Cybersecurity Training: From Money Pit to Modernity

Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Max Vetter of Immersive Labs marks out how to get cybersecurity training in enterprises from money pit to modernity.

When it comes to making informed, evidence-based decisions, proof should be a non-negotiable element. From court cases to professional sports teams to governing policies, to scientific studies, the proof is the grounding force that dictates the reality of our modern world. In business settings, in particular, professionals’ efficiency and productivity has to be proven.

Given this acceptance of proof as a necessary indicator of capability and an explicit jumping-off point to inspire drastic organizational change, it is strange that there is a notable lack of a consistent, enforced element of proof in the cybersecurity industry. With the costs of cyber-attacks rising exponentially, on average exceeding well over a million dollars, organizations can no longer ignore this lack of provability regarding workforce cyber resilience.

Often, if you ask cyber leaders how to prove that their staff is ready to deal with a cyber-attack, many will say they’ve done their cyber training. But it’s worth considering if simply clicking through a video and/or sitting through a days-long traditional training session is really evidence of preparedness for the next attack.

Traditional Training is Financially Unsustainable

Every high-stakes, the high-cost industry is built upon proof, which makes me wonder where the disconnect could be for the cybersecurity industry. The security awareness market was worth $1.8 billion last year and is set to grow to $10 billion by 2027, with in-person training often costing over $10,000 per person per week after factoring in course fees and travel costs. That’s big money we’re talking about, and with big money should come big responsibility and even higher standards.

Companies are inadvertently spending billions of dollars on this investment without being able to quantify its true worth with tangible data. Cybersecurity training boot camps can range from $10,000 to $18,000 per person. This hefty price tag often comes as a “check-the-box” completion approach rather than a legitimate roadmap of what an organization should do from there to continue strengthening its posture. Instead, organizations use their spending as a validator, rationalizing that their security must be equally elevated if their investment is high. This is a mistake.

CISOs and other security leaders know this mentality is not sustainable, as simply completing training does not prove training outcomes. Compliance regimes are similarly to blame, since proof that training occurred is often enough for organizations to be compliant, but isn’t representative of improved outcomes or increased overall cybersecurity.

Cybersecurity Certifications are a Feedback Loop

Other forms of proof are delivered in the form of a certificate of session attendance or by passing a “certified” exam, which is often as simple as a hundred multiple-choice, theory-based questions. As a cybersecurity instructor in my previous life, I know that earning a certificate or passing an exam has little bearing on capability in the event of a cyber-attack or the ability to secure your network proactively.

There is an inherent conflict of interest with pay-to-play cybersecurity certifications. Course attendees who spend thousands of dollars and miss days at the office will not accept a non-passing score. This attitude breeds a race to the bottom on standards required of technical experts, as well as the available training. In my experience, many of my class attendees were excellent cyber professionals, but proof of capability wasn’t achieved through certifications or symposiums–it came from ongoing real-world experience. It’s hard to believe that board members, CISOs, and other business leaders don’t feel the same way, and it’s just a matter of time before they realize their current approach is counterintuitive.

The Proof is in The Practice

Until executives and CISOs demand tangible proof of cyber capabilities, they will continue to burn budgets without truly increasing resilience against cyber-attacks. With the performative certifications and lessons already in place, it may seem difficult to add yet another element to an organization’s broader cybersecurity efforts, but getting a strategic pulse-check on their workforce’s current strengths and weaknesses, up-leveling human capabilities and resilience, and developing the right path forward will wind up being the most strategic and efficient initiative a CISO could put in place.

To truly assess organizational capability, executives must look to hands-on people-centric measurement methods, rather than standardized certification processes and programs. Just like all other performance-based aspects of the world, it’s crucial for leaders to have a clear picture of their teams’ abilities and to understand strengths and weaknesses. By gaining visibility into cybersecurity capabilities across teams, organizations can identify skills gaps, ultimately eliminating them with targeted, engaging material and strengthening their overall cybersecurity posture.