Security Think Tank: Getting the training and development mix right

What training do we need to provide to cyber security professionals to keep them ahead of the bad guys? And how do we retain talented security professionals in such a competitive recruitment market? These two important questions may seem different, but they are intrinsically linked. Both are connected to the statement we always hear at the start of a vendor pitch: “The cyber threat landscape is continuously evolving.”

The truth is, we rely on the fact that we work in an industry where a significant percentage of the workforce comprises highly driven, motivated individuals who finish work and then often sit and create, or try out, new tools. They investigate new sources, compete in ‘capture the flag’ events and debate in online forums. But this is not possible for all due to a myriad of reasons.

This level of dedication and constant casual learning can also make the career transition path pretty scary for some. Keeping up with innovations, technology and the ever-changing threat landscape is certainly daunting. However, there are now some fantastic resources available, many free, for cyber security professionals to train more easily and hone their skills, with certified proof.

One of the most important things we need to do as an industry is create the time, space, environment and budget to enable talent to continuously improve. Where some industries push continuous development for people to become more senior or certified, we in cyber security must also do this – because “the cyber threat landscape is continuously evolving.”

Personally, I love resources like Immersive Labs and Hack the Box. Why? Because they can quickly reflect the real threat landscape, with practical labs that can test both defensive and offensive skills against the newest techniques, quickly aligning an individual’s skills with real life situations.

Many of these platforms also align to career development and certification pathways – so the work is mostly done for us. That said, variety is the spice of life. There will always be a place for classroom-based, tutor-led, intensive training.

It is about getting the right recipe for the individual, which also helps with retention.

The psychological construct of the average cyber security professional means they put a lot of weight on their employers caring about their training, knowing they have a dedicated training budget and a detailed training plan set out for them. The more effort we put into our talent’s training and development plans, the more effort they will put into the role and our companies.

This does not have to cost the earth.

A training plan should not just contain big, expensive courses, but subscriptions to platforms, academies and even free online tutorials and webcasts, for example. Training offerings should not be a ‘one-type-suits-all’ scenario, we must be mindful that different people learn in different ways, and everyone benefits from variety.

While lab-based training, such as HTB and Immersive, has driven cyber security skills of late, and certification bodies such as Crest have made sure these skills are used in a safe, professional, ethical and legal manner, for the future, I am excited to see what virtual and mixed reality can bring to cyber security training.

Some of us are highly visual or auditory learners. Labs where we can learn with the help and support of friends or strangers, pointing at visual representations of networks and network traffic, will bring a whole new understanding and possibly even new people to our industry. This will also fuse the separation between classroom, tutor-led training and practical labs.

Also interesting is the evolution of AI-based chatbots, many of which have hit the news recently. There is the opportunity for these bots to act as tutors and ‘sounding boards’. This allows for students to ask questions, clarifications and seek advice, for example with script and ruleset development.

Overall, the training environment in cyber security is strong and continues to develop. What is more important is making sure individuals have the time, support, plan and budget to make it happen. Want to retain staff? Do the above. Want to be ahead of an evolving threat? Do the above.  Want to do the right thing about the individual and the industry? Then do the above.