The cybersecurity skills gap is nothing new, and the gap continues to grow. Given this expanding chasm between the current skilled workforce and the jobs—and requisite skills—of tomorrow, an argument must be made for prioritizing long-term learning alongside short-term productivity in any organization. As the cybersecurity field's surface area grows proportionately to the increasing attack surface of the modern world, staying abreast of this growth is not just a winning move. Staying ahead of threats is imperative.
Unfortunately, there is no silver bullet to solve this increasingly important problem, but this problem does present an opportunity—organizations must prioritize training and reskilling their workforces by implementing learning and development (L&D) initiatives. Implementing a successful L&D initiative in a team requires careful consideration, deliberate implementation and a growth mindset that embraces iteration. One way to do this is to implement a monthly Cybersecurity Learning Day.
Why Is Reskilling Necessary?
With the accelerating pace of technological progress, there has been a global sea change in the technology landscape: The cloud is the world's computer, artificial intelligence (AI) is ascendant, and cybersecurity is a factor in every technology decision.
Just as the cloud and AI have rapidly expanded the capabilities of organizations, cybersecurity too has evolved—mutated, even. Ransomware is a prevalent threat, zero trust is the identity and access management (IAM) paradigm of the future, and AI prompt injection attacks are coming into focus. None of these were on the radar a decade ago. To stay ahead of these continuing mutations in the threat landscape, a mindset of continuous learning is essential.
In addition to growing the skills of employees, a systematic approach that fosters a culture of learning and sharing can boost employee morale, engagement and productivity. There is also an inherent positive feedback loop: employees who feel their organization is invested in their professional growth are likely to be more motivated and committed.
Implementing Retraining—Who and When
In the tree data structure representation of an organization, learning and development can be driven top-down from leadership to individual contributors or pushed bottom-up as a grassroots initiative. The choice of approach varies based on many factors, such as the size of an organization and the growth mindset of its leadership and employees. The former approach allows for more strategic training as leaders often have visibility into further horizons than individual contributors. The latter approach is more grounded in the applied skills of individual contributors, as they are the boots on the ground dealing with the day-to-day deliverables and outcomes. They tend to have a unique perspective that has a smaller atomicity, often with a focus on tools and techniques.
As with most any positive change, consistency is key. Having a successful one-off learning or training program is not enough to continuously move the needle over time. It is necessary to have a repeatable set of smart learning goals with a predictable cadence that becomes part of the circadian rhythm of the team—goals the team looks forward to accomplishing and can reference when planning work and growth.
Developing a scalable rhythm is tricky: With a weekly schedule, there is the risk of running out of content or speakers in a few months. Training sessions that are held once a quarter are too far apart to promote shorter-term learning. A monthly rhythm, with an entire day of the month set aside as a Cybersecurity Learning Day, is likely the best middle ground.
How to Get Started
The visual, aural, read/write and kinesthetic (VARK) model categorizes learners into four main learning styles based on the primary senses utilized in learning. To effectively scale across a diverse workforce, the lineup in a Cybersecurity Learning Day should incorporate multiple types of media to ensure that everyone, regardless of learning style, benefits from the initiative.
For visual learners, who learn best by seeing and observing, a Cybersecurity Learning Day could include activities such as viewing presentations. These could be previously recorded cybersecurity conference talks or technical talks presented by other employees, which visually demonstrate hyper-applicable topics to the team. Visual aids can help these learners understand complex concepts and ideas more effectively.
Aural learners, who learn best by listening, can also benefit from talks. They can listen to speakers, absorb information and engage in discussions. The interactive nature of these talks can help aural learners grasp the concepts more effectively.
For read/write learners, who learn best by reading and writing, a Cybersecurity Learning Day may include activities such as book clubs and paper discussions. These activities provide opportunities to read about the latest developments in cybersecurity and engage in discussions with peers, which can help deepen understanding and retention.
Finally, for kinesthetic learners, who learn best by doing, a Cybersecurity Learning Day may include labs such as ad hoc capture the flag (CTF) exercises and syllabus-oriented learning. These hands-on activities provide opportunities to apply newly gained knowledge in practical settings, enhancing understanding and building skills. Teams can leverage labs and learning paths curated by talent assessment organizations that offer learning opportunities in offensive and defensive cybersecurity paths.
By catering to varied learning styles, a Cybersecurity Learning Day ensures that all employees, regardless of their learning preferences, may benefit from the program. This inclusive approach to learning can significantly enhance the effectiveness of the initiative and ensure that all employees are equipped with the latest knowledge and skills in cybersecurity.
A Framework-Driven Approach to L&D
To be optimally effective, a structured approach that energizes employees and instills a culture of collaboration is an essential component of a successful L&D strategy. The virtuous feedback loop that results can enhance the skills and brand of both the employees and the organization.
One such approach is McKinsey & Company's ACADEMIES Framework, which is a comprehensive approach that emphasizes the importance of continuous learning in today's fast-paced business environment.1 The Cybersecurity Learning Day initiative demonstrates tenets of this framework as it reinforces its key principles and objectives:
- Ensuring that the Cybersecurity Learning Day's goals and content are in alignment with the organization's business strategy empowers leadership to prioritize and encourage participation. For instance, they could institute a meeting-free day to allow employees to dedicate distraction-free time for learning.
- Co-ownership between business units and human resources (HR) ensures a stronger partnership with business leaders by utilizing a shared-responsibility model for the Cybersecurity Learning Day's success.
- An assessment of gaps can give learning coordinators a measurable baseline that planning and measurement can reference.
- With a clearer picture of a baseline and aspirations, Cybersecurity Learning Day coordinators can design learning journeys that cater to the varied VARK learning styles of employees.
- Once initiated, the Cybersecurity Learning Day initiative can execute and scale up the program to widen its impact across the organization.
- While the feedback loop with learners is essential to the success of the initiative, being able to measure the impact on business performance helps with continued leadership sponsorship and prioritization.
- Second-order benefits of the learning initiative may be unlocked by integration into HR processes. An organization that can demonstrate opportunities for continued career growth can help attract, onboard, grow and retain employees.
- The Cybersecurity Learning Day should help in enabling the 70:20:10 framework,2 as it slots nicely into the 10 percent of time dedicated for formally defined learning.
- To scale over time, the Cybersecurity Learning Day embraces learning management systems and learning technology applications. These platforms offer content across skill levels, learning methodologies and learning goals.
Conclusion
L&D initiatives need to be top priorities for a cybersecurity team, and the advantages of a Cybersecurity Learning Day are manifold. It ensures that employees are continually equipped with the latest knowledge and skills, enabling them to effectively combat emerging cybersecurity threats. It is a proactive approach to learning, which can significantly enhance an organization's cybersecurity posture. It can boost employee morale, engagement and productivity by providing a measurable sense of skill growth over time. It can also serve as a platform for knowledge sharing and collaboration, fostering a sense of community and teamwork among employees. In a field as complex and dynamic as cybersecurity, such collaboration can be invaluable in identifying and addressing potential vulnerabilities in a timely manner.
Endnotes
1 Brassey, J.; L. Christensen; N. van Dam; “The Essential Components of a Successful L&D Strategy,” McKinsey and Company, 13 February 2019, http://www.mckinsey.com/capabilities/people-and-organizational-performance/our-insights/the-essential-components-of-a-successful-l-and-d-strategy
2 Training Industry, “The 70-20-10 Model for Learning and Development”
ARJUN GOPALAKRISHNA
Is a senior software security engineer at Microsoft with more than a decade of experience in cloud and artificial intelligence security. His work has been instrumental in fortifying Microsoft's Azure platform against myriad cyberthreats. His expertise lies in developing and implementing robust security measures to protect cloud-based systems and data. His deep understanding of the cybersecurity landscape, coupled with his technical acumen, has made him a trusted figure in the field. He has presented numerous security talks internally at Microsoft. In addition, in 2021, he presented at DEFCON. Gopalakrishna's commitment to continuous learning and development, coupled with his passion for cybersecurity, continues to drive his contributions to the field.