CyberSecurity SEE

Upskilling the Non-Technical: Finding Cyber Certification and Training for Internal Hires.

With the ongoing shortage of skilled cybersecurity workers in the job market, finding qualified staff to replace vacancies or build out an expanding team can be a daunting task for Chief Information Security Officers (CISOs) who are already overburdened. However, one alternative they can consider is to look inward, instead of outward, to find capable, smart people already working at a company in other areas and train them to fill roles on the cyber team.

The benefits of upskilling employees over hiring new ones are numerous: current employees don’t need to adjust to the corporate culture, they have institutional memory, they have relationships within the company, and they’re already in the human resources channel. The drawback is their lack of training and certification, but that’s a small price to pay for gaining a talented team member.

Pam Nigro, vice president of security for Medecision, is an advocate of upskilling non-technical workers with complementary skills to extend her security team. In her previous job at Health Care Services (HCSC), she cross-trained employees who worked in audit and vendor relationship management to staff up a new third-party risk management program. After passing internal security fundamentals training, they received HITRUST certifications and were able to begin validating third-party vendor compliance.

Training the non-technical is only the beginning.

“At HCSC, we developed a career path for upskilling and recertifying employees with complementary skills, and I’ve carried that to my current job. Now my partners from IT and networking work with me on cross-training to move people forward,” Nigro says. Certification is part of the employee upskilling journey, she says, “but I never look at the certification as the end of skills building, I look at that as the beginning and a foundation to build on.”

Moreover, Nigro is an adjunct professor at Lewis University, where she teaches graduate-level security, risk, and governance courses. She is also board chair and vice president at ISACA, where she teaches the Cybersecurity Fundamentals course, specifically designed for upskilling people with no security background. It’s part of a larger set of certificates required to earn the more advanced Information Technology Certified Associate (ITCA) certificate that requires passing tests in five fundamentals: computing concepts, networking and infrastructure, cybersecurity, software development, and data science.

According to CompTIA’s Workforce and Learning Trends Survey, released in April 2023, 75% of respondents said they plan to increase the scope of their talent mobility programs and processes through increased training and certification. “Broadly speaking, this is a strong option for a lot of companies trying to solve their supply/demand skill imbalance,” says Seth Robinson, VP of industry research at CompTIA. “There are circumstances where you can take someone who’s not in a technical job and, with the right amount of training, you can get them to work in security. But they’d start at a foundation level and if they show strong aptitude they can advance to higher-level security and compliance roles.”

As more organizations seek to upskill employees to grow their security teams using internal talent, there are a variety of certifications and career paths available to employees depending on how their existing skills can align with different security roles. To be successful in upskilling non-technical employees into security roles, it’s important to properly map that pathway, advises Diana Kelley, CISO at Protect AI and founder of Security Curve, a cybersecurity advisory.

“If you are moving people into technical security from other parts of the organization, look at the delta between the employee’s transferable skills and the job they’d be moving into. For example, if you need a product security person, you could upskill a product engineer or product manager because they know how the product works but may be missing the security mindset,” she says. “It’s important to identify those who are ready for a new challenge, identify their transferable skills, and create career paths to retain and advance your best people instead of hiring from outside.” In most types of upskilling situations, Kelley recommends the CompTIA Security+ certification, which has no prerequisites, although students would benefit from having a basic understanding of computer networks, perhaps starting with the A+ or Network+ certifications, which are mapped in CompTIA’s career pathway.

The SANS Institute also has several courses geared toward upskilling employees who are new to cyber, including the new GIAC Foundational Cybersecurity Technologies certification, and the GIAC Information Security Fundamentals certification. SANS also has introductory classes for digital forensics and cloud computing. The latter is among the hottest training tracks in demand today, says SANS curriculum director Rob Lee. He also notes that for upskilling, there are niches within niches, for example, cloud architecture or cloud pen testing, and specific cloud environments such as AWS, Azure, or Google.

Specialty training can be key when upskilling. Other specialty areas include security skills for ICS or SCADA systems, as well as financial system auditors. To transfer skills to the specialty areas where talent is needed, Lee recommends using the SANS cyber talent skills assessments, which cost $200 each. “SANS cyber talent assessments provide managers with the ability to identify their team skills, performance, and training investment,” Lee says.

While upskilling and certifying existing employees would help the organization retain talented people who already know the company, Deidre Diamond, founding CEO of cyber talent search company CyberSN, cautions against moving skilled workers to entry-level roles in security that don’t pay what the employees are used to earning. Upskilling financial analysts into compliance, either as a cyber risk analyst or a GRC analyst, will require higher-level certifications, but the pay for those upskilled positions may be more equitable for those higher-paid employees, she adds.

In addition to the obvious certification bodies, there are a wide variety of other training programs to prepare non-technical employees for work in cybersecurity. For example, look to economic mobility programs, such as the Ventura County Digital Upskilling Training Program. The state-funded pilot program led by the Economic Development Collaborative (EDC) provides free certification training to local businesses, including CompTIA A+ and Security+ certifications. Additionally, critical infrastructure Information Sharing and Analysis Centers (ISACs) provide training courses for their member companies.

The UK’s Department for Science, Innovation, and Technology (DSIT) and the SANS Institute announced the second iteration of the Upskill in Cyber program to help UK professionals make a career change into cybersecurity. The program lasts 14 weeks and offers free training and advice to support UK workers looking to forge a cybersecurity career. Training is also available through cybersecurity boot camps at local universities such as Rutgers and the University of Texas.

Expect about a year for non-technical people to ramp up and achieve most of the basic certifications they need to move into cybersecurity, Lee advises. Most of the top certification bodies, SANS included, offer training and certifications across multiple countries and regions around the world, priced according to delivery format (in-class or virtual) and whether hands-on labs are included, with additional costs on top.

To conclude, upskilling is a practical and effective way for companies to fill cybersecurity job vacancies, especially in the face of the ongoing skills shortage in the industry. Instead of relying solely on external hiring, CISOs should also consider investing in and developing their existing employees’ skills and talents to fill the gaps in their security teams. With various certification and training programs available, companies can tailor their upskilling efforts to their specific needs and identify transferable skills in employees to train them effectively for cybersecurity roles.
