It is an inescapable fact of the cybersecurity industry that there are simply not enough skilled and experienced practitioners to go around. As with most technical fields, there has been a shortage for a number of years, but the cyber skills crisis has worsened as more companies have taken the risk of being hit by a major cyberattack seriously, motivated by regulations and mounting evidence of the threat.
(ISC)² reported in October that there are now roughly 3 million vacant security positions around the world, and that 63 per cent of businesses lack the skills needed to defend against threats. The shortfall has resulted in an extremely competitive market, with skyrocketing salaries and a mounting challenge in retaining experienced professionals against tempting offers from other organisations.
As it becomes increasingly challenging and expensive to recruit new team members, one of the most effective approaches to improving security capabilities is to focus on upskilling your existing team instead.
Upskilling or recruiting?
Recruitment is a difficult proposition at the best of times, particularly in a highly technical field like cybersecurity. Candidates must not only have the relevant certifications, technical skills and experience, but also need to have the right attitude and drive to fit with the business and the existing security team. Cyber professionals need to be armed with a high level of curiosity and motivation for self-directed learning and discovery.
With so many criteria to meet, upskilling can often be a better fit than recruiting. Developing an existing team member is much easier than finding the perfect recruitment candidate, and current employees will presumably already be ticking all the right boxes when it comes to their personality, work ethic and capabilities.
While companies will generally need to continue their recruitment efforts as well, upskilling presents an opportunity to mould an employee to better meet the demands of the business and changing customer needs, while also fulfilling their own career objectives and ambitions for growth. Alongside improving skill levels, upskilling will also help to make individuals more invested in the business and build a more cohesive and close-knit team.
One of the most important principles of upskilling is having a clear vision of what the company is looking for and how it will achieve it. Attempting to develop and mould employees without a clear direction can lead to a great deal of time and effort being expended without particularly tangible results for the business.
To prevent the training process from becoming too nebulous, an organisation should have a well-defined vision of how it wants its employees to develop, backed up by specific objectives, actions and time frames. This will provide a strong structure to direct the upskilling process and deliver the results the organisation needs.
In the security field, one of the most important areas to develop is an individual’s practical experience with real-life IT networks. It’s one thing to have studied a security concept academically, but quite another to have actually dealt with the real thing in high-pressure surroundings.
How can you become a trusted consultant on securing Active Directory infrastructure, for example, if you’ve never actually set one up yourself? Likewise, while automated tools are a mainstay of threat detection, security professionals need to have practical experience with the systems being monitored to provide context to the security alerts.
Putting skills to the test
One of the areas where practical experience is most valuable is red teaming. This is a crucial activity that sees a team of security professionals take on the role of cybercriminals and try their best to infiltrate the company’s network and access essential data and systems. The faux attack will expose gaps in the security strategy and highlight the potential paths of attack, enabling the company to better invest in improved defences.
For the best results, the attack needs to be as realistic and convincing as possible to test how the company would handle a genuine threat. If the target company is able to work out that it’s only a drill, its response will be dulled by a sense of complacency. It’s also important for the red team to stay hidden as long as possible: just as with a genuine intrusion, the exercise delivers more value the longer it remains undetected, because it reveals how far an attacker could get before the defenders respond.
This means the red teamers need to be able to take on the attacker mindset, planning and executing their attack in exactly the same manner as a real criminal. Attitude plays a big role here, but playing the role of an attacker is only possible with a deep knowledge of IT networks. The red teamers must have the practical experience to move confidently and swiftly once the attack begins.
Red teaming also demonstrates the need for soft skills such as communication alongside technical expertise. While it can be thrilling to take on the mantle of an attacker and run rampant in the network, the point of the exercise is to help the company improve its defences. Red teamers must be able to communicate their activity and their findings clearly to their clients for the exercise to succeed.
This is particularly important as the reaction from clients can sometimes be challenging. Nobody enjoys having their systems breached, even if they requested it, and some IT and security heads will naturally become defensive to the red team’s activity. When training red teamers, it is good to include these types of ‘soft skills’ through role play sessions along with the technical training. You can assume the role of a defensive IT manager and deliver probing questions about what the team have done to the network. The team needs to be able to handle this kind of pressure smoothly.
Practice makes perfect
While it’s often best to learn by doing in cybersecurity, there are obvious limitations with what can be done in a genuine network belonging to a real company. Few IT directors will look kindly on having a practitioner experimenting inside their systems.
Fortunately, there are also many options for providing practical experience in a safe and controlled way by emulating real environments, ranging from web applications and Microsoft Active Directory networks to less well-known areas like mainframe systems.
Most recent cyberattacks exploit the organisation’s employees to gain access, so it’s important to emulate user activity as well as the network environment. To help deliver a more realistic training experience, I developed an open-source tool called ‘sheepl’ that is able to execute a variety of typical user actions. The tool creates multiple mock users – the titular sheepl – who perform activities such as typing, creating documents, accessing the web and interacting with PowerShell, essentially generating the “noise” typical of any enterprise environment that tends to mask threats.
By observing a network with emulated users, the security practitioner can develop their ability to look for ‘moments of opportunity’ to advance an attack, such as injecting code or stealing credentials with keylogging software.
Providing practitioners with the opportunity for trial and error inside an emulated network environment, fused with realistic, anxiety-inducing scenarios, enables them to rack up more practical experience in navigating systems and trying out new techniques. By combining this hands-on activity with other learning resources and a well-directed development scheme, individuals can be rapidly upskilled to take on more advanced work and improve the capabilities of the team – without having to run the increasingly challenging gauntlet of new recruitment.
Matt Lorentzen, Principal Security Consultant, Trustwave SpiderLabs