Already the first issue of the PECB Insights Magazine, in April 2016, highlighted the importance of training and awareness as an essential supporting factor in increasing both the (result-driven) effectiveness and the (cost-driven) efficiency of information security.
This obviously holds not only for information security but for other management systems and business operations as well: the success of an implementation, and of its ongoing support, depends heavily on the people managing, supporting, and operating the system. If they do not understand the core principles, or, even more importantly, how critical their knowledge, skills and awareness are to making it work, the system will quickly collapse and fail, because it requires company-wide support at every layer.
If people are not convinced that they need the system, the management system will not work.
Many call people "the weakest link", as referenced in Magazine 1. But if you take a step back and consider the essential mechanism of ISO best practices (PDCA: Plan, Do, Check, Act, or Adjust), the human factor is not the weakest link but the last line of defense.
Because if anything else in the process and system fails, people should have the capability, skills, and knowledge to improvise and save it from total loss.
Since 2016, almost a decade ago, a lot has changed, rapidly, and the pace only goes up. So the importance of awareness and training has only increased.
This article will make clear why you need a long-term plan for learning and how to build it, rather than simply booking the next training course because you need it now. (Just so you know: while I will mainly focus on information security and cybersecurity, you can apply the same principles, hints, and tips to other sectors.)
Looking Back for Almost a Decade
Looking back at 50 editions of the PECB Magazine since the first publication in April 2016, a few remarkable things happened in these nine years that clearly impacted the approach to training and awareness.
One of the most important black swan events we all experienced is the COVID-19 pandemic, which had a major impact on the learning experience: many of us had to shift to working from home and eLearning, and the classic methods had to be reinvented.
There is a secondary effect of the pandemic which is equally important: its global economic impact stressed the importance of well-performing management systems in making businesses more resilient. Most economic sectors had a hard time, and our jobs changed one way or another.
Sadly, during the pandemic cybercrime became more aggressive and more visible. Many pandemic-response principles (like business continuity) have become clear guidance for the management of cybersecurity, and a lot of lessons learned from the pandemic apply directly to the protection of internet-connected systems. The successive waves of virus variants, for example, are a fitting metaphor for waves of malware infections in the digital world.
After cloud, the next technology wave, AI, promises to get complicated, rapidly.
Last but not least, we all had a lot of time to think about our future and about our current and future jobs and roles. So the learning targets changed for many of us.
From a personal learning perspective, April 2016 was a personal milestone too, for two reasons.
Right at that time I started my career as a freelancer, and I also changed direction from pure technical expert towards management systems, extending my experience in technology, process design, and teaching skills.
Until then I had a highly technical background in computer science, with a set of certifications in Microsoft technology, and I had built strong experience in Identity and Access Management (IAM). But in IAM, technology alone is not enough: you need to integrate complex IAM processes into the business processes at all layers of the company, on the operational, tactical (departmental), and strategic level, including "selling" the solution to heads of departments and to end users.
I initially launched my freelance journey with my Microsoft expertise. But I quickly realized that the accidental combination of my Microsoft technical architecture certifications with my ISC2 CISSP certification (2011) and ISACA CISA auditor certification (2007) already covered half of the learning investment for my ISO certifications.
Even today, I try to take smart steps in planning my learning, maximizing the value of my past track, including across vendors.

Many certifications and trainings, for example those from ISC2, ISACA, IAPP and SANS, provide a solid baseline that speeds up your PECB learning track. In some cases they are considered equivalent; you can always ask PECB about your particular case.
Side note: I actually started my ISO track with an ISO/IEC 27001 Lead Auditor certification (yes, auditor, not implementer), because as an implementer I had to guide a customer to ISMS certification and I wanted to know how to satisfy an auditor, to make sure the customer's ISMS delivered the minimum evidence required to pass the audit.
I also immediately registered as a PECB trainer, as I learned that teaching classes is a perfect way to learn from participants who ask questions, sometimes difficult ones that you need to investigate and explain. I will come back to the power of teaching as a method of learning later in this article.
Where Do You Want to Go Today?
One of the typical questions from participants at the end of each training course is: "OK, right, I got this now, what's next?"
The short answer is, in most cases, fairly easy: take this training course, then go to the next. It simply points to the reference material of the training course, to the next level of the course, or to a course that extends the current one with additional skills.
For example, learning the ISO/IEC 27002 security controls as a follow-up to an ISO/IEC 27001 Lead Implementer course (the ISO/IEC 27001 Annex A controls are detailed in ISO/IEC 27002). Or, after the implementer course, you go for the auditor course if you aim for an ISO certification track. Easy.
A typical training course built on this principle is the PECB NIS2 training course, which is essentially an advanced combination of the ISO/IEC 2700x training course series plus a clear pointer to NIST cybersecurity guidance. In the same way, the Belgian CyberFundamentals framework combines best practices from ISO/IEC 27001, the NIST CSF and other standards.
See below a snapshot from the PECB NIS2 training course, demonstrating the knowledge track:

But the stepping-stone mechanism is purely short-term thinking: it only plans the next step forward from the previous one, what you need now.
Are you sure that is what you need for the bigger plan?
It may be neither the best option for you nor the most efficient one.
I remember a moment when my most inspiring manager ever at Microsoft, Celine, rephrased the well-known Microsoft marketing slogan from the mid-90s ("Where do you want to go today?") while we were planning the next year's training budget.
"Where do you want to go tomorrow?" She made clear that, next to training courses in my comfort zone, there were other options, like managerial or communication skills, that would help me grow to the next level. To grow your comfort zone, you need to cross its borders.
Don't just think about the next training; plan what you need for the next job or profile you want to move to. How does the next training fit into your career?
A quick but important tip here: treat your training plan as a business case for your manager. What steps do you plan, what do they cost, and what do you get out of them?
A good example is ENISA's European Cybersecurity Skills Framework (ECSF).

NIST (US) has a similar framework, NICE: the NICE Workforce Framework for Cybersecurity (NICE Framework, NIST SP 800-181 Rev. 1) establishes a standard approach and a common language for describing cybersecurity work and learner capabilities.
Another interesting source, supported by NIST NICE, is CyberSeek. It is based on the most popular certifications, but you can easily map it to similar certifications, as Paul Jerimy demonstrates on his website. You will find the references to Paul's work further on in this article.
As mentioned before, similar frameworks exist for other sectors, but for the sake of time I focus on information security and cybersecurity.
Before You Start – What Is Your Learner Profile?
One of the first steps is to document your current situation and learning style: create a learner profile.
What is your background, what is your experience, what are your interests, and which learning methods work best for you?
While many people can guide you in planning training, no one else can define for you which methods you like and what works best for you.
For example, I am personally not much of a fan of video-based training: I usually play videos at 2x speed and then dive into the training course material and exercises. I also usually try the exams first, before jumping into the course, so I prefer training courses that come with sample questions and practice exams.
Hint: sometimes you don't know, and you simply need to try things to find out what doesn't work. Failure is a productive experience.
And recheck your profile once in a while (at least once a year).
Complexity of Discovering Your Learning Map
Recently I discovered a massive interactive mapping of certifications to skill levels and areas of interest, by Paul Jerimy.
Source: https://pauljerimy.com/security-certification-roadmap/

Be aware that it is nearly impossible to map every certification available and keep such a mammoth up to date, but it is a good overview to start with.
Certainly when you are new on the job or just starting your professional cyber career, it can be quite hard to find your way.
The map demonstrates the complexity of discovering your options.
Instead of starting the discovery and planning of your learning map entirely by yourself, it may help to have a coach or a mentor. If that option is not available in your company or in your direct network, don't be afraid to use professional networks like LinkedIn or security user groups and ask for coaching.
Many of the companies I work with provide a mentoring or coaching program as part of the hiring process. So when you plan to move jobs, ask for it.
Planning Learning Options
Paul Jerimy already uses an interesting mapping strategy for cybersecurity jobs: experience level (beginner, intermediate, and expert) vs subject area (communication and network security, IAM, security architecture and engineering, asset security, security and risk management, assessment and testing, software security, and security operations).
A while ago I did a similar mapping, starting from ISO/IEC 27001 and tracing it to the related master standards of other areas, like business continuity, governance, and audit.
The principle is fairly simple: every ISO/IEC 27001 clause and Annex A control is supported by an ISO/IEC 27xxx sub-standard, which in turn draws on a parent standard such as ISO 22301 (BCMS), ISO 31000 (risk management), or ISO 37000 (governance of organizations).

Interesting learning map, isn't it?
The same applies to the new kid in town, AI.
Simply by looking at ISO/IEC 42001 (and the PECB training course), you get similar hints:
- ISO/IEC 42001: requirements for an AI management system (AIMS)
- ISO/IEC 42005: guidance for AI system impact assessment
- ISO/IEC 42006: requirements for bodies auditing and certifying an AIMS
- ISO/IEC 22989: AI terminology and concepts
- ISO/IEC 38507: governance implications of the use of AI
- ISO/IEC 23894: AI risk management guidance
- ISO/IEC TR 24028: overview of trustworthiness in AI
- ISO/IEC 23053: framework for AI systems using machine learning
Have a look at the new PECB Certified AI Professional, and at the AI technical trainings from the various vendors.
Learning Plan Parameters
What parameters do you need to consider when setting up your learning map?
This is not an exhaustive list, but it is a helpful starting point for building a plan:
- Current experience vs target experience: many courses require a minimum level of experience before the certification is granted. Don't let that stop you from passing the exams, because in most cases you can upgrade your certification level once you reach the required experience. Get started!
- Hard skills vs soft skills: get out of your comfort zone. As you build experience, you will need to master additional skills, like management communication, crisis management, incident management, budget and project management, and teaching skills, that extend the value of your technical skills.
- Responsibility area: check the level of responsibility the training targets. Governance trainings focus on the strategic management level (CxO level); administration and managerial trainings focus on your role as a manager at the tactical level; operational trainings focus on daily operations. Where do you want to go next?
- Subject area: which area of content do you need? Technical and operational implementation, planning and architecture, governance and administration, compliance, audit and assessment, risk management, etc.
- Learning methods: as explained earlier for your learner profile, which learning methods are your favorite and most effective? Classroom training, self-paced eLearning, video-based, etc.
- Training course methods: theory, hands-on, live tests, practical use cases, etc.
- Budget: all of the parameters above drive the cost of a training course.
Some Practical Hints and Tips when Implementing Your Learning Plan
Negotiate learning budget as part of the (new) job
As continuous learning is essential to staying on top, have you ever considered negotiating a learning budget as part of the job discussion for a new opportunity?
Be aware that in many cases a learning budget is financially more attractive than the equivalent salary, e.g. for tax reasons.
Continuously Review Your Plan
Once or twice per year, review or reset your plans. Some technology areas move fast, and education and training are continuously updated. It is quite important to choose a few channels or target communities and monitor the learning opportunities they announce.
Ask Peers What They Learn
The easiest way to get information about learning options is to ask peers in your professional network, colleagues, or coaches and mentors what they learned.
First-hand feedback is an important and easy way to evaluate the quality of training courses.
Budget and Quality
Quality comes at a price. Nothing is free; in the best case it is sponsored. Building quality learning content requires resources and time.
The good news, though, is that there is a lot of free material you can use as starter material, including the PECB webinars.
And recently PECB launched the PECB Skills platform, which offers continuous learning options split into 15-minute capsules for microlearning at your convenience.
Keep Learning – The Next Level
· Walk the talk, teach the walk
It may sound like a contradiction at first sight, but when you start teaching your lessons learned, you learn how to master communication skills. And the interactions with your participants will give you very interesting insights and educational examples with which to build your own experience.
· Walk the talk, audit the walk
Ever considered becoming an auditor? For certain areas, certainly in ISO standards, it is quite rewarding to audit a variety of situations, as you quickly learn how well (or how badly) others implement the standards.
· The power of coaching and mentoring
When you reach the intermediate or even the expert level, you may feel that the choices for your experience level become limited. In that case, consider changing your role to become a coach and/or mentor.
If this is not an option within your company or current role, you will find plenty of local or online communities that are looking to engage coaches and mentors.
Expanding your skills while passing on your skills and experience to others is a very satisfying way to keep learning.