O’Reilly can help to supplement their training. Conferences and training sessions from SANS, Security BSides, and RSA can also be great places to learn even more, especially for more senior-level security staff (see a full list of U.S. security conferences and events here). Be sure to make time in their schedules and room in the budget for them to attend these regularly.
Creating a Culture of Continuous Learning
Dedicated training fosters a culture of learning in the workplace. By immediately giving new hires the run-down of your organization and helping them to get up to speed on the required skills, you demonstrate your organization's commitment to its people. And considering the security talent crunch today, this can be a great way to hire and retain great people. But more than anything, it ensures a successful, efficient, and collaborative team environment.