It’s well known in the security industry that we are constantly beating the drum of the cyber skills shortage, and trying to pose solutions to the problem: from machine learning and automation to diversity and decreasing reliance on professional certifications.
These are all good options and certainly can work within the parameters of an ever widening cybersecurity skills gap, but we often forget that sometimes, the very resources we need are sitting right under our noses - with talent waiting to be discovered, nurtured or learned within our very own organizations.
Upskilling staff can prove a viable piece of the solution to the skills shortage, particularly when the nature of the education system is considered. By the time students are sent out into the wide world looking for employment, the curriculum is past its sell-by date. Not all of it, of course, but when thinking about how rapidly the threat horizon morphs and mutates, it is only natural that education institutions provide the basic foundational groundwork for students, leaving the deeper learning up to individuals.
This is a learning process that must continue throughout the employment lifecycle; and arguably, organizations would be well placed to recognize and encourage this in order to maintain a satisfied, knowledgeable and top-class security workforce.
So what has been holding organizations back? Competition has historically been fierce between government agencies, consultancies, vendors and enterprise all seeking the same high level of skilled professionals for their own gains. This narrow focus on getting the “best of the best” right off the bat means organizations of all types can overlook the ones with the right attributes, such as proficiency for investigative work and an eagerness to learn and absorb information.
Individuals are more able to learn on the job in a practical environment and upskill as they work, which does take a little more effort on the part of the employer, but it can pay off in the long run.
In addition, skills development has long been thought of a responsibility of an individual and this is where the real risk-based debates start to kick in. Organizations who take on the role of educator as well as employer may find that they are upskilling staff, only for them to walk out the door for better opportunities after they have become more marketable.
This is the real crux of the problem; naturally, organizations want highly skilled, highly trained staff – they just want someone else to train them. But if the industry as whole starts to operate with a more altruistic attitude to skills – if they truly are serious about finding solutions to the skills shortage as they say – then we’d find ourselves in a less bleak situation.
What about the benefits of upskilling staff? The greatest benefit of upskilling is that it can be adjusted to the most relevant skills an organization needs or prefers and the classes or certification schemes can be set accordingly.
For example, if an organization is making steady progress into microsegmentation, then having skills for that environment is essential. Skills for microsegmentation include, but are not limited to: security policy design, exception management, infrastructural mapping, cloud architecture, and risk analysis. Each of these can be developed with an apprenticeship model within the organization or can be formal with online or campus-based courses.
Another benefit, which perhaps is not as easy to quantify, is the sense of gratitude or loyalty that is generally felt on the part of the trained employee, as the company is seen to be taking his/her career progression seriously, and where employees see themselves as valued assets to the organization.
This could help overrule thoughts of taking those new skills to greener pastures; a sense of fulfillment and worth as an employee within an organization is no small thing to be taken for granted.
Upskilling current staff is not without its risks and it is indeed a balance organizations will have to carefully weigh up. There is also the fear of the unknown for the organization itself in that an employee could end up being grateful for the skills their employer has helped them to develop, but still evaluate themselves as being more desirable in the broader market.
In other words, even though they are happy and contented with the opportunity to learn on the job, they still leave. In the broad sense and for the good of the industry as a whole, personally, I would rather take that gamble.