Healthcare is one of many industries struggling with a cybersecurity skills gap, working to ensure that the right individuals are put into positions where they can adequately manage the increasing threats.
Being able to address that increasing cybersecurity skills gap was one of the main reasons ISACA created the Cybersecurity Nexus (CSX) Training Platform, ISACA Chief Innovation Office Frank Schettini told HealthITSecurity.com.
“When we first looked at the cybersecurity market, the one thing we realized was there was a huge skills gap,” he said. “And we are a not for profit association that focuses on membership, certification, training, providing white papers, videos, webinars, etc, to our professionals and from the field.”
The platform utilizes hands-on, performance-based training, and also has a skills assessment component where organizations can verify the technical competency of current employees and prospective new hires.
User assessments happen in real time and success metrics and continuing professional education credits are given out at the end of each lab and course.
“In 2017, the skills gap is just getting larger, not smaller,” Schettini explained. “In our survey we found that nearly one in three organizations take six months or more to fill an open cybersecurity role. Additionally, 37 percent of organizations said that basically 1 in 4 candidates are qualified.”
ISACA’s State of Cyber Security 2017 report also found that 59 percent of surveyed organizations receive at least five applications for each cybersecurity opening, with only 13 percent receiving 20 or more. Sixty-nine percent of respondents also said that their organizations typically require a security certification for open positions, while 25 percent reported that cybersecurity candidates lack the necessary technical skills.
“As part of our cybersecurity program, we not only do this platform, but we really do a kind of soup to nuts program, which emphasizes everything from providing guidance to individuals,” he noted. “We have a CSX fundamentals course, which is really an intro to cybersecurity, and it has all the key terms that you really need to learn within the field.”
Schettini added that ISACA provides guidance to its traditional audit and assurance professionals, and that the organization released a cybersecurity audit program that has been very well received by the ISACA constituent base.
“When we looked at this, we saw that there is really a need to help practitioners as well,” he stated.
The cybersecurity skills gap was really the key focus area behind the new training program, Schettini said.
“We launched it based on the certification and really trying to address that need,” he explained. “If you went through the right training and had the right knowledge base going on associated in the right competencies, and you passed the exam, then you would actually be very well qualified to be a cybersecurity practitioner in the marketplace.”
Common feedback was also that the problem is not just finding people for cybersecurity roles, but that the individuals available do not have the right cybersecurity skills, he said.
“The platform that we were leveraging to do training and the certifications really lends itself very well to do that,” he explained. “It's really performance based training, so that's kind of the genesis of how this whole idea came about.”
There is no simulation involved with the training program, and it is available online and on-demand at any time.
“One of the biggest challenges we have had when we talked to Fortune 100 or 500 companies is a lot of the traditional training classes one, tend to be paper based,” Schettini said. “You go into the classroom, you learn about the different threat types, whether it’s SQL injection, APT, etc. And then you take a multiple choice exam at the end.”
“The question arises, well how great is that? How good is that information?”
While the background information is very useful, Schettini added that a multiple choice exam offers no true measure of whether an individual is actually capable of handling an attack if it happens, or even of determining that an attack did happen.
Another challenge with traditional training is the course material itself, which in cybersecurity is always evolving and quickly goes out of date.
“We know it's evolving almost every week with new types of attacks and new preponderance of certain types of attacks that have been around for a while,” he explained. “Additionally, some become more popular depending on how things work out.”
The training platform requires only a browser; individuals log in to a cloud-based learning management system (LMS). Depending on certain variables, each individual user is offered a set of labs and training. ISACA also provides an assessment tool, as well as administrative functions.
How healthcare can overcome current cybersecurity threats
Security must be built across the entire enterprise, especially when it comes to creating strong cybersecurity plans for organizations, Schettini said.
“That really runs the gamut of everything from awareness to the appropriate policies and processes so that you can understand what the escalation path is,” he continued. “Organizations want to understand who needs to know what in communications across the board, as well as having the right level of incident or response capabilities.”
Entities also need to focus on security by design: security has to be at the table when organizations are going through the design process. Otherwise, organizations are just creating a whole new set of holes for someone else to penetrate, Schettini explained.
CISOs in particular are having a communication challenge with the C-suite, he added.
“Instead of talking about the specific technologies, they really need to be looking at everything from a risk management perspective on what that means to the enterprise, because that's the language that the board and the C-suite really understand,” Schettini pointed out.
CISOs can also have difficulty getting the right level of funding, he said, which can stem from a combination of their inability to sell what their needs are and the fact that an individual could hack the company that very day.
“From a general perspective they need to be much more specific on how each investment is going to help mitigate the process, and that includes training,” he maintained.
ISACA Senior Manager of Information Security Frank Downs explained that when organizations are building a robust cybersecurity program, especially in the healthcare industry, the statement that cybersecurity is everyone's problem really holds true.
“There needs to be a baseline understanding and a baseline training specifically among other industries,” Downs said.
It must be a group effort between employees at all levels within an organization as well, he added.
For example, healthcare providers should ensure that nurses or clinicians do not leave screens open when they leave a room. Patients could inadvertently have access to other patients’ personal health information, and see data that should remain private.
Schettini concluded that the healthcare industry seems to be responding fairly well to the evolving cybersecurity threats. However, healthcare CIOs may not be ready or have the right tools – or staff – in place to address cybersecurity across the enterprise.
“I know [healthcare organizations] are all speeding to address those threats, and the last couple of years have seen significant progress, but we still have a ways to go,” Schettini said. “The hands-on skills are an area that is pretty much lacking across the marketplace, and that's really where that skills gap comes in.”
“CISOs and CIOs may have the best budget and they may have the best plans, but they don't find the right people,” he continued. “They're going to have the same challenges, and that's really the solution that we're really trying to address.”