Opinion

Cybersecurity experts can learn from their junior colleagues

How continuous learning can bridge the cybersecurity skills gap between junior and more seasoned professionals
By
Max Vetter
Cyber team

Recent findings from Immersive Labs revealed a rather surprising disparity in cybersecurity training between junior and experienced professionals. We are talking to Max Vetter, VP of Cyber at Immersive Labs, who discusses the potential risks of this disconnect and how businesses can bridge the skills gap and build a truly cyber-resilient workforce, across all positions. 

What issues are you seeing when it comes to training?

One of the biggest issues when it comes to cybersecurity training is complacency, particularly among more senior professionals. For example, we found that, on average, junior professionals were tackling and completing content 5% more challenging than their more seasoned counterparts. This clearly shows there are gaps and disparities between employees in their approach to continuous learning and development.

Diving deeper, we see this trend across various domains of cybersecurity. In application security, team members with less than two years of experience were narrowing the gap with their more experienced colleagues in terms of content difficulty. This problem is not just a departmental issue but an organisational problem. Senior professionals across different departments are showing a lack of urgency and motivation when it comes to upskilling, which sets a dangerous precedent.

Senior leaders are the ones expected to lead an organisation’s response to a security incident. However, they may not be keeping pace with new threats, and that reflects negatively on the business’s cyber resilience. These inconsistencies mean that businesses won’t be prepared to effectively deal with an incident when they’re targeted.

This lack of preparedness is also directly affecting the confidence levels of cyber leaders. We saw that 80% of leaders are uncertain whether their teams could handle an attack in the future. So, even though companies have heavily invested in advanced technologies to bolster their defences, a lack of workforce capabilities is still affecting their overall cyber resilience.  

Why is there a gap between junior and seasoned staff when it comes to training?

There is a clear lack of organisational focus when it comes to encouraging industry veterans to develop or upgrade their skills. There are several factors for this oversight, including human psychology and cyber culture. Organisations often fail to recognise the critical role of the workforce in effective threat response, which leads to prioritising systems and processes over individual training and development. 

Unlike systems, people can't automatically recover from setbacks. We’re prone to biases that impact our ability to detect threats and hinder effective responses during crises. For instance, overlooking critical threat factors or risk perception in order to align with our preconceived ideas or our previous experience. This is particularly true of more experienced staff, who might rely too heavily on their past experiences rather than seeking out new learning opportunities.

Moreover, the culture within many cybersecurity teams can inadvertently discourage continuous learning, particularly for seasoned professionals who are expected to already "know it all." This cultural expectation can create an environment where ongoing education is seen as unnecessary or exclusively for those new to the field. Consequently, this mindset contributes to the training gap, as junior members often engage more proactively with challenging content to prove their competence. 

Why is training employees around cyber threats so important?

The vast majority of cyber incidents today exploit human behaviour rather than technological vulnerabilities. In fact, the human element was the root cause of 74% of breaches in 2023. From phishing attacks to social engineering tactics, cybercriminals look to manipulate individuals and exploit human trust. Even, new AI threats, such as deepfakes, rely on tricking people.

People are just as important as an organisation’s sophisticated security stack. So, without developing a culture of awareness and building a resilient workforce, businesses can’t expect to improve their security posture, no matter how advanced their defences are. 

Organisations that integrate cyber resilience as a strategic focus not only bolster their defences against immediate threats but also achieve measurable improvements in reducing their risk exposure over time. This commitment to resilience transforms cybersecurity from a reactive action to a proactive strategy, significantly enhancing an organisation's ability to withstand and recover from major incidents.

Our research found that businesses that verified the skills of new talents (i.e. assessed the security team’s capability in realistic scenarios and strengthened executive decision-making in cyber crises) were ultimately most successful in increasing their cyber resilience. So, training employees at all levels is critical for effectively addressing the human-centric nature of cyber threats today.  There are plenty of online cybersecurity courses out there, so it shouldn't be difficult to find one that fits your needs. For one, there are Lumify Learn's cybersecurity courses and also Coursera's as well.

What do organisations need to do to provide effective training?

Effective cybersecurity training requires a holistic, comprehensive and strategic approach. I always recommend organisations consider a plan that includes five crucial steps. 

  1. Elevate cybersecurity to a strategic level: Make it a priority not just within IT departments but with the board and C-Suite executives. It must be integrated into the highest levels of decision-making. 
  1. Build a strong cybersecurity culture across the entire workforce: Create an environment where every employee understands their role in maintaining the organisation's defences. Businesses should promote best practices, encourage vigilance, and foster a sense of shared responsibility. 
  1. Be aware of overconfidence or complacency, particularly among senior staff: Experience is invaluable, but it doesn't grant immunity against the evolving threat landscape. Continuous skill development is essential for all staff members to stay ahead of new threats. Key Performance Indicators (KPIs) must be established that promote lifelong learning and ensure everyone keeps updating their knowledge and skills to effectively respond to cyber threats.

  2. Don’t be irregular in training: A workforce needs to continuously exercise and prove its capabilities to combat ever-evolving threats. Regular realistic simulation-driven cybersecurity drills should be conducted to identify skill gaps, assess the effectiveness of response protocols, and ensure that the workforce is prepared to deal with actual cyber incidents.

  3. Prepare both proactive and reactive measures: Addressing every stage of the cyberattack lifecycle is critical to ensure an organisation’s workforce is equipped to handle threats from initial access to exfiltration and beyond. This means establishing a robust training program that prepares the team for all stages of a cyber incident, thereby minimising potential weaknesses and enhancing overall resilience.

Adopting these strategies can help leaders to drive an organisation-wide culture for continuous learning and development. This will ultimately help businesses to fill the skills gap, build better workforce resilience and respond more effectively to the evolving cyber threats. 

Written by
Max Vetter