Michael Moniz, Co-Founder, President and CEO of Circadence, a leader in cybersecurity learning and training solutions.
getty
Have you thought about how critical the practice of education is to running a business? From onboarding new talent to meeting revenue goals, employees need to continually learn, train and gain relevant experience so they can apply expertise in their jobs that enable businesses growth.
To support employee professional development, there’s a lot we can learn from the academic world about building great training programs. Because continual cyber training is critical to the safety of our digital world, I’m interested in identifying ways to improve cyberlearning. Working with higher education instructors who teach cybersecurity, I’ve studied their pedagogical approaches and have drawn parallels to how those strategies can be implemented in workforce training for cybersecurity professionals. Because business and academia shouldn’t be mutually exclusive, I fundamentally believe we can learn a lot from how the “other side” operates.
One academic practice that stands out for me is curriculum mapping. At first glance, it may not seem like a topic that applies to business in general or cyber professional training specifically, but let me assure you, the parallels are evident.
What’s curriculum mapping?
A curriculum is the total of all things an educator needs to teach students, from the overall learning goals to the lesson plans and timelines to the textbooks. The process of “mapping curriculum” ensures alignment of the overall learning objectives to the details of the lesson plans so that the actual teaching delivers on the learning objectives. Professors have limited time, and a map gives them the control to be effective with what they teach and how they teach it.
I’ve been thinking about how to apply that practice to the business of cybersecurity training. The National Initiative For Cybersecurity Careers and Studies promotes a workforce framework for cybersecurity (referred to as the NICE framework) that sets out seven categories, 33 specialty areas and 52 work roles for understanding and managing the totality of cybersecurity.
Creating a cyber training program for your company is not about training in all those categories. It’s about building a specific curriculum that aligns with staff skills. We can use a similar design approach as educators map a cyber curriculum and build the right training program for our teams inclusive of all the ways we provide that training: digital training libraries, on-site workshops and off-site classes.
Successful curriculum mapping answers questions like these:
• What do you want students to do, know or feel at the end of the program?
• What elements are needed to teach students a specific discipline?
• How are those elements layered to yield effective retention outcomes?
• How do assessments, lessons and teaching techniques ensure student learning matches academic expectations?
Cyber managers or trainers can ask these same questions to start their training program’s curriculum map.
Best Practices
Give it a go! Cyber managers or trainers can apply three best practices of curriculum mapping to their own training program strategy.
First, define your demographic. Cyber managers and trainers, just like teachers, need to have a clear picture of where their students or cohorts are starting in their learning journey. Think of it this way: Someone who can barely make it up the stairs carrying a grocery bag isn’t going to be able to bench press 100 lbs in their first training session. Similarly, students with no cybersecurity experience won’t be ready to conduct a brute force attack on the first day of class. So, instead of drafting a full-blown curriculum, educators consider where their students are in their journey. They ask questions like:
• How much experience do they have with IT topics?
• How much experience do they have with cybersecurity and its associated technology?
• What level of study have they previously completed (e.g., high school, undergrad or grad school)?
Your cyber managers or trainers can adapt these questions to the cohorts they’re planning for:
• When was the last time the cohort received cyber training?
• How much experience do they have with new tools in the system?
• What are the varying degrees of competency and skill among the cohorts?
Once managers or trainers understand where their cohorts are starting, they’ll be ready to map out a training curriculum that suits their staff needs (and the needs of the company).
Second, don’t try to teach it all. Educators don’t need to teach everything about a subject in one course. Spread it out so courses can be taught in-depth equally as they’re taught broadly. For example, in cybersecurity, it’s important to understand practices like scripting and automation but both don’t need to be taught in the same foundations course.
For cyber instructors who train teams of practitioners, the same applies. Select an area in which your team needs the most improvement. Don’t try to fix it all at once because it’ll become too overwhelming. Most cyber managers and trainers don’t have the adequate resources they need to run full-fledged training programs anyway, so there’s no shame in starting small with one or two subject focus areas.
Third, make time for activities that help students learn by doing. Practicing aspects of a subject in a hands-on manner reinforces the learning concepts discussed in readings, videos and lectures. It’s one thing to read about an autopsy in a textbook but actually using the tools is concrete and specific. Sufficient practice takes students from introduction to reinforcement to mastery of a subject.
You can see how hands-on practice in a sandbox environment for cybersecurity professionals would be valuable in their training program. Having the opportunity to break stuff and use real tools to make repairs goes a long way in improving response times and communications when urgency is required.
Circling The Wagons
Curriculum mapping is one of many practices that professional educators use to teach effectively. In the business world, we can learn from their expertise and approach, paying particular attention to their methods and the “science of teaching” to identify how we can model the successful training and development of our greatest corporate asset — our people — especially in cybersecurity.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
