In recent years, we’ve heard a lot about the global cybersecurity skills gaps and staffing shortages. The gaping talent gap of over 3 million open positions persists and remains a concern given how great a struggle it still is for those looking to break into the field.

Last year, I published research about the many roadblocks these prospective practitioners must overcome — stemming, most often, from rigid HR practices and prohibitively expensive early-career certification test prep. In this research, I urged security leaders and their peers in HR to rethink their reliance on security certifications (and degrees, for that matter) and invest in tools and processes to home-grow security talent. Often, this starts at hiring by taking a chance on internal and external candidates who don’t meet hard requirements but have relevant, transferable skills and the fire in their bellies to learn and grow in the security organization.

Remove Requirements Rigidity With CS&T Platforms

One of the recommendations I made in this research was to evaluate and invest in cybersecurity skills and training (CS&T) platforms. Forrester defines this emerging category of cybersecurity training tools as:

Online learning and simulation platforms used by organizations throughout the security talent management lifecycle to help individual practitioners and teams develop or refresh security skills.

For hiring and recruitment, CS&T platforms are enablers of unbiased skills challenges for candidates with or without preferred certifications or degrees. They are also a vital upskilling resource for team members preparing for promotion or exploring potential career paths in security as part of a larger succession planning program.

And for security teams, many CS&T platforms can deliver nail-bitingly realistic attack simulations in their org’s replicated environment, testing technical skills, documented processes, and communication to better understand organizational resilience.

For more information on this growing alternative to the once monopolistic certification industrial complex, check out my recently published overview of the CS&T market, The Cybersecurity Skills And Training Platforms Landscape, Q3 2023, to see how even some of those certification bodies are evolving to teach beyond the test. And stay tuned for our first ever Forrester Wave™ evaluation of this market, publishing before the end of the year!

What Skills Will Pay The Bills?

In my research into CS&T platforms, I found that, on average, most platforms are releasing courses or labs on a weekly or biweekly basis to help security practitioners and teams keep up with the barrage of vulnerabilities, exploits, and adversarial tactics affecting organizations. This kind of continual learning and hands-on practice of fundamental skills keeps security talent on its toes — and they have to be. They also have to acquire new skills as the threat and tech landscapes evolve beyond point-in-time test prep.

In my upcoming Security & Risk Forum session, “Skills S&R Programs Need In The Next Five Years Now,” I’ll lay out six security and risk skills that, as security leaders, you either need to 1) improve upon or take to the next level right now or 2) acquire net new right now to keep pace with attackers and AI. This session is part of our broader security leadership track, “Trust Demands Leadership: A CISO Playbook For Competitive Advantage,” which has sessions on cyber insurance, executive influence, and the important role that CISOs play in winning business with trust.

Upskill Yourself While You’re At It

In addition to my track talk, we’re featuring five “learn a skill” sessions throughout the event, starting on Monday, November 13. These interactive sessions, led by my colleagues, will include hands-on exercises designed to equip you with the skills needed to lead change within your organization, including:

And there’s no better way to gain knowledge as a security leader than from your peers. We’re hosting a series of Executive Leadership Exchange gatherings during the event, emceed by yours truly and focused on the sharing of best practices and insights between those who, regardless of industry, geography, and company size, share a common mission.

I look forward to seeing and speaking with you in Washington, D.C., on November 14–15! Register for the Security & Risk Forum here, and if you’re a client and want to discuss security talent management and my latest research on cybersecurity skills and training platforms, please reach out to set up a guidance session.