Organizations turn to in-house training to close cybersecurity skills gap

Real-time, real-world instruction makes up for lack of qualified job candidates

Organizations are finding that security professionals are ill-equipped to address evolving cyber threats head on.

There is a growing skills gap between what the industry needs and the level of capabilities available. So much so that only one in four candidates is considered qualified for each open position. Up to this point, enterprises have had no “choice” but to hire “the best” that they can get.

Frank Schettini, chief innovation officer at ISACA, an international nonprofit association of IT professionals in cybersecurity and IT governance, says: “Currently, the level of confidence within organizations that they can handle more complicated cyber attacks is 46 percent. This means that improving that percentage in a cost-effective, current and timely basis should be of paramount importance.”

For this reason, ISACA has launched its Cybersecurity Nexus Training Platform and Assessment Tool, which has several distinct advantages over traditional training solutions. While other courses are lecture or simulation based, this platform lets users tackle threats in a live network environment.

This latest addition to ISACA’s portfolio of resources aims to train current employees to a sufficient standard and keep them up to date on the latest threats. It provides participants with real-world knowledge and expertise.

As measures are developed to detect and respond to cyber attacks, new ones are created or old ones are repackaged and deployed. The key is to have cybersecurity professionals who have the underlying skills and competencies to handle whatever is presented. It also requires a commitment to ongoing training to ensure they stay up-to-date and have the right controls in place as well. Traditional teaching methods provide significant challenges in this area.

Efficient training for all levels

ISACA’s online platform has been designed for users of all levels. And instead of employees being away from the office to attend courses for several days, training can be accessed via a browser from anywhere in the world. This means that practitioners can bypass firewalls on company computers that block software installation or the use of flash drives.

“Many small and medium businesses cannot afford to ship someone off to a training class for a week. Now a course participant can work on it in off hours, and it [the training] can be done on any machine because there is no footprint,” Schettini says.

The CSX platform includes 100 hours of performance-based learning, divided between beginner, intermediate and advanced levels. It also features virtual versions of CSX’s three practitioner courses, the CSX practitioner boot camp and the cybersecurity fundamentals course.

“It’s a constantly evolving platform that’s growing over time,” Schettini says. The courses will be updated regularly and new ones will be added as the threat landscape evolves.

Expertise lacking as threats multiply

With cyber threats growing in number and severity, enterprises are focusing on building talented in-house cybersecurity teams to prevent and respond to threats quickly. But up to now, hiring competent talent and training current staff has been a challenge. Some 55 percent of U.S. organizations report that open cybersecurity positions take at least three months to fill, while 32 percent say it takes six months or more, according to a recent report from ISACA.

On average, a fifth of organizations get fewer than five applicants for open cybersecurity positions. And even if candidates were well trained coming into the job, their skills could quickly be made redundant by new and innovative attacks. To compound the situation, organizations have had to rely on training systems that are expensive and quickly out of date because cyber attacks are always innovating.

According to Schettini, the platform also has had the benefit of being a staff retention tool. So the attraction of an individual to an organization that already is a member of the platform, with new labs being introduced every quarter, is huge.

Another training option

Pluralsight, a technology training services supplier, offers another option. Its program enables employees to go online to access professional-grade training videos to train themselves and one another. Taking an online, “on-your-own” approach enables IT staffers to schedule training as needed and in sync with their operational duties. And when a refresher course is needed, a staffer can log in and get it immediately.

According to Gary Eimerman, Pluralsight vice president of IT Ops content: “You search for what the challenge is, pull up a lesson, and continue the evolution. You don’t have to go from beginner to advanced all in one sitting. It’s an as-you-need-it model.”

Offerings such as these are part of efforts to raise the competency levels of cybersecurity professionals. Schettini concludes: “We can get to a much higher level of comfort [past the 46 percent], though it is unlikely to be 100 percent given the amount of funding and backing available to the cyber hacking industry. Ultimately, it’s about equipping professionals and organizations with the skills to be better able to handle attacks.”
