The shortage of cybersecurity professionals worldwide is a growing concern for organizations of all sizes, as threats mount and attack vectors become more difficult to defend against.
CyberSeek.org counts nearly 770,000 open jobs in cybersecurity, and the data is showing that employer demand for cybersecurity workers is growing 2.4 times faster than the overall rate across the US economy.
To adequately train the next generation of cybersecurity pros, organizations need to start thinking more collaboratively, using virtual technologies as learning tools, and turning to upskilling to offer opportunities to in-house talent.
Teaching the Why Along With the How
Some of the changes in training and education approaches are fundamental, argues Andrew Hay, COO at Lares Consulting, an information security consulting firm.
“We often teach people the ‘how’ but never the ‘why’ when it comes to cybersecurity training,” he says. “For example, we’ll show someone how to run a tool to detect a vulnerability, but we won’t educate them on why the vulnerability surfaced in the first place.”
He says if you don’t show people how to prevent vulnerabilities from occurring, you’re doomed to keep showing them how to detect them after the fact.
“We have an entire team dedicated to showing our customers how to detect, mitigate, and prevent attacks within their organization,” he says. “Not only do we show effect, but we also show cause.” Hay says by training people to prevent insecure configurations in the first place, you can help them reduce their attackable surface area.
He adds that cyber-range and capture-the-flag (CTF) events are fantastic learning environments to hone your skills and grow as a cybersecurity professional.
“You’ll get to experience how others think about attacking a system, what tools and techniques they use, and their thought process,” Hay says. “It’s invaluable.”
Danielle Santos, manager of communications and operations for NIST’S National Initiative for Cybersecurity Education (NICE), says investing in cybersecurity training and education now is critical to meet this growing demand.
“We are coordinating with government, academic, and industry partners to build on existing successful programs, facilitate change and innovation, and bring leadership and vision to increase the number of skilled cybersecurity professionals,” she explains. By facilitating a mechanism whereby the educators, trainers, and employers can come together as a community, they are better positioned to have training that meets the workforce demand.
NICE is also responsible for maintaining the Workforce Framework for Cybersecurity, which describes tasks, knowledge, and skills that are needed to perform cybersecurity work. It provides a standard for training and certification providers to establish knowledge and skill requirements according to tasks in the workplace.
Smashing Training Silos
Mika Aalto, co-founder and CEO at Hoxhunt, a Helsinki-based provider of enterprise security awareness solutions, says that the motivation for training today is compliance-driven, not security-driven, which leads to training implementations that can’t address human cybersecurity risk.
He argues that organizations should take a risk-based view of the actual attacks employees face and focus on building the right culture and driving the adoption of the correct habits.
“When it comes to the core sins, organizations are running punitive programs that fail to capture employees’ hearts and minds,” he says.
Making matters worse, training frequency is occasional, and curriculum is built with a one-size-fits-all mentality. “Today’s technology allows us to automatically develop and deliver individual training experiences at scale, driving behavior change rather than raising awareness,” he says.
From Aalto’s perspective, another core sin is that the training often gets siloed. “Awareness professionals are blind to the attacks and metrics managed by security operations,” he says. “They lack the cohesive processes and technology to share intelligence and augment detection and response capabilities.”
He says that modern teams should work in harmony, with effective training platforms that enable employees to hunt attacks that have infiltrated the organization and integrate that data into operations to mitigate the threats in real time.
“Extending awareness into the center of the security stack is a game-changer in how training is conducted and leveraged,” he adds.
Innovations in Training
Santos notes that over the past several years, simulated training has shown promise as a mechanism to learn new cybersecurity skills. Training offered through cyber ranges, for example, allows learners to experience simulated real-world scenarios and demonstrate applied knowledge and skills.
“Additionally, apprenticeships, while not new to the broader workforce, but relatively new as they apply to the cybersecurity workforce, is a proven approach to expanding cybersecurity talent,” she says.
She highlights the US Departments of Commerce and Labor’s recent partnership on a 120-day Cybersecurity Apprenticeship Sprint to promote the Registered Apprenticeship model as a way to develop and train a skilled and diverse cybersecurity workforce.
Moving to New Training Models
Kelly Albrink, Bishop Fox practice director for application security, points out that cybersecurity training has historically culminated in a multiple-choice test that relies on memorization.
“With the Internet at our fingertips, memorization is far less important than problem solving,” she explains. “So, training should be more focused on hands-on exercises that directly map to what real cybersecurity work looks like.”
She mentions her company’s Bishop Fox Academy, an internal training program to help people gain both technical skills and soft skills. “Bishop Fox is one of the few companies with actual entry-level roles for junior consultants,” Albrink says. “We have a formal mentor program that matches consultants based on their interests and specializations.”
She says that in earlier iterations of the mentor program, the company received a lot of feedback from both mentors and mentees that they wanted more structure and guidance on how to get the most out of the program, which led to the creation of a worksheet to help guide initial conversations. It included both “getting to know you” questions to help pairs build an immediate connection, as well as guidance on goal setting.
“We also understand that not every mentor match is the best fit so, 2-3 times a year we give people the opportunity to get a new match or extend their current pairing,” she adds. “I typically encourage people to have multiple mentors and receive mentoring on more than one topic.”
The Benefits of Upskilling
“When you upskill existing cybersecurity, staff you can cut down the learning curve within your organization and often fill gaps faster,” Ron Culler, vice president cyber learning officer at CompTIA, explains.
However, it’s not just existing cybersecurity staff that should be the focus — he says organizations should be looking across their workforce and at all its IT staff. “Many of these individuals have strong foundational knowledge of the organization,” he says. “They can be some of the best candidates to work in cybersecurity, simply because cybersecurity encompasses all aspects of an organization.”
Santos agrees that upskilling is an effective approach to filling talent gaps more quickly in an organization. “It utilizes the existing workforce, many of whom have transferrable skills that can be applied to a cybersecurity,” she says.
Cybersecurity Touches All Aspects of an Organization
CompTIA offers education, training, and certification options for individuals interested in working in cybersecurity and those already in the profession. Four certifications are specific to cybersecurity skills at different career levels — entry, mid, and advanced. Cybersecurity is also embedded in the company’s other certifications in networking, data, cloud computing, and other disciplines.
Culler points out that traditional approaches have often focused on individuals with a heavy background in technology.
“While this is still needed, cybersecurity encompasses much more than just tech,” he says. “Diverse experiences and skills are needed to fill gaps in cybersecurity roles throughout organizations.”
As he puts it, cybersecurity is not a technology issue, but rather something that touches every aspect of an organization.
Training the Next Generation of Hackers
From Albrink’s perspective, you can’t buy enough senior talent to meet the demands of the market. The only viable solution is to train the next generation of hackers.
“In terms of best practices, newcomers often want to learn everything and get overwhelmed,” she says. “If they pick two focuses, and those two things synergize well, they’ll be much better set up for success.”
She adds that learning in a vacuum, like simply reading a book or watching a video, doesn’t lead to good results. “I always recommend that you pick a hands-on project to apply what you’re trying to learn,” she says. “For example, every webapp hacker should build and deploy their own app.”
She says that gives you a much better perspective on how difficult it can be to put common defensive recommendations into practice and helps you to better understand the struggles that developers face.
More Flexibility, More Investment
Albrink says she’s seen a trend of publicly available training moving to a more on-demand subscription-based model. “This gives learners the flexibility to fit their training schedule to their busy lives,” she says. “So, instead of trying to knock out a red team lab in 30, 60, or 90 days, they get access for a year.”
The downside is the training has become a lot more expensive and out of reach for most people paying for it themselves.
Santos explains the US Department of Commerce supports a workforce development model, to include training, that leans on an employer-driven regional approach. “An employer-driven approach aims to ensure that the supply of cybersecurity talent is job-ready,” she says.
Culler agrees it’s important to invest in cybersecurity training now because cybersecurity threats aren’t going away or lessening. “We need a cyber aware and cyberskilled workforce for organizations to remain competitive and thrive in the current environment and into the future,” he says.
From Aalto’s perspective, the key word is “invest.” He points out that around 90% of breaches contain a human element, almost always initiated by a phishing attack, and yet only 3% of security budgets go to awareness.
“That imbalance tilts the advantage towards the threat actors, whose attacks get more relentless and sophisticated by the day,” he says.
In a risk landscape where cybersecurity is increasingly expensive and hard to get, and where regulations tighten all the time, it’s up to organizations to take a risk-based approach to protect themselves where they’re most vulnerable — their people.
“It works, if your training is done right,” Aalto says.