Skills are not a narrowly defined set of steps that unlock the next piece of paper, but abilities that are continually advanced. To use a (potentially corny) phrase, it is a journey, not a destination.
It is critical for organizations to train their teams regularly and against the threat landscape, not just on an intermittent basis like we often see. The best way to do this, is to arm people with the ability to learn, not just pass tests.
Take crisis exercising for example, where 40% of security leaders are not confident in their team of responders due to a failure to adapt to today’s modern threat techniques. Things need to change.
Continuous learning is done by teaching humans to think for themselves and be creative, and by making it OK to challenge accepted wisdom. Giving people the ability to pass exams does none of these things. They need to feel the heat of a real-life experience so that when they are under pressure, they are better prepared to react. I learned a long time ago that the very best talent in our space is not those who merely retain information, but people who thrive when challenged to discover answers themselves.
Crisis exercising is a good example of this shortfall in continual skills development. Despite the rapid increase and sophistication of the threat landscape, over a third of organizations leave a year or more between cyber crisis simulations. This leads to teams that aren’t equipped to respond when put under pressure, especially if thrown a curve ball and asked to react to a situation outside of what has been drilled. Only a continued honing of human capabilities across an organization can teach the kind of independent thought necessary to react effectively.
When security teams are challenged in this way, the change in results is noticeable. Providing the spark that sets off a chain reaction builds valuable neural pathways that aid future problem solving, at the same time as creating a sense of ownership of achievement that encourages further development. This is the same sense of achievement that motivates attackers, and any defending force needs to learn from their adversary.
Done often enough, muscle memory can be built which helps people think their way out of any problem, not just the narrow few they face in an exam or cyber crisis drill. By comparison, teaching people to pass exams just gets them a piece of paper. It might increase their appeal to recruiters or drive up their day rate, but it won't necessarily make better cybersecurity professionals in the long run.
It is this flawed idea that we need to fix in our industry. By pushing people to learn in a way they enjoy and mapping this to the threat landscape, they equip themselves with the ability to evolve and stay relevant. Removing the pre-determined 'finish line' mentality provided by static certifications is crucial if we want to build strength in depth. As a sector we have to ask ourselves the question, when the heat is on, would we rather have an adaptable talent pool full of original ideas on our side, or one which has a certificate? I know which way I lean.