We know you’re tired of reading about the cyber skills gap; many organizations are obviously facing challenges in recruiting, skilling, and retaining security professionals. We haven’t written this cheat sheet to tell you what you already know. Instead, we will outline a realistic strategy for workforce-wide cyber skills development, focusing on the solution, not just the problem.
The state of cybersecurity skills
Even though cyber threats are constantly evolving and attacks come from everywhere, most training for security teams is stuck in the 90s.
Classroom-based courses don’t only fail to keep pace with the nature of threats; they also limit research and discovery. These courses, which comprise one-dimensional teaching and require significant time commitments – often in uninspiring environments – are impractical and expensive, moving only as fast as the slowest learner in the room. Worse still, the content is outdated within days of completion, sometimes sooner.
The evolving threat landscape demands continuous development of skills. You cannot take a snapshot in January and publish those findings in March because the content expires; however, many training providers still prepare content this way. The average data breach costs $3.86 million. By studying security fossils instead of active threats, organizations are putting themselves in financial peril.
Traditional courses don’t only lack up-to-the-minute content; they disengage inquisitive minds. Cybersecurity is highly technical and cannot be mastered in the classroom, which focuses on instruction rather than facilitation. Those who excel in the field are analytical, curious and creative – the sort who break things just to understand how they work. They learn by doing and respond best to experiences that are interactive, challenging and fun.
Constraining modern learners by time and space – i.e. classroom sessions – is archaic. They can order food or watch their favourite TV show on demand, so developing cyber skills should be no different. LinkedIn’s Workplace Learning Report 2019 found that 74% of employees want to learn in their spare time. One-shot training simply cannot facilitate this.
Two cybersecurity training myths
There are two main reasons businesses still risk wasting money on training that does not actually meet their cybersecurity needs:
1. There’s a reliance on certifications. Employees who are ‘qualified’ in cybersecurity tick certain boxes for an organization and prove that the company has addressed the issue. The perception is that they can be left in control with no additional training because, technically, they are qualified. The truth, however, is that most cybersecurity certifications are theory based, requiring little demonstration of real-world skills.
2. Organizations are not aware of the viable alternatives. And until recently, there weren’t any. But purchasing dry, static training courses that lag behind threat actors and their tools is no longer the best (or only) option. With on-demand access to the right learning experiences, employers can nurture cyber talent across an entire workforce.
Cyber skills development philosophies
Addressing the challenge of skills in cybersecurity is not as simple as uploading training content to an intranet or even mandating classroom-based courses for individuals and teams. Your approach to enhancing cyber skills will be most effective when it aligns to your overall security strategy. This means deciding the expertise you want staff to develop (and understanding why) while considering effective methods to ensure that it sticks.
The following sections will help you understand how your security ethos can be effectively mapped to your cyber skills development efforts.
The capability-driven organization
Build your own security pros
Most organizations today are capability driven, concerned with having the right people in the right places; they rely on their staff having industry-recognized skills and qualifications, and look for individuals to fill specific functional roles (SOC Analyst, Incident Responder, Vulnerability Management, etc.). The effectiveness of their security strategy is measured against having the right people in these roles.
This approach relies on making the right training available to the right individuals at the right time. Executed effectively, a capability-driven strategy can focus on upskilling existing talent to fill particular roles by meeting specific training objectives. The ultimate aim of this philosophy is to scale back the significant effort and investment required to hire individuals who already have these skills.
Potential drawbacks to this approach:
- Security professionals may end up siloed in roles that are too tightly defined
- Where talent isn’t nurtured, external hiring may become the default