Degrees alone aren’t enough to keep cybersecurity defences effective for the long term

University qualifications in cybersecurity are important but are only a start to keeping up with the changing cybersecurity threat, according to a corporate cybersecurity executive and educator who is currently leading nearly 3500 attendees through an online cybersecurity skills course focused on phishing countermeasures.

That course, offered through Charles Sturt University’s IT Masters program, has been running across 4 weeks in April and was designed by cybersecurity educator Bianca Wirth as an intermediate-level approach to helping businesses fight back against phishing “from a people, process and technology perspective”.

It’s the kind of complementary training that Wirth – who is currently enrolled in the IT Masters program and works as global cyber and physical security education and awareness manager with a major insurance company – says is critical for business and technical staff working to promulgate a cybersecurity-aware culture throughout any company.

“There’s still the perception in industry that you need certifications, a Master’s degree or a specialty degree in a particular area” to be regarded as well-trained in cybersecurity, Wirth told CSO Australia. “The Master’s credential is helpful, but that will still complement less traditional styles of learning.”

Because they are delivered online, complementary courses can be continually updated as new attacks or techniques come to light – making them an ongoing educational resource for time-pressured cybersecurity practitioners. Such training complements other continuous improvement strategies Wirth and her team employ at her current employer, where gamification techniques and active phishing of employees help keep awareness of the phishing problem front and centre.

The recent Verizon Data Breach Investigations Report (DBIR) 2018 found that human complacency and error were the major contributor to the incidence of data breaches, with 4 percent of people clicking on any given phishing campaign – and repeat offenders even more likely to do it again.

Public-sector and professional services targets were particularly vulnerable to manipulation by phishing, with stolen credentials and personal data heavily targeted and contributing to “shocking” numbers of data breaches. And while Verizon recommends the use of two-factor authentication to reduce the incidence of phishing-engendered malware, regular training is equally important in maintaining awareness.

Cybercriminals certainly aren’t standing still, with the recent Nuix Black Report 2018 finding that attackers also tend to be well-trained. Fully 40 percent of respondents to that survey, which polls white-hat and black-hat cybersecurity specialists, said they have 3 or more technical certifications.

Despite this, 78 percent said that these certifications are not a good indicator of technical capabilities, beyond helping them secure employment. Cybersecurity qualifications have been linked with higher salaries overall, reflecting the industry demand for at least a baseline of security skills.

Whatever their formal certifications, practitioners were actively engaged in finding new ways to bypass IT security, with 49 percent saying they spend 21 or more hours weekly working to penetrate target systems. Fully 7 in 10 respondents to that survey believe that security professionals don’t know what they’re looking for when trying to detect attacks, and 9 out of 10 said that organisations don’t address all the vulnerabilities they find during penetration tests.

With those sorts of persistent adversaries, Wirth believes that defensive cybersecurity practices must be meaningfully taught and persistently reinforced.

“There are many different areas out there in IT, and when you step into cybersecurity you find there is a whole nother world behind it. There are a whole range of jobs that we can hold, which are specialisations of themselves. It is such a fast-changing area, and very specialised.”