Putting NICE Guidelines into Practice: Training Insights

Summary

– SMBs face significant cyber threats despite limited budgets, prompting researchers to develop a simplified training approach based on the NICE Cybersecurity Workforce Framework.
– The curriculum focuses on protecting against the most common SMB attacks—phishing, malware/ransomware, and web-based threats—by reducing the framework to 88 technical and 54 non-technical elements.
– Training uses realistic attack simulations, such as ransomware via EternalBlue and PBX hacking, integrating technical skills with legal knowledge like breach notification laws and the Computer Fraud and Abuse Act.
– The approach demonstrates how to distill broad frameworks into risk-focused training and blends legal and technical work, offering lessons for larger enterprises to improve cross-disciplinary incident response.
– This scenario-based method can be adapted by any organization to target specific threats, enhance engagement, and extend to areas like IoT, emphasizing the value of practical, risk-anchored training.

Small and medium-sized businesses (SMBs) frequently become targets for cyberattacks despite operating with limited financial resources. A recent study conducted by Cleveland State University explored how these companies could effectively train their employees without becoming overwhelmed by the extensive NICE Cybersecurity Workforce Framework. The outcome is a streamlined, scenario-focused training program that offers valuable insights for security leaders in much larger corporations.

The research team tackled the challenge of simplifying the vast framework by posing a straightforward question: What if training focused only on the components that defend against the most frequent attacks targeting smaller enterprises? By analyzing data from sources like Verizon, the Ponemon Institute, CISA, Hiscox, and ENISA, they pinpointed three primary threats responsible for the majority of SMB security incidents: phishing and social engineering, malware and ransomware, and web-based attacks.

This analysis allowed them to reduce the framework to a more manageable set of 88 technical and 54 non-technical elements. Even in its condensed form, the curriculum addresses essential areas such as risk management, malware analysis, web services, privacy legislation, insider threat investigations, and supply chain risk management.

With this focused list, the researchers developed training centered around realistic scenarios. Rather than presenting abstract ideas, learners engage with simulations modeled after actual cyberattacks. These exercises include ransomware distributed via the EternalBlue exploit, attacks leveraging Spectre and Meltdown hardware vulnerabilities, PBX hacking, website fingerprinting, DDoS campaigns, and phishing operations associated with the Thallium group.

Each scenario integrates technical skills with relevant legal knowledge. For instance, the EternalBlue simulation covers both hardening operating systems and compliance with breach notification laws. Similarly, the PBX hacking exercise examines access control measures alongside the Computer Fraud and Abuse Act.

Virtual machine laboratories provide hands-on opportunities for learners to execute and defend against these attacks, while accompanying legal case studies illustrate how regulatory requirements influence technical responses.

For Chief Information Security Officers (CISOs), the study highlights two critical takeaways. First, it demonstrates that even a comprehensive framework can be distilled to address genuine risks. Many security leaders manage training programs that are extensive yet unfocused. Adopting a selective approach helps ensure that training remains pertinent and actionable.

Second, the model successfully merges legal and technical responsibilities. Incident response within large enterprises invariably involves coordination with compliance and legal departments. Training that mirrors this reality better equips staff for the interdisciplinary collaboration required during an actual security crisis.

Martin Walsh, Chief Legal Officer at Daon, observed a similar deficiency in smaller organizations. He noted that SMBs often lack internal specialists or reliable external advisors. “Frequently, these critical issues are assigned to a general IT employee who possesses neither the expertise nor the experience, and who receives little support from management,” Walsh explained. “These are significant problems that demand appropriate attention.”

Walsh also cautioned against operating in isolated departments, emphasizing that “cross-functional cooperation among security, IT, legal, regulatory, and privacy teams is essential.” A siloed approach, he warned, heightens the risk of exacerbating already difficult situations.

Although the project was designed for SMBs, larger organizations can adopt a similar methodology. CISOs can identify the most urgent threats within their industry, align them with the NICE Framework, and construct targeted scenarios. This strategy provides employees with practical experience while ensuring training is directly tied to tangible business risks.

The scenario-based method may also enhance training engagement. Employees often disengage during abstract policy discussions, but navigating a simulated attack that demonstrates legal repercussions tends to be far more impactful and memorable.

Walsh further recommended strengthening collaboration through structured routines. “Establish a Security or Privacy Working Group and hold monthly meetings without exception,” he advised. “Involve key personnel such as your in-house attorney, Head of IT, and Head of Information Security, and ensure senior management participates as well. I also suggest engaging an external, independent data protection officer to provide an objective review. A false sense of security benefits no one.”

He also advocated for regular desk-based scenario exercises. “Outline a hypothetical data breach and conduct a walkthrough to evaluate your performance and identify strengths or weaknesses,” Walsh added.

The research team believes this approach could be expanded to other domains, including the Internet of Things (IoT). As organizations integrate connected devices faster than they can train their staff, a focused, scenario-driven curriculum could help bridge the resulting skills gap.

While frameworks serve as useful starting points, their true value emerges when they are refined to address what matters most and when training is directly linked to real-world incidents.

(Source: HelpNet Security)
