The widening gap in cybersecurity skills is among the biggest threats confronting IT enterprises. It's being felt throughout companies in practically every sector around the globe, with about three-quarters of organizations in a 2020 Stott and May cybersecurity survey saying the shortage is affecting them. While organizations are striving to recruit and retain cyber talent in a number of ways, they can also close some of that gap by giving their current cybersecurity personnel better skills for dealing with cyberattacks. Enterprise decision-makers need not focus so much on the quantity but the quality of training, by "skilling"-- that is, giving cyber personnel firsthand experience through the use of live-fire cybersecurity exercises.
An argument for cyber skilling
A lack of sufficiently trained cybersecurity professionals exists across the board but is most severe among cyber analysts who are new to their position -- 100% of whom will face their first actual cyberattack while on the job in a security operations center (SOC). And they won't be prepared for it.
University courses, external programs and even a lot of in-house training programs within enterprises are largely based in theory over practice. These individuals learn about cybersecurity tools, tactics and the threat landscape, but they're not given team-driven experience with real-world situations that would allow them to build holistic skills -- both hard skills rooted in technical expertise, and soft skills, such as effective communication and leadership -- that would help them deal with a crisis. This training gap may lead to ineffective response, remediation and recovery or even an attack going undetected, unidentified and therefore unmitigated.
A recent Cyberbit survey of analysts who are engaged in cyber skilling -- who vary from holding less than a few years’ experience to 10+ -- found 65% reporting that, at most, 50% of applicants are qualified for the positions they are applying for. Further, 67% of them say that HR departments only occasionally understands the requirements to work in a cybersecurity team. Significantly, 70% of those working in SOCs say they were never given a quiz or simulation before they were hired. Their interviews were entirely verbal. They never had to prove they could do what they said they could before being hired in a cybersecurity role. And 41% said they received all their legitimate training by navigating real breaches while on the job.
The struggle of theory vs. practice for cybersecurity skills
Whether SOC analysts come from college or from another IT-related job, they often have no real-world experience responding to an actual attack. Even in programs where they receive some hands-on training, it's individualized -- they learn how to use a tool, but not how to use it in a real-world setting that often mixes dozens of security products, and not while working with a team.
That failure on the front lines can ricochet around an organization, affecting other processes, ranging from onboarding time and assessments to productivity and morale, all of which can further put an organization at risk. A recent survey conducted by Fortinet found that 73% of organizations reported having at least one intrusion or breach over the previous year that could be partially attributed to a gap in cybersecurity skills, and almost half (47%) reported as many as three such events.
Organizations should offer live-range "skilling" of their cyber personnel that reaches beyond traditional training. Training could be described as teaching someone the components of a job to help them become qualified for the task. And it's fine as far as it goes. But skilling goes further, giving them a learned power to perform the task competently, developing their aptitude for a physical task as well as the personal dexterity to perform that task in coordination with others -- all in a safe, low-stakes environment. The way to do that is by making live-fire exercises an essential part of their training.
Into the fire: Providing simulated exercises for cybersecurity professionals
In live-fire exercises, participants face simulated-live attacks from malicious actors and they have to counter them in real time. It reduces the "first attack experience" they otherwise would have to face when they're new to the job. The exercises not only give users the look, feel and sense of urgency of a real-world attack, they also help candidates develop the skills they'll need to successfully respond to and remediate an attack -- whether it be something like a DDOS onslaught or a more subtle data-exfiltrating exploit.
Skilling exercises allow analysts to develop hard skills, such as technical acumen and a solid understanding of their environment, as well as the too-often overlooked soft skills, such as working effectively with a team, staying calm under pressure, or confidently adapting to changing circumstances. Being the most knowledgeable member of a team doesn't count for much if the individual doesn't know how to interact with other team members.
Employees respond positively to such skilling. Participants in a recent ESG research report, when asked whether hands-on experience or security certifications were most important to their career development, underscored the advantages of first-hand knowledge. Just over half (52%) chose hands-on experience, and another 44% say that hands-on experience and certifications are equally important.
Readying your cybersecurity team for the real world
As seen in the Fortinet survey, which found that cyber pros see many benefits in certifications, a lot goes into training cybersecurity specialists, including certifications. But there is still no substitute for experience. SOC analysts can get that experience either through live-fire skilling exercises in preparation for the job, or by being thrown into the fire fully live, when networks, sensitive personal information or enterprise data -- in short, an organization's lifeblood -- is at stake.
Real-world, live-fire cyber skilling must become an essential part of the cybersecurity education curriculum and on-the-job training for enterprise security teams. It can be thought of as an equivalent of the simulated training that the military or police go through before taking the field. People in quite a few occupations are well aware that education can get you a job, but you don't really learn the job until you do it. But in the case of cybersecurity, there's too much at stake to go in without experience. Live-fire skilling empowers employees, so when they do experience their first attack while on the job, they're ready and able to respond.
About the author
Adi Dar, CEO and founder of Cyberbit, is an experienced cybersecurity leader and chief executive who has repeatedly led the development and launch of successful products and services in highly competitive markets. Prior to founding Cyberbit, Dar was CEO of ELOP (Israel's largest Electro Optics company and a global leader in this market), where he led the company's growth to over $500 million annual revenues and 1,800 employees. During this period, Dar also served as an Executive VP at Elbit Systems, Israel's largest defense company as well as a chairman and board member of numerous companies. Notably, Dar founded and managed the Intelligence and Cyber division at Elbit for two years. A veteran of a Military Intelligence unit, Dar holds a B.Sc. in industrial engineering from the Technion and an MBA from Tel Aviv University.