Want to scale cyber defenders? Focus on AI-enabled security and organization-wide training

It’s safe to say that the cyber threat landscape has never been more complex than it is today. Security teams are dealing with a near-constant barrage of attacks that are only continuing to increase in both frequency and sophistication. According to the Microsoft Digital Defense Report 2023, attempted password attacks increased more than tenfold last year — jumping from 3 billion attempts per month to more than 30 billion.

This flood of security alerts and incidents makes it difficult to effectively drive organization-wide security. For starters, many organizations lack the number of cyber defenders they need to respond to alerts. ISC2 estimates that the gap between the number of security professionals needed and qualified personnel available grew 13% from 2022 to 2023 — translating to an estimated 4 million new workers required to meet current demands.

Additionally, we also must consider the impact that a single employee’s actions can have on the entire organization’s security posture. Human error, whether unintentional or a deliberate insider action, is one of the leading causes of cyber breaches and plays a role in 76% of incidents. If already overburdened security teams are to properly protect their organization’s digital estate, then employees at all levels must do their part by consistently following security best practices to reduce the risk of a breach.

When combined with a holistic security awareness and education program, generative AI is one potential lever organizations can pull to scale human-led cyber defenses across the enterprise. Here’s how.

Scale security knowledge and best practices with AI

Generative AI holds enormous potential in the security space, able to scale institutional knowledge and security best practices for less experienced defenders by prompting them with automated remediation steps and guidance.

With generative AI, they don’t need to focus as much on teaching a specific remediation technique or providing instructions for how to use a particular technology. Instead, the focus is on teaching cyber defenders what AI workflow or prompt they should call on for which scenarios. This model allows security practitioners to automate repetitive and time-consuming tasks, saving their brainpower for more strategic scenarios that require creative problem-solving or a novel approach. Generative AI isn’t taking anyone’s job. Rather, it’s simply offloading the security problems that we already know how to solve.

At Microsoft, we use Copilot for Security to help increase defender efficiency and capabilities to improve security outcomes at machine speed and scale. Because Copilot for Security uses natural language processing (NLP) to support cyber defenders in end-to-end scenarios like incident response, threat hunting, intelligence gathering, and posture management, it’s easier for less-experienced security practitioners to achieve more and take on unfamiliar security tasks.

This knowledge-scaling capability also has the dual benefit of lowering the time and barrier to entry for new cyber defenders. AI can level the playing field for cyber defenders’ understanding of specific attack types, remediation techniques, security platforms, and more. This AI-enabled shift reduces time-intensive hiring requirements—such as experience and academic study—and fosters skill-based hiring for entry and mid-level roles. This skill-based approach addresses both the cybersecurity skill gap and the headcount gap, and empowers human resource and cybersecurity managers who report valuing certification-based training over traditional degree-based education for mid-level roles by a 2:1 ratio.

Reducing the barrier to entry also opens the security profession to more candidates, enabling our industry to promote diversity of thought and background which is crucial to countering the increasing sophistication and creativity of attacks. According to the 2024 SANS GIAC Cyber Workforce Research Report, 71% of respondents are committed to prioritizing the recruitment of diverse candidates within their cybersecurity workforce. Today, 69% of cybersecurity professionals believe an inclusive environment is essential for their team to succeed, while 53% report that diversity within the security team has contributed to its success.

Equip employees at all levels to become cyber defenders

In addition to using generative AI to increase cyber defenders’ effectiveness and scale their impact, organizations must also work to proactively reduce their human attack surface through security awareness and education programs. There are four key pillars organizations should focus on when structuring these trainings:

1. Identify your most pressing organizational risks: In the past, security training has often been positioned as a compliance requirement that organizations must complete to “check a box.” However, this one-size-fits-all approach misses the mark on equipping employees with the tools they need to change specific risky behaviors.

At its core, security awareness training is simply a security control that addresses human risk within your organization. When building a training program, start by identifying the human risk. Examine previous cybersecurity incidents across your organization. What was the cause of each incident and how did it unfold? From there, you can begin to extrapolate which specific risks you need to address with employees and create a plan for preventing similar incidents from occurring in the future. Industry research and comprehensive security reports are other resources to use when evaluating which risks to include in your training program.

2. Establish metrics to quantify risks and measure progress: Once you have identified your organization’s specific risks, it’s time to quantify them and create a plan for measuring employee progress.

Start by looking at risk or impact to quantify why the behavioral change is important. What was the cost of each incident to your organization? Did your organization or customers experience downtime while the threat was remediated? Was sensitive customer data leaked? To properly incentivize behavioral change, you have to start by identifying and communicating the “why.”

Next, quantify the desired behavior change in a measurable way that will allow you to track employee progress. For example, say your organization realized risk with employees frequently downloading email attachments from unknown contacts. By training people about the risk of downloading attachments from unknown contacts and measuring the number of attachments downloaded from external contacts pre- and post-training, you can measure the program’s impact.

Measuring progress is one way to hold employees accountable and confirm whether the education provided was effective at changing behavior or if a different approach is needed.

3. Incentivize behavioral change: The core reason why organizations conduct regular security awareness training is to drive behavioral change. Not only must employees complete the training, but they should also continue to follow its teachings long after the education module is completed. Otherwise, your training program didn’t reduce your risk posture.

Measurement is one way to track behavioral change, but incentives are an effective way to encourage employees to continually adhere to security best practices. Get creative with your incentives; it’s ok to make security fun! Create internal challenges to see which division can score the highest, or distribute digital badges to employees who complete their training within the first 30 days. Encouraging behavior doesn’t need to be anything costly or overly time-intensive. They should simply act as a vehicle for recognizing and reinforcing the desired employee behavior, thus getting you closer to your intended result of sustained behavioral change.

4. Create a self-sustaining culture of security: Perhaps the most challenging and most important pillar of all is to create a broader culture of security awareness within your organization. For this to work, organizations and leaders must continually reinforce security teachings to ensure the knowledge remains top of mind.

This is primarily a marketing and branding problem. Focus on creating an internal message that communicates why security awareness training is crucial for all employees, not just the security team, and the impact a single employee’s actions can have on the integrity of your organization as a whole. Then, identify spokespeople at various levels of the org chart who can champion this messaging and encourage their peers to take a more active role in cybersecurity—thus embedding security more deeply into your organization. The end goal is for employees to understand the core concepts of good security practices versus unsafe ones, and to have the necessary skills to proactively apply that understanding to other types of security risks they may witness.

When used in concert, generative AI-enabled security solutions and broad-reaching security and awareness training can supercharge the effectiveness of your defenders.

Security awareness and education programs reduce human risk factors by embedding security best practices at all levels of the organization and ensuring employees understand the “why” behind specific positive security behaviors. This is crucial given that more than three-quarters of security incidents involve unintentional human error or insider risk. Meanwhile, organizations can enable existing security practitioners by leveraging generative AI to increase defenders’ knowledge base and drive faster times to threat detection and resolution.

Learn more about advancing federal threat protection and cybersecurity best practices at  https://aka.ms/FedCyber.