In the need to increase their cyber security resilience, companies start searching for cyber security trainings. This thing, in fact, is a very normal and recommended action.
But there are many times when they find themselves in one of these three situations:
- There are too many options
- Trainings are too expensive and the overall quality is not guaranteed
- There are too many new terminologies that are very hard to understand
The purpose of this article is to offer a guidance for companies to understand current cyber security trainings options. Also, it is important to know what are the ones recommended for your company maturity level.
Let’s develop each of the situations from above:
1. There are too many options
This is true, there are too many options. The cyber security field is as big as the internet, with multiple perspectives and a lot of actors involved.
Almost all companies, in cyber security field offer trainings, and many offer certifications and accreditation.
A solution to this problem is to filter the training options based on criteria that defines the need.
Trainings can be split on the following categories, no matter how fancy their title sounds: 🙂
- Offensive Security – will teach your employees how to hack(pentest) your company or products;
- Defensive Security – will teach your employees how to secure your systems, detect attacks and take measures;
- Security for Managers – will teach your managers how to create a cyber security strategy in your company.
Each of these categories consists in a specific strategy, and many times they complementary. If your company is just at the beginning in these field, I recommend to start with an Offensive Security Training.
Once you have a dedicated person in the company, cyber security will become a top priority. This will happen because that person alerts everyone regarding the vulnerabilities discovered.
2. Trainings are too expensive
Indeed, trainings offered by top actors in the market are extremely expensive.
Some of them reach 10-20.000 euros, depending on the number of members that participate or the type of training.
A good solution, in this case is to look for smaller companies. Almost all cyber security companies have training services.
Choosing a smaller company for trainings has the following advantages:
- Trainers can be more up-to-date with the latest hacking techniques;
- Prices are considerably lower than those of big companies;
- Flexible to adapt to your company needs;
- Trainer culture is very similar with your company, if it’s in the same region;
- New cyber security companies are built by young, very motivated cyber security engineers. Most of the times this persons offer more than what you expect.
There are some hints about how to discover if the training is of good quality:
- Make sure the trainer has real penetration testing experience, no matter what training it is. This will give serious insight even to more general trainings.
- Most important: all cyber security trainings must have a practical, hands-on part. This is the most efficient method of teaching, even awareness trainings. The question to ask here is: Will the trainer put you in the hacker experience?
- How many iterations they had. Many iterations means the training has been improved a lot.
3. There are too many new keywords and terminologies
The solution, in this case is to explain each terminology.
A. Offensive Security Trainings:
Penetration testing, Ethical hacking, Vulnerability Assessments, Security Auditing, Cyber Guardian
These are basically, terminologies for the same outcome. This training will teach how to hack, scan, search for vulnerabilities in different assets: web applications, mobile, wireless and networks. Also it will teach how to report the vulnerabilities.
This cyber security trainings are for advanced engineers who already have experience in penetration testing. This training should include knowledge from penetration testing plus other techniques: social engineering, public information discovery, physical security and others. This is not recommended for companies that are at the beginning of cyber security.
These trainings are for individuals who want to develop small programs or scripts by using existing vulnerabilities. These vulnerabilities extend access or create some sort of damage (or just to proof the vulnerabilities exist). It addresses to the very passionate cyber security individuals that want to go towards research.
B. Defensive Security Trainings:
This area is very comprehensive. I will try to translate as many terminologies as possible. 🙂
Will teach how to detect if a hacker is already inside the network (or application). Also, you will learn about: tools that detect intrusions (IDS), network monitoring and communication protocols where leaks and hacks can happen.
Securing stuff (Windows, Linux, routers etc.), SecureDevOPS
How to increase the devices security inside or outside the network. To raise the level of cyber security you can use different builtin security settings, firewalls.Useful for system administrators.
Security Operations and Monitoring
Can contain: network monitoring, detection of intrusion attempts. Furthermore, you might learn what measures are taken when an attack is happening against your company, and who is alerted. Also, you will learn all kinds of tools to manage attacks and alerts.
Can contain different methods, tools and approaches that will detect what type of data has been altered. Also, what steps did the hacker make, traces to track back to someone, usually in an operating system or network. This may include, investigations for employees that stole data or other malicious activities. Furthermore, it may contain Threat Hunting. These is a popular buzzword in cybersecurity, that means to trace the hackers paths inside the networks. We use threat hunting in order to discover the breaches that happened. I recommend this only for mature companies. Cyber Threat Intelligence, another buzzword, is basically the data that has been collected that may be useful in an investigation.
Training that will teach how to reverse applications, malware and other malicious software and analyse their code. We use this in order to detect if there is any abnormal behaviour (like stealing data, encrypting computers etc) or to trace back to their owners. I recommend this training for advanced or specialised companies.
Secure Software Development
Will teach how to write code that doesn’t generate security vulnerabilities (secure coding). Also, you will learn how to build an architecture that contains security components. How to release software on platforms (web servers or servers) that are secured in their configuration. Basically will turn SDL into sSLD (Secure software development life-cycle).
Basically this training will show how hackers act when they hack websites, networks or persons. How to secure your phone, computer and how to stay safe online. It may also contain Phishing simulations. Good training for raising awareness to all employees. Make sure you look for a hands-on training.
Are some specialising trainings on a certain industry or technology for example: SCADA
4. Security for Managers
Information Security Manager
Will turn your manager into the brains of the organisation’s IT and information security teams. In addition it will manage the overall operations and direction of their departments. This training will teach how to:
- create and manage security strategies;
- manage security team members and all other information security personnel;
- provide training to information security personnel;
- implement and oversee technological upgrades;
- improvements and major changes to the information security environment.
What to choose
For a company that just starts to increase their skills, I recommend to invest in offensive security trainings.
This suggestion may seem non-intuitive.
Why offensive and not defensive?
There are many arguments to support this affirmation:
- How to defend against attacks you know nothing about? The penetration tester will start sending alerts about vulnerabilities it discovers. This will start an entire process of learning, fixing, improving and defending.
- Penetration testers show real proof of vulnerabilities. This puts people in a real situation where they have to act. Whereas defenders (blue team) they don’t always come with Proof of Concepts when they propose changes. This is not motivating for people that have to fix the issues.
- Penetration tests offer very fast results regarding existing security issues.
- Pentesters have real hacking mindset. In this case, you will deal directly with real security flaws. These are the ones that pose the highest risk. A defence team will spend much more time securing what is not necessary critical.
The benefits are that they will raise the awareness inside the company when they start to pentest the company’s assets. Cyber Security is the responsibility of everyone and this is the message they will share. Usually it is recommended to start training those employees that have a true passion for technology.
Second, start training a manager to become an Information Security Manager. This will be your first step towards having a cyber security strategy inside the company, at all levels and departments. The IT manager is usually a good starting point.
And third, investing into a Security Operation Center. Thus a security operations engineers, will make sure you will have someone who is looking at attacks 24/7.
Also, investing in a training that offers a renowned certification is a debatable situation. Are still few Certified pentesters and they are wanted. So, there is a high risk that they may leave your company once they get certified. My suggestion is to invest in a certification only if you use it to for some important partners or clients in order to prove the competence. If this is not the case, there is not much advantage.
This is solution is for a company that is at the beginning and the strategy is to train its own personnel (not to employ specialists).
I tried to make things a lot simpler. In reality you may find the titles a little more complicated, or with different words in the title (Advanced Training or Active Defense, Critical or continuous “something”). Sometimes this shows either to the competence level, or the type of technology used. Other times, it is just a fancy word that makes the training sound more complicated.
The area of cyber security trainings may seem big, but if you look behind the fancy words, they are not that complicated.
Check out our services to see if there is something that you may be interested in. 🙂
Senior Cyber Security Engineer @ Cyber Threat Defense