2a. It is incumbent on employers of cybersecurity personnel to vet prospective employees more thoroughly than candidates for non-security positions, because these employees will handle sensitive information and will themselves initiate identity checks; a careful evaluation reduces the risk of an insider threat later. With the increase in cyberattacks, companies need to put strong recruitment measures in place, especially for staff who will work with sensitive data and safeguard vital networks and devices. Pre-employment background checks verify that the information the applicant provided about their experience, education, criminal record, and so on is accurate. This process ensures that the cybersecurity hire is trustworthy and qualified. Overall, with the rise of cyber threats and security breaches, conducting this initial evaluation confirms that the employee is highly qualified, has no criminal record, and will not put the company at risk.
2b. Employers reviewing applicants through social media is popular and inexpensive (McCrie & Lee, 2022). An organization will usually post the position with information about the role, including the job description, responsibilities, qualifications, position level, and sometimes salary. For example, if an organization posts a position on LinkedIn with all of the above information, the applicant can apply directly through LinkedIn or be directed to the company's website to apply. Using social media to advertise a position can attract many applicants and yield a large volume of applications, which are then narrowed through interviews and screenings, as well as background checks for some roles. I believe that if the job role was posted on a social media site and the applicant's social media profile is publicly viewable, then viewing it is not an invasion of their privacy. However, if an applicant's social media profile is set to private and an employer hacks into the applicant's account or poses as another person to gain access, then this is an invasion of privacy and the company can be in trouble. Overall, whether an applicant's social media is reviewed depends on the company and the position level, but there should be rules limiting how far that review may go. LinkedIn is commonly used for job searching, and users may list their education, experience, certificates, or skills on their profile, along with an "open to work" feature that signals they are looking for a job and open to recruiters viewing their profile.
2c. Ongoing training is an approach in which employees are trained on a regular basis over multiple sessions rather than in a single session. Ongoing training helps employees remain compliant with updated regulations, stay current on security best practices, and achieve better retention of the material and better job performance. In-service training, by contrast, is a professional development effort that trains the employee to meet the organization's policies and to develop specific skills.
• Board of Directors: Training will include budget planning, organization mission and goals, importance of building strong relationship with stakeholders, corporate social responsibility, governance practices, and how to make effective decisions for the organization.
• Senior Management: Training will include group leadership development, training on organizational culture, training to build a cohesive team, training on mentoring new employees, and training related to time management. Also, training that helps them understand the different areas of cybersecurity challenges and how to respond to incidents with a strategic plan for protecting the organization.
• Chief Information Security Officer (CISO): Training in the areas of security standards such as NIST, ISO, COBIT, etc. Ongoing training in data privacy regulations and information security risk management technologies and strategies. Also, training in risk assessment approaches, methods in safeguarding the company’s information assets, and training on new techniques to prevent and recover from cyberattacks.
• IT Management (CIO, IT Director, etc.): Training will include managing security teams, understanding security issues and terminology, various cybersecurity frameworks, and different security standards. Also, training in network and data security to increase technical skills.
• Functional Area Management: Training will include project management, risk analysis, leadership on facilitating teams, various ways for process enhancements to improve efficiencies, and more.
• Information Security Personnel: Training will include methods of monitoring IT systems for threats, training on the various vulnerabilities that can occur in the network, and sessions on how to perform effective penetration tests.
• End Users (employees in the organization): Training consists of security awareness training, delivered through videos that educate them about suspicious emails and phishing, not sharing passwords, and the importance of keeping data secure by following security policies. It also covers understanding the organization's security policies and the rules that must be followed.
2f. The article "Security Awareness Training for the Workforce: Moving Beyond Check-the-Box for Compliance" by Haney and Lutters explains the effectiveness of cybersecurity training. Cybersecurity training is the strategic measure for introducing and presenting security practices to an organization's workforce (Haney & Lutters, 2020). In cybersecurity today, with a quickly changing threat landscape, training gives employees the skills and tools needed to practice good security hygiene (Haney & Lutters, 2020). Effective cybersecurity training should connect security best practices to the organization's business objectives, present material to employees periodically through creative approaches, provide actionable steps on how to protect themselves and the organization, and make security training mandatory for all employees (Haney & Lutters, 2020). One challenge with cybersecurity training is a lack of employee participation, in which case employees do not understand the importance of security policies (Buege, 2021). Other challenges include incidents that are not reported, employees remaining vulnerable to phishing, employees losing interest and focus as they complete the training, and security content quickly becoming outdated as techniques and threats evolve (Buege, 2021). The cybersecurity training programs at my workplace educate all employees on the cybersecurity landscape and how to protect the organization from security breaches. The training consists of mandatory videos covering phishing emails, malware, ransomware, password security, suspicious emails or contacts, compliance requirements, and more.