The ongoing cyber skills gap affects organizations worldwide and ultimately affects the entire digital economy. And cybersecurity changes and evolves at breakneck speed, which makes it harder to keep up with training and learning. On top of this, as remote work increasingly becomes the norm, and infrastructures become more distributed, the need for IT pros with up-to-date security skills and knowledge will continue to grow.
At Fortinet, a survey we conducted prior to the pandemic found that 76% of respondents agreed that the skills shortage has created additional risks for their organization. There simply aren’t enough professionals to fill the open positions, so organizations can’t completely cover their threat landscape. This skills gap has existed for years, and clearly needs new solutions. Solving this requires the industry to come together to create more cybersecurity pathways and a diverse pipeline of security professionals, but it also demands a culture of continuous learning.
The perpetual cybersecurity skills gap
There’s no shortage of statistics and information about the skills gap in security – while they differ slightly, the point is the same: the gap continues to grow, and it’s having a significant impact on organizations. A survey from (ISC)² in 2019 estimated that the number of additional trained staff needed to close the skills gap was more than 4 million professionals worldwide.
Respondents to the aforementioned Fortinet survey reiterated a widely known truth about the cybersecurity skills gap: this issue affects organizations everywhere. 68% of respondents reported that their companies struggle to recruit, hire and retain cybersecurity talent.
The need for continuous learning
Because cybersecurity technology and attacks continue to evolve, organizations don’t set up security measures once and then stop. As tools and techniques change, so must cybersecurity skills. The half-life of skills continues to drop – current estimates put the half-life of a professional skill at just five years, and it’s even shorter for technical skills.
New technologies and situations can introduce new attack vectors, while bad actors are enterprising and always looking for new and different ways to infiltrate the network. The shift to remote work and the rise of IoT devices are just two examples.
These examples illustrate why continuous cyber learning is essential. Without it, cybersecurity professionals fall behind and can be less effective in as little as three months. It’s a prerequisite of the industry to engage in ongoing education to stay proficient. Ongoing learning is also essential to career success.
With the cybersecurity field continually changing, certifications can be a valuable way to stay on top of the evolving threat landscape and enable those who lack a technical background to get the needed training to transition to a cybersecurity career.
What needs to happen next
Despite clear evidence of its need, continuous cybersecurity training is lacking. In a recent report from Enterprise Strategy Group and ISSA, more than half of respondents said their employer didn’t provide the cybersecurity team with the right level of training to keep up with business and IT risk. This likely means their organizations need to offer more or significantly more training for the cybersecurity team.
The industry has to come together to solve this skills gap. The corporate sector can cooperate with nonprofits and academic institutions to create new opportunities by providing training, certifications and mentoring.
A comprehensive training and education strategy needs to incorporate strategic partnerships within government, academia and non-government organizations (NGOs). For cybersecurity vendors, this is an opportunity for their subject matter experts to share their knowledge and vision with other thought leaders through public and private sector collaborations and prepare the next generation of cybersecurity experts.
That includes expanding the talent pool beyond the traditional set of candidates to create an equitable, diverse and inclusive pipeline of security professionals. This is achievable as private companies partner with academic institutions and nonprofits. Companies can make their training and certification programs available to a wider swathe of individuals who might not otherwise have access to these learning opportunities. Because the cyber skills gap is happening worldwide, the solution should be, too.
Stopping the skills gap insanity
Staying ahead of threats requires continuous learning, but the onus cannot rest entirely on employees. Leaders must create and instill a culture of continuous learning, empowering employees to get the training they need and making learning core to the company culture. In addition, companies must extend their training and certifications to the wider world, casting a larger net to create a more diverse and inclusive cybersecurity workforce. Partnerships with academia and NGOs will help in this endeavor. Without such efforts, the cybersecurity field will always get what it’s always gotten: too few workers, too many threats to respond to and insufficient network security.