If You Aren’t Making Security Workforce Training Real, You’re Doing It Wrong

Security Talent is a Precious Commodity

A growing gap between available qualified cybersecurity professionals and unfilled positions will reach 2.0 million by 2019. Even more staggering, 70 percent of organizations have low confidence that their in-house IT workforces have the right security skills to deal with today’s cybersecurity challenges.

As discussed in our recent perspective, Security Talent is a defining asset and top priority for leaders across industries and sectors. Understanding your unique talent challenges is key to defining and correcting the talent problem. We believe this understanding can be built with:


  • A skills-based approach with skills mapped to security disciplines
  • A plan designed around industry-specific requirements
  • Creative employee hiring, training, and retention practices focused on meaningful human engagement

Training is a critical element of activating, and preserving the sustainability of, a security workforce strategy. In this blog post, we focus on actionable training considerations that organizations can apply to build resilient teams equipped to face the growing threat of cyberattack.

No Train, No Gain

Having a skilled and well-trained security team is critical to many core functions, such as incident response. There has been a lot of progress in maturing ideas about training, such as NIST’s National Initiative for Cybersecurity Education (NICE) framework, to help guide curriculum development. But how does that translate into corporate training programs for the security workforce?
The NICE framework’s identification of tasks in work roles gives us insight into the specific knowledge, skills, and abilities (KSAs) necessary to perform cybersecurity tasks. These KSAs form the foundation of learning objectives that develop capability at both individual and organizational levels. A well-structured training program will utilize learning objectives as the building blocks, ensuring that each role or track of the curriculum delivers on the capabilities necessary to drive performance. For example, in the NICE framework, a resource specializing in Incident Response will need to be prepared to Protect and Defend. Specific tasks, knowledge, skills, and abilities are detailed to indicate the capabilities necessary to be effective.

Broken out across the seven key work categories outlined above, the NICE framework can be a great starting point to identify training needs or gaps, design activities to address role-specific learning objectives, and craft an end-to-end training experience that builds capabilities for areas of responsibility. Designing experiential learning journeys and simulations that include both development and maturity of skills is an important step to foster workforce/organizational readiness while building and developing confident cybersecurity professionals.

Making the NICE Framework Real through Training

According to Travis Paakki, the current Interim Senior Director of Technology for the Portland Public Schools district, “simulated capture-the-flag exercises are the only real way to test incident response knowledge and plans without putting organizational assets at risk.” Experiential learning is used to augment employee skill development traditionally obtained in classroom instruction and on-the-job training. Red team/blue team exercises are designed to simulate cybersecurity incidents, giving the security team opportunities to exercise learnings in real time while measuring their skills and abilities.

Ronald Kantor, Ph.D., a strategist in the security learning and development space, believes the business case for experiential learning is a critical component of any mature security program.

“Most companies and governmental agencies hiring cybersecurity talent directly out of university programs have discovered that these new hires lack practical experience and capability to apply theory in practice. Developing a standard experiential learning component that augments traditional, academic classroom instruction can also enhance certification programs of industry stalwarts like ISC(2) who offer security certification courses such as their CISSP or CCSP. This enriches the KSAs needed to perform today’s critical security team roles.”

A recent news report highlighted the addition of simulations to company training programs to augment instruction for their cybersecurity professionals:

“A growing number of so-called cyber ranges across the country are providing facilities [that]… allow participants to experience a real-world cyberattack in a controlled environment, an exercise that helps tech workers spot holes in their firewalls, identify warning signs and strengthen data-security practices.”

“The emphasis on these exercises is that they are a training event,” said Dr. Joe Adams, the vice president of research and cybersecurity at Merit Networks and director of the Michigan Cyber Range.

Whether it is a cyber range or an in-house training program that includes an experiential element, there are many great resources to help your team prepare for the next attack. Cultivating security talent is an important priority for security leaders, and designing a training program around key security skills can help. Novel approaches that balance experiential and classroom learning can engage learners in diverse ways, resulting in a stronger, better prepared, and more resilient security workforce.