Mitigating security risk with continuous employee training and development
Category: Best practices, Professional development
October 22, 2019
The cybersecurity skills gap is one of the most pervasive security challenges facing organizations across the world. From basic employee security awareness to underdeveloped technical competencies like secure coding, it’s clear that employees in nearly every sector and role are not getting enough ongoing cybersecurity education to protect sensitive data at their organizations.
Earlier this month, Infosec surveyed 180 IT and security pros about the challenges they face in developing and retaining their organization’s cybersecurity talent, how they track the impact of training, and the critical but non-traditional security skills they prioritize the most.
Read on to explore key findings from Infosec’s Fall 2019 Cybersecurity Skills Gap Survey.
Organizations struggle to keep up with changing demand for new security skills
When asked what challenges they face developing and retaining cybersecurity talent, 54% of all respondents ranked “keeping up with the changing demand for new security skills” as the top concern facing their organization.
A closer look at responses by organization size reveals interesting insights:
- Small organizations struggle to fund training and allocate adequate staff time: With smaller team sizes and even smaller resource pools, organizations with fewer than 1,000 employees are having difficulty finding the time and money to fund cybersecurity training.
- Large organizations impacted more by employee attrition: Following “keeping up with the changing demand for new security skills,” the top-ranked employee development challenges at large organizations directly correlate to employee attrition and transition. This may be due to two factors:
  - 62% of respondents from large organizations (1,000 or more employees) have more than 25 employees on their IT and security teams, compared to just 11% of small organizations. With larger teams, employee attrition and transition may occur more frequently.
  - Large organizations typically compete for talent in tighter, more established labor pools, and experience greater competitive pressure from recruiters.
- Large and small organizations not concerned with skill erosion: Interestingly, “skills attrition or obsolescence” was ranked last by all respondents regardless of their organization size — with just 17% reporting this as a top concern. Previously acquired skills still need development, especially if infrequently used. This finding suggests organizations may be hyper-focused on developing new skills and less concerned with preventing erosion of existing capabilities.
Top skills gap related challenges by organization size; n=156
Risk management, communications and project management important emerging skills
Security leaders are placing more emphasis on non-traditional security skills like communication and leadership — and for good reason. These critical skills help get buy-in for major security initiatives and ensure important stakeholders understand the business value of wider-reaching security initiatives like security awareness and training.
When asked what non-traditional skills or competencies are important to developing and retaining cybersecurity talent, respondents ranked risk management (66%), communications (49%) and project management (41%) skills the highest.
Most important non-traditional skills; n=155
While the majority of responses did not vary widely by organization size, two interesting outliers emerged. Respondents at smaller organizations were more likely to place importance on ethics and leadership than those at larger organizations. This could be due to organizational maturity, or a reflection of the more distinct functional units dedicated to developing these employee qualities often seen at larger organizations.
Investments in employee development return real business value
Effective investments in IT and security require similar, large-scale investments into the teams responsible for their implementation, maintenance and optimization. Google co-founder Avinash Kaushik recommends investing $90 in employees for every $10 spent on technology. While this might seem aspirational to many, investments into employee training and development will increase returns from your technology spend — while also preventing costly losses from preventable security incidents.
Respondents in our survey share similar perspectives when it comes to measuring the value of training investments. Below are the top six metrics respondents use to tie business value to employee training (multiple selections allowed).
Measuring the business value of training; n=150
Where does training fit into your security strategy?
Regardless of the cybersecurity challenges facing your organization, ongoing employee training and development will help bridge your team’s skill gaps and mitigate business risk. Considering that the root causes of most major breaches stem from employee knowledge gaps, it’s easy to see why an effective security strategy should include cybersecurity training for everyone at your organization.
From basic password security to patch management best practices, it’s important to remember that you can’t have security without first investing in your employees’ cybersecurity skills. Starting your plan with a role-based risk assessment — which employees have access to what, and what do they need to know to protect it — will help you build and optimize an employee development program that yields measurable business value.