The widespread shortage of cybersecurity expertise is forcing many organizations to put new recruits on the proverbial front line before many of them are up to the challenge.
A global survey of 100 cybersecurity professionals working in enterprise IT organizations conducted by Cyberbit, a provider of a platform for training cybersecurity professionals, finds 41% use on-the-job training to train new team members. That compares to just over a quarter that provide access to security courses and 22% that make use of simulation-based training tools such as cyber labs, cyber ranges, or red vs. blue training.
Not surprisingly, only 45% of respondents said they felt their team was adequately skilled in intrusion detection, while even fewer (42%) said they adequately understood network monitoring.
As is the case in any crisis, new personnel are being pressed into service with inadequate training in the hopes that one day they will become hardened veterans. The trouble with that approach is, of course, that poorly trained workers are much more likely to suffer from poor morale. Each security incident that goes undetected for months exacts an emotional toll. One of the reasons cybersecurity turnover rates are so high is that many cybersecurity professionals become disheartened. The percentage of new recruits that eventually become invaluable veterans is relatively small.
Overcoming cybersecurity training challenges
The challenge, of course, is that access to training is no guarantee of future success. Cybersecurity threats are evolving faster than training programs can keep pace with. Nevertheless, some form of structured training will go a long way toward setting career expectations. No matter how talented any cybersecurity professional may be, there will always be days when the bad guys have developed some new technique that has never been seen before.
More challenging still, many of the skills that new recruits are being taught today are likely to become unnecessary in the months ahead as cybersecurity becomes more automated. Advances in, for example, artificial intelligence (AI) will not replace the need for cybersecurity professionals anytime soon. However, the bar in terms of the knowledge that will be required will soon be higher as more low-level tasks that allowed entry-level cybersecurity professionals to be trained on the job are simply no longer required. Entry-level cybersecurity tasks such as log monitoring, maintaining backups, and managing updates are all increasingly becoming automated.
Unfortunately, many human resources professionals are out of touch with what’s actually required to fill those positions. Instead of hiring a candidate willing to be trained, they post entry-level positions that, for example, require certifications that take years to acquire.
Only a third (33%) of the respondents to the Cyberbit survey reported that human resources recruiters for their company usually or always understand the requirements for working on a cybersecurity team. Additionally, 70% of respondents said that cybersecurity candidates are being assessed in the same way as other workers — through interviews — rather than using tools to assess their practical skills. The most important thing to evaluate when it comes to hiring cybersecurity professionals is always going to be attitude. After all, skills can be acquired by the willing and able. The most important thing is to determine as early as possible who has the fortitude to do the job not only as it is known today but also as it will inevitably evolve tomorrow.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.