Organizations turn to in-house training to close cybersecurity skills gap
Real-time, real-world instruction makes up for lack of qualified job candidates
By Melanie Grano, ThirdCertainty
Organizations are finding that security professionals are ill-equipped to address evolving cyber threats head on.
There is a growing skills gap between what the industry needs and the level of capabilities available. So much so that only one in four candidates is considered qualified for each open position. Up to this point, enterprises have had no “choice” but to hire “the best” that they can get.
Frank Schettini, chief innovation officer at ISACA, an international nonprofit association of IT professionals in cybersecurity and IT governance, says: “Currently, the level of confidence within organizations that they can handle more complicated cyber attacks is 46 percent. This means that improving that percentage in a cost-effective, current and timely basis should be of paramount importance.”
For this reason, ISACA has launched its Cybersecurity Nexus Training Platform and Assessment Tool, which has several distinct advantages over traditional training solutions. While other courses are lecture or simulation based, this platform lets users tackle threats in a live network environment.
This latest addition to ISACA’s portfolio of resources aims to train current employees to a sufficient standard and keep them up to date on the latest threats. It provides participants with real world knowledge and expertise.
Related story: Security awareness training gets a much-needed reboot
As measures are developed to detect and respond to cyber attacks, new ones are created or old ones are repackaged and deployed. The key is to have cybersecurity professionals who have the underlying skills and competencies to handle whatever is presented. It also requires a commitment to ongoing training to ensure they stay up-to-date and have the right controls in place as well. Traditional teaching methods provide significant challenges in this area.
Efficient training for all levels
ISACA’s online platform has been designed for users of all levels. And instead of employees being away from the office to attend courses for several days, training can be accessed via a browser from anywhere in the world. This means that practitioners can bypass firewalls on company computers that block software installation or the use of flash drives.
“Many small and medium businesses cannot afford to ship someone off to a training class for a week. Now a course participant can work on it in off hours, and it [the training] can be done on any machine because there is no footprint,” Schettini says.
The CSX platform includes 100 hours of performance-based learning, divided between beginner, intermediate and advanced levels. It also features virtual versions of CSX’s three practitioner courses, the CSX practitioner boot camp and the cybersecurity fundamentals course.
“It’s a constantly evolving platform that’s growing over time,” Schettini says. The courses will be updated regularly and new ones will be added as the threat landscape evolves.
Expertise lacking as threats multiply
With cyber threats growing in number and severity, enterprises are focusing on building talented in-house cybersecurity teams to prevent and respond to threats quickly. But up to now, hiring competent talent and training current staff has been a challenge. Some 55 percent of U.S. organizations report that open cybersecurity positions take at least three months to fill, while 32 percent say it takes six months or more, according to a recent report from ISACA.
On average, a fifth of organizations get fewer than five applicants for open cybersecurity positions. And even if candidates were well trained coming into the job, their skills could quickly be made redundant by new and innovative attacks. To compound the situation, organizations have had to rely on training systems that are expensive and quickly out of date because cyber attacks are always innovating.
According to Schettini, the platform also has had the benefit of being a staff retention tool. So the attraction of an individual to an organization that already is a member of the platform, with new labs being introduced every quarter, is huge.
Another training option
Pluralsight, a technology training services supplier offers another option. Its program enables employees to go online to access professional-grade training videos—to self-train themselves and one another. Taking an online, “on-your-own” approach enables IT staffers to schedule training as needed and in sync with their operational duties. And when a refresher course is needed, he or she can log in and get it immediately.
According to Gary Eimerman, Pluralsight vice president of IT Ops content: “You search for what the challenge is, pull up a lesson, and continue the evolution. You don’t have to go from beginner to advanced all in one sitting. It’s an as-you-need-it model.”
Offerings such as these are part of efforts to raise the competency levels of cybersecurity professionals. Schettini concludes: “We can get to a much higher level of comfort [past the 46 percent], though it is unlikely to be 100 percent given the amount of funding and backing available to the cyber hacking industry. Ultimately, it’s about equipping professionals and organizations with the skills to be better able to handle attacks.”
More stories related to cybersecurity training:
Scholarships aimed at closing cybersecurity talent gap
More organizations find security awareness training is becoming a vital security tool
Self-training programs for IT staff, execs effectively boost cybersecurity