How to foster an upskilling culture for improved cybersecurity


30 May 2024


VP of cyber at Immersive Labs, Max Vetter argues for continuous learning to ensure cybersecurity teams are as dynamic as the threats they face.

As cyberthreats continue to evolve at breakneck speed, security professionals are expected to keep up and defend their organisations. Despite this, many organisations report feeling ill-prepared to face future cyberattacks.

A report by Immersive Labs unveils a surprising trend – junior cybersecurity staff are engaging with more challenging content than their seasoned counterparts, shining a light on a critical gap in skill development among industry veterans. This discrepancy may well be a contributing factor to the perceived vulnerability of organisations.

Identifying training gaps

There can sometimes be a complacency issue among seasoned professionals when it comes to training, which means they are falling behind junior colleagues. Our research shows that junior cybersecurity personnel are proactively engaging with content that is, on average, 5pc more challenging than the material tackled by their more experienced colleagues.

The underlying issue may be related to the cyber team culture, which often emphasises systems and processes over individual capability enhancement. Seasoned staff, possibly anchored by past successes, might not pursue new learning opportunities as vigorously, partly due to a workplace culture that views ongoing education as redundant for them.


This environment inadvertently fosters a training gap, as it encourages junior staff to seek out more challenging content to establish their competence, leaving a void in the collective knowledge and preparedness of the team.

So, it’s not just an issue of complacency; the commitment to continuous skill enhancement has been forgotten. Organisations are not fully recognising the vital role continuous learning plays in effective cyberthreat response. Such findings are an urgent wake-up call to all organisations about the importance of encouraging and developing the skills of their entire workforce.

Are you prepared for a cyberattack?

Staying abreast of the latest trends and threats is crucial. While this might seem obvious to some, there’s an observed tendency for some senior professionals to lag in keeping up to date with new challenges. This undermines the effectiveness of an organisation’s response to security incidents and casts doubt on its overall cyber resilience.

The key to building cyber resilience is to build the human edge. Despite pouring funds into cutting-edge security solutions, a staggering 80pc of cyber leaders remain plagued by doubt about their team’s capability to confront future cyberthreats. Moreover, 82pc concede that more robust preparation could have drastically reduced the fallout from previous cyber incidents.

So, what’s the bottom line? It’s clear that investing in technology, while essential, is insufficient without equally investing in the workforce. Cybersecurity isn’t just about having the latest tools; it’s about having a team that’s adept at using them. If the people aren’t prepared for a cyberattack, then, frankly, the business isn’t either. Organisations need to shift their focus to ensuring that their teams are as resilient and dynamic as the threats they face.


This mindset needs to be applied throughout the organisation. To enhance cyber resilience effectively, it is important that all team members, irrespective of their tenure, engage in continuous learning and adapt to the evolving cyberthreat landscape.

Getting prepared

To better prepare for cyberattacks, organisations must recognise and act on the critical importance of the ‘people’ aspect in cybersecurity. With the workforce’s behaviour being the root cause of 74pc of breaches in 2023, it’s clear that cybercriminals are exploiting individual vulnerabilities, often through phishing attacks, social engineering and increasingly sophisticated AI-driven threats such as deepfakes. This reality underscores the need to build a robust culture of awareness and develop a resilient workforce capable of identifying and mitigating such threats.

Training and educating employees at all levels become indispensable in building this culture. Organisations should focus on integrating cyber resilience as a strategic priority, transforming cybersecurity from merely a defensive posture to a proactive, strategic focus. This approach not only strengthens an organisation’s defences against immediate threats but also contributes to a significant reduction in risk exposure over time.

Here are some steps that organisations can take to foster an environment where ongoing education and vigilance are paramount.

Strategically reinforce cybersecurity defences

Organisations need to craft an all-encompassing training approach that transcends the boundaries of IT, embedding it deeply within the corporate governance framework. Elevate cybersecurity to a pivotal strategic concern that captures the board and C-Suite executives’ focus.

Cultivate a robust cybersecurity culture

Foster an environment where every employee is acutely aware of their role in protecting the organisation. Encourage vigilance and a collective sense of responsibility, creating a security-first mindset across all levels.

Challenge complacency

Address the hazards of overconfidence, especially prevalent among senior staff. Implement a continuous learning paradigm, driven by key performance indicators (KPIs), to remain aligned with the ever-changing cybersecurity threat landscape.

Ensure consistent and practical training

Shift away from sporadic training sessions to a structured regimen of realistic, simulation-driven exercises. Regular drills are essential to identify skill gaps, assess response protocols and maintain operational readiness.

Embrace proactive and reactive preparedness

A well-rounded training programme should cover all aspects of the cyberattack life cycle, from prevention to recovery. This prepares the team for diverse cyber scenarios and fortifies the organisation’s resilience, equipping it to tackle and thrive amidst the complexities.

By embracing a comprehensive and strategic approach to cybersecurity training, organisations can ensure that their defences remain robust, adaptive and capable of confronting the complexities of the cyberthreat landscape, thereby securing their digital assets and the trust of those they serve.

By Max Vetter

Max Vetter is VP of cyber at Immersive Labs, a cybersecurity platform that focuses on building cyber skills. He has 20 years’ cybersecurity experience in the public and private sectors across a range of online threats including hacking, cyber-stalking and fraud. He has expertise in ethical hacking, open-source intelligence (OSINT) and internet investigations specialising in darknets and cryptocurrencies.
