Jun 5, 2023

4 Essential Strategies For Enterprise Cybersecurity Workforce Development
In our most recent webinar, we were joined by Jeremiah Roe, Field CISO at Synack. Paul Griffin, OffSec’s Head of Customer Success led the conversation about the cybersecurity talent gap and how it continues to present significant challenges for organizations across industries.

Some of the key statistics shared indicate that the shortage of skilled professionals has adverse consequences on organizations globally.

Fortinet’s 2022 Cybersecurity Skills Gap report found that 60% of organizations struggle to recruit cybersecurity professionals, and 52% struggle to retain them. Additionally, 80% of organizations suffered one or more breaches they could attribute to a lack of cybersecurity skills last year.

All of this proves that it is crucial for organizations to adopt strategies that foster the growth and development of their cybersecurity workforce. During the webinar, Paul and Jeremiah revealed four essential strategies that can help organizations address the talent gap and build a robust cybersecurity workforce.

Strategy 1: Identify Skills and Knowledge Gaps

During the webinar, Paul and Jeremiah emphasized the importance of conducting a thorough assessment to identify skills and knowledge gaps within the existing cybersecurity workforce. This involves creating a comprehensive skills inventory, evaluating certifications, and assessing practical application through simulations or real-world scenarios. “Having an ability to use an environment that’s kept up to date is pivotal in managing skills for your team,” shared Jeremiah.

By pinpointing specific areas of improvement, organizations can tailor their training and development programs to address these gaps effectively.

“In this industry, the moment you stop training and developing your skills is the moment you become ineffective. Technology is constantly evolving and increasing, new things are being released on a daily basis, and if you’re not keeping up, you become ineffective.” – Jeremiah Roe

Furthermore, organizations should establish mechanisms for ongoing evaluation and determination of job requirements. Red teams and penetration testing teams play a vital role in this strategy, as they possess specialized skill sets that differ from those of traditional security roles. Categorizing skills and aligning them with the appropriate job requirements ensures that the right individuals are in the right roles, optimizing the effectiveness of the cybersecurity workforce.

Strategy 2: Instill Adversarial Thinking

The webinar highlighted the significance of instilling an adversarial thinking mindset among cybersecurity professionals. Encouraging individuals to identify flaws in systems, networks, and applications, and employing attacker methodologies helps in proactive threat detection and prevention. This mindset fosters a “try harder” approach, where professionals persistently explore new perspectives and innovative solutions.

“If you can gain the opportunity to learn from a failure, or failing forward, then you can get better.”

By embracing this mindset, organizations can enhance their ability to identify vulnerabilities and fortify their defense mechanisms.

Implementing the Cyber Kill Chain, a seven-step process developed by Lockheed Martin to help organizations identify and stop malicious activity, starting from Reconnaissance and culminating in Actions on Objectives, can guide professionals in their approach to cybersecurity. This process can be taught through specialized training programs and hands-on certifications such as the Offensive Security Certified Professional (OSCP). These certifications validate practical skills in offensive security techniques, equipping professionals with the knowledge and mindset needed to combat evolving cyber threats effectively.

Strategy 3: Allow Your Team to Fail, Safely

Creating a safe environment for failure was another key topic discussed during the webinar. Organizations should provide controlled environments, such as lab environments or dedicated training platforms, where professionals can conduct offensive exercises and simulations. These exercises allow professionals to explore new techniques, identify weaknesses, and learn from their mistakes without compromising the organization’s security.

It is essential to celebrate failures as opportunities for learning and development. By embracing a “fail forward” culture, organizations encourage professionals to take risks, explore new ideas, and push boundaries. Through failures, professionals gain invaluable insights into weaknesses within people, processes, and procedures, enabling organizations to address these vulnerabilities and improve their overall security posture.

To promote collaboration and mutual learning, organizations should facilitate interactions between red teams and blue teams. Red teams simulate attackers, while blue teams defend against their attacks. This collaborative approach helps identify gaps, refine defensive strategies, and strengthen the overall cybersecurity capabilities of the organization.

Strategy 4: Engage in Continuous Development

In the rapidly evolving landscape of cybersecurity, continuous development is essential for professionals to stay ahead of emerging threats and vulnerabilities. Organizations should establish a culture of ongoing learning and provide resources and opportunities for continuous development.

Jeremiah shared that investing in reputable training programs, such as OffSec’s training, can provide professionals with the necessary skills and knowledge to tackle advanced threats effectively. These training programs often involve hands-on exercises, allowing professionals to apply their knowledge in realistic scenarios. Additionally, organizations can promote knowledge sharing through initiatives like lunch and learn sessions, where employees can present and discuss new findings, techniques, or experiences.

“As part of continuous development, enterprise organizations should provide teams with access to resources, knowledge bases, experiences, buddy systems, whatever it may be, somewhere where they can learn, develop and practice on a continuous basis.” – Paul Griffin

Continuous development can be further encouraged through participation in hackathons, industry conferences, and events like Synack’s “Exploits Explained” panel at RSAC. These platforms facilitate networking, expose professionals to diverse perspectives, and encourage collaboration within the industry.

Measuring Success in Continuous Development

Another key topic discussed during the webinar was how to measure the effectiveness of workforce development efforts, which requires a holistic approach. Organizations should set specific goals and track the progress of individuals in upskilling. This includes monitoring the acquisition of new certifications, completion of training programs, and involvement in hands-on exercises.

To assess the impact of training on operational effectiveness, organizations can track the short-term reduction of risk through the discovery of more exploits and vulnerabilities, and the long-term reduction in overall vulnerabilities found due to a strengthened security posture. They can also evaluate cost savings achieved by upskilling existing employees instead of relying solely on external recruitment. Monitoring the ability of development teams to bridge gaps and address security challenges can provide insights into the overall effectiveness of workforce development initiatives.

Conclusion

The webinar provided valuable insights into strategies for closing the cybersecurity talent gap. By identifying skills and knowledge gaps, fostering an adversarial thinking mindset, embracing failure as a learning opportunity, and promoting continuous development, organizations can build a skilled and resilient cybersecurity workforce.

It is essential for organizations to prioritize workforce development efforts, as they not only address the talent shortage but also strengthen the overall security posture. By adopting these strategies, organizations can proactively address emerging challenges, fortify their defense against evolving threats, and ensure a secure digital environment.

Remember, the journey to close the talent gap is an ongoing process, requiring continuous adaptation and learning. By leveraging these strategies, organizations can bridge the cybersecurity talent gap and protect their critical assets and reputation in an ever-changing threat landscape.

Download the infographic for a summarized look at these 4 crucial strategies for cybersecurity workforce development.