Cybersecurity Training: A Pathway to Readiness
Ebook, 276 pages, 3 hours

About this ebook

Organizations face increasing cybersecurity attacks that threaten their sensitive data, systems, and existence; but there are solutions. Experts recommend cybersecurity training and general awareness learning experiences as strategic necessities; however, organizations lack cybersecurity training planning, implementation, and optimization guidance. Cybersecurity Training: A Pathway to Readiness addresses the demand to provide cybersecurity training aligned with the normal flow of IT project delivery and technology operations.

Cybersecurity Training combines best practices found in standards and frameworks like ITIL technology management, NIST Cybersecurity Framework, ISO risk, quality and information security management systems, and the Guide to the Project Management Body of Knowledge. Trainers will appreciate the approach that builds on the ADDIE model of instructional design, Bloom’s Taxonomy of Cognitive Thought, and Kirkpatrick’s Model of Evaluation, a trilogy of training best practices.

Readers learn to apply this proven project-oriented training approach to improve the probability of successful cybersecurity awareness and role-based training experiences. The reader is guided to initiate, plan, design, develop, pilot, implement and evaluate training and learning, followed by continual improvement sprints and projects.

Cybersecurity Training prepares trainers, project managers, and IT security professionals to deliver and optimize cybersecurity training so that organizations and their people are ready to prevent and mitigate cybersecurity threats, leading to more resilient organizations.

Language: English
Release date: Dec 26, 2023
ISBN: 9781637425541
Author

Gregory J. Skulmoski

Greg Skulmoski, PhD, MBA, BEd, CITP, FBCS, enjoys dual career paths: he is an award-winning project manager and an innovation management academic from time to time, where he teaches graduate and undergraduate students and researches tomorrow’s project opportunities and threats!

    Book preview

    Cybersecurity Training

    A Pathway to Readiness

    Gregory J. Skulmoski and Chris Walker

    Cybersecurity Training: A Pathway to Readiness

    Copyright © Business Expert Press, LLC, 2024

    Cover design by Gregory J. Skulmoski

    Photo courtesy of Pexels.com, (Laptop Over A White Desk, Anna Nekrashevich)

    Interior design by Exeter Premedia Services Private Ltd., Chennai, India

    All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means—electronic, mechanical, photocopy, recording, or any other except for brief quotations, not to exceed 400 words, without the prior permission of the publisher.

    First published in 2023 by

    Business Expert Press, LLC

    222 East 46th Street, New York, NY 10017

    www.businessexpertpress.com

    ISBN-13: 978-1-63742-553-4 (paperback)

    ISBN-13: 978-1-63742-554-1 (e-book)

    Business Expert Press Portfolio and Project Management Collection

    First edition: 2023

    Keywords

    NIST cybersecurity awareness and role-based training; specialized cybersecurity training; ADDIE Model of Instructional Design; Bloom’s Taxonomy; Kirkpatrick’s Model of Evaluation; project-oriented cybersecurity training; cybersecurity readiness; ITIL technology management; cybersecurity resilience; Lean Six Sigma; agile project management; quantum cybersecurity

    Contents

    Testimonials

    Foreword

    Acknowledgments

    PART I Cybersecurity Learning Ecosystem

    PART II Cybersecurity Training

    Appendix 1: Leaderboard Use Case

    Appendix 2: Instructional Design Team

    Appendix 3: Cybersecurity Roles

    Appendix 4: An Applied Glossary

    References

    About the Authors

    Index

    Testimonials

    Cybersecurity Training: A Pathway to Readiness was peer-reviewed by a diverse group of project managers, instructional designers, and cybersecurity practitioners. Our peer review sample of experts was heterogeneous, representing project management, instructional design, and cybersecurity. Fifteen subject matter experts were invited to participate in a peer review process, and nine reviewed Cybersecurity Training and returned constructive comments, recommendations for change, and praise. The project management reviewers deliver today’s innovations on time, on budget, and to the delight of their customers. The cybersecurity reviewers are on the leading edge of protecting organizations and understand where cybersecurity is evolving and needs to mature. Finally, instructional design specialists reviewed Cybersecurity Training and gave guidance about our project-oriented approach to cybersecurity training.

    We thank our reviewers like Derek Molnar, Thomas Edgerton, and others like Irene Corpuz, who gave praise and constructive criticism like only a seasoned cybersecurity specialist can: "One area to improve would be to provide more context on why ISO/IEC 27001 and NIST Cybersecurity Framework are important for organizations to follow (i.e., when would it be advisable to implement NIST over ISO/IEC 27001, and vice-versa)." The personal pronoun "we" is being used to refer to the authors of Cybersecurity Training. We incorporated Irene’s and other peer reviewers’ feedback, which strengthened our book. Thank you again!

    Highly recommended

    "Cybersecurity readiness is becoming increasingly critical as people remain the weakest link despite the widely available information on the Internet about massive attacks caused by a single end user clicking on a ‘click-bait’ link (i.e., phishing e-mail). But what is wrong with the ongoing cybersecurity awareness training the organizations offer their employees? Were they designed strategically according to specific training models? Were they executed correctly and treated as a project?

    Cybersecurity is often seen as a technical responsibility, but in the book Cybersecurity Training: A Pathway to Readiness, authors Greg and Chris encourage readers to merge strategic thinking and project management when implementing a cybersecurity readiness program. They discuss creating a cybersecurity awareness culture aligned with the organization’s vision, principles, goals, and objectives. Doing so provides a ‘learning ecosystem that encourages life-long and ubiquitous learning,’ supporting the organization’s cybersecurity-related KPIs. It also discusses combining the training ecosystem’s tailoring and principles to achieve the most beneficial delivery plan.

    Thus, Cybersecurity Training is highly recommended for project managers, the HR training section, and the cybersecurity readiness team."—Irene Corpuz, United Arab Emirates, MSc, CISA, ISO 27k Lead Auditor and Lead Implementer, ITIL, PMP, PMI-ACP, Co-Founder and Board Member—Women in Cyber Security Middle East, Global Advisory Board Member—EC Council

    A to Z in cybersecurity training

    "I’m very impressed with the overall cybersecurity training model beautifully detailed in Cybersecurity Training: A Pathway to Readiness. I can use these techniques; if the reader follows this approach that combines best practices from training, project management, and relevant standards, they will remove most project risks. Chris and Greg have written an easy-to-read book that guides the reader to plan and implement cybersecurity training by removing guesswork and leaving no room for errors. They have captured everything from A to Z in cybersecurity training."—Zaid Al Ardah, Director, Technical Protective Operations, Cleveland Clinic, United States

    An incredible book that empowered and inspired me

    "Cybersecurity Training is an incredible book that empowered and inspired me. The authors, Greg and Chris, write with a genuine passion for cybersecurity readiness and its critical role in the success and survival of organizations.

    Their writing is characterized by a deep knowledge of the subject matter, evident in the comprehensive overview of NIST cybersecurity functions and the Goldilocks Approach to cybersecurity. The authors stress the importance of a holistic approach to cybersecurity readiness involving people, processes, and technologies. Cybersecurity Training emphasizes the importance of seeing cybersecurity frameworks as a guide rather than a rigid set of rules. By doing so, organizations can balance cybersecurity with business objectives and avoid unnecessary constraints on their partners.

    What impressed me most about the book was the authors’ unwavering belief that cybersecurity readiness is everyone’s responsibility. Their call to action for organizations to shift toward designing-in cybersecurity as a routine matter is bold and inspiring. I was particularly moved by their invitation to business partners from the finance and supply chain departments to join to improve resilience.

    Overall, Cybersecurity Training is an excellent book written with character and passion. It inspired me to act and make a difference in the fight against cyber threats."—Charles Aunger, CEO/President/Founder, HEAL Security Inc., United States

    A timely and innovative approach

    "Cybersecurity Training provides an innovative holistic project management approach that combines the best practices of established instructional design, training, and learning programs (e.g., ADDIE, Bloom’s Taxonomy, and Kirkpatrick). This blueprint will guide your organization as it builds a resilient cybersecurity operation. I congratulate Chris and Greg for their timely and innovative approach to cybersecurity training. Fantastic!"—Rhoda DiCrescenzo, CCNA, CCNI, Sr. eLearning Specialist and Instructional Designer and Trainer, United States

    The first worldwide reference

    "According to IIBA and IEEE Computer Society, a hacker attack occurs every 39 seconds. Also, according to the 2022 (ISC)² Cybersecurity Workforce Study, there’s a global shortage of 3.4 million cybersecurity-related jobs. This could signal that society needs to change its thoughts about cybersecurity and invite nontechnical participants to join cybersecurity teams. The first building block, ‘a well-thought cybersecurity awareness program,’ is the starting point. Greg and Chris’s book proves this can be successfully achieved.

    As a business analyst, program manager, and professional trainer for over 20 years, I have found this book to be the first worldwide reference combining cybersecurity, project management, and training with a ready-to-action perspective. Read it, study it, and tailor it to your specific context. Get ready now to help your organization proactively manage cybersecurity risks."—Rafa Pagán MSc, CBAP, CPOA, AAC, PMP, PMI-ACP, PMI-PBA, PMI-RMP, PMI-SP, OPEN PM2, KANBAN, POWER BI, MCTS, MCITP, CTT+, SAMC, SDC, SMC, SPOC, SSMC, SSPOC, CSM, CSPO, PSM, PSPO, COMPTIA, Freelance Consultant and Trainer, Madrid, Spain

    "Invaluable resource for both beginners and experts"

    "As the CEO of a management consulting company that delivers innovation through projects, cybersecurity has increasingly gained attention in the last 15 years of my consultancy. Unfortunately, and more often than not, there is a disconnect among project team members as they are grounded in their own discipline’s tradition, culture, and language. A disconnected project team is not a recipe for project success. Skulmoski and Walker, in Cybersecurity Training: A Pathway to Readiness, have aligned cybersecurity training and project management with global standards, frameworks, and best practices, resulting in an invaluable resource for beginners and experts."—Dr.-Ing. Alexander Lang, CEO IMAN Solutions GmbH, Munich, Germany

    A hands-on guide to cybersecurity training

    "Skulmoski and Walker take the complex IT and educational frameworks that guide modern organizations and meld them into an approachable guide to cybersecurity training focusing on delivering successful projects that provide true value to organizations.

    The design of Cybersecurity Training makes it a perfect guide for anyone looking to educate themselves on the current approaches within IT and education and how to blend both to deliver value.

    For educators, Cybersecurity Training, with its comprehensive yet approachable guides to IT and educational frameworks, paired with microlearning sections, enhances and invites the reader to explore key concepts. The authors provide a perfect reference for students on delivering value by utilizing proven project management and training best practices."—Derek Molnar PMP, IT Project Manager, Colorado State University, United States

    Foreword

    Chris Walker and I met at the beginning of the Cleveland Clinic Abu Dhabi hospital project, where I was on the owner’s side and Chris on the vendor’s side. Our project was to train approximately 3,500 caregivers representing 550 positions ranging from surgeons, accountants, phlebotomists, pharmacy technicians, respiratory nurses, registration specialists, and many more. I was assigned the training project due to my background (e.g., a university professor with a Bachelor of Education degree and a Canadian professional teaching license). Our CIO asked me to review the training contract before our organization signed the document.

    The next day, the CIO asked me what I thought, and I responded, "This contract is for training. We don’t want training; we want learning." We then examined training as an input: the vendor could provide double the number of contracted training hours, and our organization still might not have competent systems users. However, if we signed a contract based on outputs (e.g., learning outcomes), our training project team could track learning KPIs. Indeed, the vendor could achieve the contracted KPIs and underspend with a lean approach. The vendor liked this innovative approach to training, and a training contract was signed where training continued until 80 percent of our caregivers received an average mark of 80 percent on assessments. The assessments were developed in collaboration with the business units to ensure that proper learning occurred and was assessed.

    Chris arranged and led a highly skilled training team, and we provided training to our caregivers as outlined in this book. Training in the Middle East and for specialized skillsets required for a first-class hospital brings unique risks, such as unpredictable new caregiver arrivals due to at-home work obligations and visa approval time variances. We used risk management and other project management approaches to deliver training successfully. Our project team trained 90 percent of our caregivers, who earned an average of 90 percent on their assessments. Our vendor, led by Chris, delivered a successful training project, came in under budget, and the Cleveland Clinic Abu Dhabi hospital was safely opened with competent caregivers.

    Fundamental to Cybersecurity Training is that the authors (we) rely on best practices in project management, risk and quality management, and training. We are aware that no one model fits all training circumstances. "As you begin your study of instructional design, bear in mind that models of instructional design/development are helpful guides to the process, but no single model should be considered a lock-step recipe for creating instruction, nor is any one model the only correct way to design instruction" (Brown and Green 2016, 12). Project managers tailor tools and processes to the unique project context. Therefore, we invite you to tailor our instructional design models, standards, and frameworks to your projects to improve the probability of success.

    Our book is structured in three parts. In PART I, we review the burgeoning demand for cybersecurity training. Simply, the demand for cybersecurity training is increasing because there is an increase in cybersecurity incidents, with the expectation that the need for cybersecurity readiness will continue for years to come. The main drivers include waves of digital transformation; a recent wave of digital transformation was triggered by the COVID-19 pandemic, resulting in the massive adoption of technologies to support new ways of working. Unfortunately, cybersecurity was not always a high priority, resulting in many vulnerabilities, attacks, and the increased need for cybersecurity training. The following digital transformation wave features AI-embedded functionalities where organizations launch new projects to implement and protect these new systems, leading to an increased demand for training. Finally, quantum computing will enhance or displace AI-based systems, resulting in new projects and training. Government regulatory bodies and insurance companies are responding with more cybersecurity regulations and cybersecurity readiness expectations for reduced cybersecurity premiums. Thus, there is an increased and sustained demand for cybersecurity training.

    PART I continues with an overview of globally recognized training and education models and frameworks that Cybersecurity Training incorporates: the ADDIE (Analyze, Design, Develop, Implement, and Evaluate) Model of Instructional Design, Bloom’s Taxonomy of Cognitive Thought, and the Kirkpatrick Model of Evaluation. These training best practices are longstanding and successful, and they can be used in cybersecurity training. In PART I, we align our training with the Information Technology Infrastructure Library (ITIL) framework. The ITIL framework guides organizations to plan, deliver, and optimize digital products (e.g., new laptops, printers, servers, etc.) and services (e.g., e-mail, human resource information systems, pharmacy systems, IT, etc.).

    We review the National Institute of Standards (NIST) Cybersecurity Framework in PART I. The NIST Cybersecurity Framework includes a comprehensive suite of documents to guide organizations to provide cybersecurity, including the (1) identify, (2) protect, (3) detect, (4) respond, (5) recover, and (6) govern functions. Cybersecurity training can optimize these six functions to achieve cybersecurity readiness. The NIST Cybersecurity Framework is widely adopted globally in over 100 countries and translated into 10 languages, including English, Arabic, Japanese, Spanish, Portuguese, and Polish, with more translations promised. Therefore, in Cybersecurity Training, we align with the generally accepted NIST Cybersecurity Framework and supporting documents.

    Finally, in PART I, we use the hybrid project delivery approach to deliver technologies, products, and services like cybersecurity. We align the ITIL framework, NIST Cybersecurity Framework,¹ and project management with the ADDIE Model of Instructional Design to improve the probability of successful cybersecurity training. These models and frameworks are incorporated into an adaptive learning ecosystem to help achieve cybersecurity readiness. Therefore, we combine previously disconnected best practices into a holistic approach to deliver cybersecurity training, a critical success factor for organizational readiness and resilience.

    In PART II, we apply the ADDIE Model of Instructional Design phases to cybersecurity training using a project management delivery approach. We use the same project management approach to deliver and optimize NIST Cybersecurity Framework aligned training: general security awareness and specialized (role-based) cybersecurity training. Thus, we align best practices to deliver and optimize training, including ongoing learning experiences to achieve cybersecurity readiness. Combining best
