Closing the Gap Between Perception and Proven Cybersecurity Capabilities

Keatron Evans, the VP of Portfolio and Product Strategy at Infosec, explains how companies can close the skills gap between perception and proven cybersecurity capabilities. This article originally appeared in Insight Jam, an enterprise IT community that enables human conversation on AI.

Cybersecurity is the backbone of digital trust, from safeguarding critical data and user identities to defending systems in an increasingly connected landscape. But there’s a problem: the industry is in dire need of skilled workers; in fact, it needs 4.8 million more workers globally. Highly qualified talent is primed to successfully address challenges like the rapid progress of artificial intelligence (AI) and ongoing security breaches. 

To close the long-standing cybersecurity skills gap, a growing number of companies are offering various certificates, credentials, and training programs that help current employees and job seekers enhance their industry knowledge. However, it’s becoming overwhelming for hiring managers to keep track of all the different learning programs available and which ones build the real-world skills your organization needs.  

For organizations to truly understand a candidate’s skillset and experience, they have to go beyond credentials and ensure candidates can actually perform the required skills. So, let’s dive further into why validating security skills has been a difficult process, the risks employers face if they don’t understand the level of expertise candidates bring to the table, and the different approaches employers can take to verify said qualifications. 

Validating Cybersecurity Skills is a Challenging Process 

Employers generally agree on the specific skills that are important for the security field, like penetration testing, human risk management, and incident detection. However, not every course or certificate on the market teaches the same depth, level of skilling, or type of content. Some may just focus on understanding key concepts, whereas others dive deeper into applying, analyzing, and evaluating those same concepts. 

We’re seeing hiring managers continue to rely on tried-and-true standardized certifications like CompTIA Security+ and ISC2 CISSP to gauge a candidate’s knowledge. Now, as companies also require various accreditations for specific products and solutions–like Fortinet’s NSE (Network Security Expert) Certifications or Microsoft’s SC-200, for example–hiring managers must be more wary about the type of assessments these learning pathways entail, and how many of those skills candidates are proficient in.  

Additionally, as technology rapidly evolves, so do the tactics of those who exploit it. Threat actors are ahead of the curve—using new tactics like deepfakes and generative AI or new ways to exploit new tools like this recent campaign abusing Google Calendar to evolve their social engineering, phishing, scamming, and more. This means that security candidates’ skills must also keep pace, and employers must evaluate the skills of new hires and current employees on an ongoing basis. 

Making Skills Validation Frictionless  

According to Fortinet, more than half of technology leaders believe that some of the leading causes of security breaches stem from employees’ lack of necessary skills, training, and awareness–another example of why validating candidates’ skills is essential to ensure the cybersecurity workforce remains healthy.  

Thankfully, there are several tactics employers can leverage in skills verification, including:   

Utilizing AI to dive deeper into credentials

Every organization requires its workforce to have unique skills and experience. However, it can be challenging to narrow down what that expertise should look like to meet their security and business needs. Thankfully, there are AI solutions on the market that help organizations determine the top skills they need their employees to have, and flag existing cybersecurity skills gaps so that employees can embark on the right training opportunities. AI can play a pivotal role in validating those skills. For example, AI can look at how employees approach problem-solving and task-completion, and use real-world data to judge how employees perform and utilize their skillset. 

Understanding the expertise needed

Hiring and cybersecurity managers need to assess what the real need is. They’ll need to check for what is a priority in the short- and long-term for their teams to look for the specific expertise in candidates. It needs to be clearly positioned as titles and responsibilities usually vary between organizations. For example, SOC analysts in smaller companies may be well versed in open-source tools or limited SIEM setups. At the same time, those working at the enterprise level would be adept at more complex platforms and environments (e.g., diverse cloud environments or having more in-depth skills with platforms like Splunk or QRadar).  

Offering hyper-personalized training

In addition to researching the courses and learning experience cybersecurity candidates tout on their resumes, using AI tools can help map out highly specific skilling pathways for new hires. This ensures employees can immediately receive training that meets their needs and individual goals. This will help to effectively hire people that are also highly trainable for companies’ unique needs. This process will go beyond the interview by using data about a candidate’s current skillset and the responsibilities the open role requires. Hiring managers can use AI to determine what the candidate will need to learn if they step into the job and what learning resources their employer has readily available. 

Risks of Skipping Skills Validation 

As hiring managers scramble to fill open positions, skills verification often slips into an optional “nice to have.” This needs to change.  

Skills validation must be seen as an essential part of the hiring process because overlooking it can put the wrong people in charge of handling issues that are too complex or niche for their level of experience. In fact, forgoing skills validation can lead to several workplace and security challenges, including: 

• Underequipped workforce: Placing candidates in roles for which they lack the skills or expertise to succeed can dip productivity and morale, waste time, and potentially tarnish an organization’s competent reputation. 
• Increased security issues: Undertrained employees tend to let red flags and suspicious activity fall to the wayside. The outcome? Far more breaches with greater reach. 
• Setting a bad hiring precedent: If companies don’t develop a process for skills validation soon enough, they risk cementing poor hiring processes that will be harder to untangle later. This unnecessarily uses money, time, and other resources to fix preventable issues. 

Amid ongoing labor market volatility, increasingly expensive data breaches, and cybersecurity skills gaps in the industry, hiring managers must place a greater emphasis on skills verification and its ability to attract higher-quality talent.  

While skills verification may introduce an extra layer to the hiring process, it plays a critical role in reducing the risks of mis-hires. By validating their knowledge before entering a role, organizations can build stronger teams and decrease the risk of potential security issues while contributing to a more resilient security industry.