6 Days Left to Save $200 on SANS South Florida 2015

Critical Security Control: 9

Critical Security Control: 9

Security Skills Assessment and Appropriate Training to Fill Gaps

For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.

Why Is This Control Critical?

It is tempting to think of cyber defense primarily as a technical challenge, but the actions of people also play a critical part in the success or failure of an enterprise. People fulfill important functions at every stage of system design, implementation, operation, use, and oversight. Examples include: the actions of end users (who can fall prey to social engineering schemes such as phishing); IT operations (who may not recognize the security implications of IT artifacts and logs); security analysts (who struggle to keep up with an explosion of new information); system developers and programmers (who don't understand the opportunity to resolve root cause vulnerabilities early in the system life-cycle); and executives and system owners (who struggle to quantify the role that cybersecurity plays in overall operational/mission risk, and have no reasonable way to make relevant investment decisions).

Attackers are very conscious of these issues and use them to plan their exploitations by, for example: carefully crafting phishing messages that look like routine and expected traffic to an unwary user; exploiting the gaps or seams between policy and technology (e.g., policies that have no technical enforcement); working within the time window of patching or log review; using nominally non-security-critical systems as jump points or bots.

No cyber defense approach can begin to address cyber risk without a means to address this fundamental vulnerability. Conversely, empowering people with good cyber defense habits can significantly increase readiness.

How to Implement This Control

ID # Description Category
CSC 9-1 Perform gap analysis to see which skills employees need and which behaviors employees are not adhering to, using this information to build a baseline training and awareness roadmap for all employees. Quick win
CSC 9-2 Deliver training to fill the skills gap. If possible, use more senior staff to deliver the training. A second option is to have outside teachers provide training onsite so the examples used will be directly relevant. If you have small numbers of people to train, use training conferences or online training to fill the gaps. Quick win
CSC 9-3 Implement an online security awareness program that (1) focuses only on the methods commonly used in intrusions that can be blocked through individual action, (2) is delivered in short online modules convenient for employees (3) is updated frequently (at least annually) to represent the latest attack techniques, (4) is mandated for completion by all employees at least annually, and (5) is reliably monitored for employee completion. Quick win
CSC 9-4 Validate and improve awareness levels through periodic tests to see whether employees will click on a link from suspicious e-mail or provide sensitive information on the telephone without following appropriate procedures for authenticating a caller; targeted training should be provided to those who fall victim to the exercise. Visibility/Hygiene
CSC 9-5 Use security skills assessments for each of the mission-critical roles to identify skills gaps. Use hands-on, real-world examples to measure mastery. If you do not have such assessments, use one of the available online competitions that simulate real-world scenarios for each of the identified jobs in order to measure skills mastery. Configuration/Hygiene

CSC 9 Procedures and Tools

An effective enterprise-wide training program should take a holistic approach and consider policy and technology at the same time as the training of people. For example, policies should be designed with technical measurement and enforcement when possible, reinforced by training to fill gaps; technical controls can be implemented to bound and minimize the opportunity for people to make mistakes, and so focus the training on things that cannot be managed technically.

To be effective in both cost and outcome, security training should be prioritized, focused, and specific (for example, using a S.M.A.R.T. metrics program). A key way to prioritize training is to focus first on those jobs and roles that are critical to the mission or business outcome of the enterprise. One way to identify these mission-critical jobs is to reference the list prepared by the Council on CyberSecurity (which builds upon the work of the 2012 Task Force on Cyber Skills established by the Secretary of Homeland Security): 1) System and Network Penetration Testers, 2) Application Penetration Testers, 3) Security Monitoring and Event Analysts, 4) Incident Responders In-Depth, 5) Counter-Intelligence/Insider Threat Analysts, 6) Risk Assessment Engineers, 7) Secure Coders and Code Reviewers, 8) Security Engineers/Architecture and Design, 9) Security Engineers/Operations, and 10) Advanced Forensics Analysts. The Council has validated this list as consistent with the broader NIST National Initiative on Cybersecurity Education (NICE) framework, and with the needs of many enterprises in government and industry. Training for these mission critical roles should be supplemented with foundational security training for all users.


General awareness training for all users also plays an important role. But even this training should be tailored to functional roles and focused on specific actions that put the organization at risk, and measured in order to drive remediation.

The key to upgrading skills is measurement through assessments that show both the employee and the employer where knowledge is sufficient and where there are gaps. Once the gaps have been identified, those employees who have the requisite skills and knowledge can be called upon to mentor employees who need to improve their skills. In addition, the organization can develop training plans to fill the gaps and maintain employee readiness.

A full treatment of this topic is beyond the scope of the Critical Security Controls. However, the actions in CSC 9 provide specific, high-priority steps that can improve enterprise security, and should be a part of any comprehensive security training program.

CSC 9 Effectiveness Metrics

1. Participation rate for online training courses - percentage of staff completing security training (by business unit)

2. Average scores of online tests, compared to baseline (previous tests, industry data if available, etc.) by business unit

3. Average scores of periodic tests (e.g. click rates for test phishing emails) by business unit

4. Individual scores on skill assessment tests for individual mission critical roles by business unit

5. Retention (or job opening fill rate) of mission critical roles (org/unit metric)

CSC 9 Automation Metrics


CSC 9 Effectiveness Test


Creative Commons - Attribution-NoDerivs 3.0 Unported (CC BY-ND 3.0)

This work is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.

To further clarify the Creative Commons license related to the 20 Critical Controls content, (i) All persons are authorized to use the content as a framework in their organization or to sell professional services related to the content (e.g. a consulting engagement to implement the 20 Critical Controls), and (ii) sale of the contents as a framework model is not authorized. Users of the 20 Critical Controls framework are also required to refer to http://www.sans.org/critical-security-controls/ when referring to the 20 Critical Controls in order to ensure that users are employing the most up to date guidance.