Less than 30% of organizations have formal workforce development plans in place for their IT and security staff, according to Gartner.
With training consistently ranking among the most requested benefits by employees, especially those of younger generations, the lack of commitment to workforce development is particularly surprising.
This problem, of course, is not unique to cybersecurity. But because of the staggering lack of skilled, experienced cybersecurity job seekers, the failure to effectively train those already in the field has a more serious impact. A failure to train cybersecurity professionals can result in a failure to protect an organization and its critical data.
Fortunately, the industry appears to be changing course. Roughly half of security organizations plan to increase their budgets for cybersecurity training in 2020. If you’re in this group (and we hope you are), there are four important pitfalls to avoid as you transition from traditional training models to a high-performing workforce development program:
1. Relying on an Ad Hoc Training Strategy
With increasing pressure to wring every ounce of value out of the cybersecurity budget, many security leaders are faced with tough choices about how to divvy up available training dollars. This leads to one of several predictable but haphazard methods of assigning training to cybersecurity employees:
- The “Who Wants it Most” Model – When training is given to the employee who just won’t stop asking for training. Often times, without a formal plan in place, the employees who get sent off for training are the ones who talk the loudest, bring up the topic during performance reviews, or just generally ask for it the most.
- The “Please Don’t Leave” Model – When training is used to incentivize an unsatisfied employee to stick around a little longer. This may work in the short term, but it almost never has a meaningful impact on retention or your team’s actual performance.
- The “Plug the Hole” Model – When training is used to close a skill or technology gap, often at a hurried pace, before something bad happens. Like the “Please Don’t Leave” model, this can have some positive short-term impacts, but it’s not sustainable.
- The “What Happens in Vegas” Model – When training is used to reward high-performing employees. Las Vegas (and other vacation hot spots) have built a cottage industry of hosting security training. Why? Because many companies and employees view training as a “reward,” equal parts vacation and learning.
The issue with all of these models is that they simply don’t achieve any of the long-term goals of training. Training shouldn’t be a bribe, or a reward, or a precious resource to be doled out once a year – training should be about building new skills, gaining new experience, career development, and demonstrating an investment in your employees’ futures. It should be part of the day-to-day culture of your team, and it should align employees’ career goals with company objectives.
Building a cyber workforce development strategy that elevates training to the program level can be a game changer. It lets your employees know that there’s an expectation of constant improvement, that all employees are included, and that a culture of development has the explicit endorsement of company leadership. It also dramatically improves security outcomes – and isn’t that the goal in the end?
2. Under-budgeting for Talent Development
In most organizations, cybersecurity roles are among the most difficult to fill. There are few departments with a greater imbalance between available talent and open positions, few departments that experience change at a greater pace, and few departments with such stringent technical requirements.
These challenges necessitate a different approach to budgeting for training initiatives. Standard, HR-driven training budgets (often 1-3% of total annual salary costs) may not adequately fund complex, technical security training needs. Training for your security team is not a “nice-to-have” perk – it’s a “must have” for enterprise security, and it needs to be treated that way.
One financial consideration working in your favor, however, is the astronomical costs of recruiting, hiring, and onboarding new employees into your team. The Society for Human Resource Management (SHRM) reports that, on average, it costs a company 6 to 9 months of an employee’s salary to replace them. In many cases, doubling down on your commitment to developing your existing workforce can dramatically reduce turnover on your team, and with it the downstream costs that come with attrition. In LinkedIn’s recent Workforce Learning Report, 93% of employees said they would stay at a company longer if it demonstrated an investment in their careers.
Given those staggering figures, adding a few percentage points to your annual security team training budget makes strong fiscal sense. Regardless of the ultimate number, it’s important to discuss your training allotment during your annual budgeting cycle, ensuring that it is sufficient to equip your team to protect and enable the business.
3. Misunderstanding the Role of Certifications
Certifications are important – they’re a part of the fabric and culture of modern cybersecurity. Focal Point employees have them. Our clients’ employees have them. They’re often the culmination of years of hard work, experience, and late nights in front of a textbook. In many security teams, they’re also important rungs on the career ladder.
But what they’re not is just as important as what they are. Certifications are not evidence of skills. Most certifications on the market measure what a person knows, not what they’re able to do. And that’s a critical distinction.
In the early days of information technology, certifications were a shorthand way for employers (who knew very little about technology risks) to identify IT workers who could do the job. “I don’t know what he’s talking about, but at least he’s got a certification!” In too many organizations, certifications continue to play a similar role – too often taken as evidence of skills, rather than knowledge.
The industry is rapidly moving away from this approach. As dynamic skills testing (often hands-on practicals in lab environments) becomes more affordable and accessible, the strict reliance on traditional certifications will begin to wane.
Leading organizations can get ahead of the curve now by prioritizing student assessments, both for new hires and existing employees, that measure skills and abilities in addition to knowledge.
4. Pushing One-Size-Fits-All End User Training
Up until this point, we’ve focused primarily on the roadblocks to effectively developing your cyber workforce. But the challenges extend well beyond the SOC.
Fortunately, most organizations have adopted some form of security awareness training – often annual, short, and generic. This type of awareness training is a useful baseline for many employees, reminding them of the hazards of clicking suspicious links, trusting unknown email senders, and putting your credentials where they don’t belong.
But it’s not sufficient for all populations of end users. There are many teams within your company that likely require more advanced cyber training to effectively manage their job functions. All should be considered as part of a holistic cyber training program.
- IT Operations – IT resources need more security training than the average employee, but likely less than your security team. Finding a good middle ground for your IT team is critical, particularly if you (like many companies) hope to one day build a talent pipeline from IT into the cybersecurity organization.
- Internal Audit – Auditors are increasingly being asked to assess a broader range of processes, policies, and governance issues related to cyber and privacy risk. To effectively provide that oversight, these employees may need supplemental training on cyber risks, technologies, and threats that are relevant for your organization.
- Executives – Your executive team must have a baseline understanding of the cyber threats facing your organization and the strategies you’ve employed to counter them. If they lack that understanding, security leaders must prioritize a cyber education plan for the executive team. Finance, risk, and functional leaders all have specific roles to play in funding, managing, and operationalizing your security program, while other executives (including the CEO) have important oversight and reporting obligations.
End-user awareness training is critical to enterprise security, as is technical training for your cybersecurity employees. But don’t discount the importance of the training in between.
Well over half of cybersecurity professionals plan to work in cybersecurity for the rest of their careers, but they also say unclear career path opportunities and a lack of knowledge about cybersecurity skills needs within their organizations are holding back their career progression. These factors also limit what security teams are capable of and can put organizations at risk.
Cybersecurity is led by professionals who are passionate about their field and about expanding their skills and knowledge. The organizations that employ them have the opportunity to invest in them and see immense, rapid change within their own security capabilities as well as the industry.
To see this change, cybersecurity leaders must shift their approach from an ad-hoc training to a well-planned cyber workforce development program, which will help their employees build successful careers and improve the security posture of the entire organization.
Want more cyber workforce guides and insights?
Subscribe to Focal Point's Risk Rundown below - a once-a-month newsletter with templates, webinars, interesting white papers, and news you may have missed. Thousands of your colleagues and competitors have signed up! You can unsubscribe at any time.