Motorcycle Riding and Being a CISO



Randy Marchany, Chief Information Security Officer, Virginia Tech

Through this article, Marchany emphasizes the importance of anticipatory thinking in cybersecurity, drawing parallels to defensive driving. It highlights how continuous training, situational awareness and preparation are essential for building resilient security architecture and workforce readiness.

I was checking out some YouTube videos and ran across this one with Michael Jordan, Charles Barkley and Oprah Winfrey. Towards the end of the video, Michael talks about being a defensive driver if you ride a motorcycle. “You have to be really focused and see the traffic ahead,” says Jordan. He then takes a dig at Charles.

Check out https://www.youtube.com/watch?v=t_Q1k2r2yao.

I’ve ridden bicycles almost all of my life and motorcycles for 20 years. When I’m on the bike, I am looking ahead to see what traffic patterns are there and trying to anticipate how I can maneuver through those patterns safely and efficiently. My nephew and I used to play a game when he was younger. We’d be in the mall and the challenge was to walk through a crowd from point A to B without missing a step or stopping because someone stepped in front of you. You had to watch the traffic flow and make your best guess on where and when an opening would occur.

This is one of the things a CISO or security architect should practice. You want to look at threat intel, your network traffic or attack patterns and chart a course of action based on your past knowledge as well as your ability to guess what will happen next. Sure, sometimes you guess wrong but you use that knowledge to improve your prediction capability. Sound like machine learning? Probably.

For example, the first step in an Incident Response plan (IRP) is “preparation.” Training programs are an important component of the preparation phase. You train to anticipate, then act. Rinse, lather and repeat.

I’ve always said that a poorly trained sysadmin is one of the greatest threats to any organization’s infrastructure. The military training module may seem archaic and cumbersome but it is effective. Organizations that fail to train their technical and general user staff in basic or advanced IT security practices are doomed to suffer multiple failures.

I’m not going to dive into pedagogy (can’t help but giggle every time I hear that word) or the merits of a good training program. Too much has been said on those topics. Instead, I’m going to present my idea of a training roadmap here:

Here we have three main training tracks:

• Technical track – The target audiences are system administrators, developers, IT Security analysts or architects. These training programs are designed to enhance your staff’s technical knowledge. Role-based training for Data Owners is an important task.

• Awareness track – The target audiences are your general staff and management. These training programs are designed to make your workforce aware of the laws, regulations and best practices for handling your organization’s sensitive data. In addition, these programs show your staff the different types of physical and cyber attacks they may see and how to respond to these threats.

• User (How-to) track – This training program teaches your staff how to use the day-to-day tools of your business. It covers things like how to:

    • use Microsoft Office, Adobe Acrobat tools

    • use graphical design tools

    • use collaboration tools

    • use in-house tools

    • use external software or hardware products.

There needs to be a blend of externally developed training materials and “local” training for in-house applications and business processes. Local training includes modules on how to obtain proper authentication credentials, what data protection procedures are in place and where or how to report cyber incidents. These are definitely local to an organization and are sometimes not given the resources needed to effectively train your workforce. There is a significant amount of investment in creating an effective training program. I believe the correct technical description is “it isn’t cheap”.

Next time you ride a bicycle or motorcycle, see if you ride defensively by looking ahead and anticipating the next action that can happen. Take that skill and apply it to designing and implementing your security architecture.