As cybersecurity needs continue to rise, it’s no secret that organizations are having to do more with less. In any given company one can find modern-day use of the old adage, “Patch it up, wear it out, make it do or do without.” That “make it do” part is exactly what upskilling and reskilling are all about.
As companies respond to growing threat appetites with fewer qualified personnel in the job market, they are forced to re-evaluate their cybersecurity focus as well as the team they have at their fingertips. With an increased emphasis on bolstering offensive security efforts, decision makers are now asking themselves: Can web developers moonlight as pen testers? Can systems analysts advise on vulnerability management? Can Help Desk technicians become ethical hackers? Considering the current climate, the short answer is: Yes. By combining upskilling and reskilling efforts with the right tools, these personnel will take your security to the next level.
The Cybersecurity Skills Gap
Yet another year finds the job market still suffering under the slump of an ongoing cybersecurity skills crisis. There are too many cyber-oriented jobs that came up too fast and not enough people qualified to fill them. The industry has been beating this drum for a long time, and in response, droves of new cybersecurity positions have been filled. Unfortunately, it hasn’t been enough.
Per data in the 2022 Cybersecurity Workforce Study by (ISC)², the need greatly outstrips the supply. Now that “every company is a software company,” organizations are rushing to snatch up whatever cyber talent is still out there. The report states that despite growing by an additional 464K workers this past year, the cybersecurity workforce gap has still managed to eclipse that progress and grow by 36.5% YoY, twice the amount of the non-cyber workforce.
As global organizations, from the UK to South Africa to Brazil, absorb the hit, security leadership looks for answers on how to fill the gap. As unfilled positions linger on external job boards, many have found their answer by turning inward and investing their security spend in upskilling and reskilling their current IT workforce.
What is Upskilling?
Upskilling is the act of teaching employees additional job-related skills. Thanks to the cyber talent shortage, it's coming into play more than ever in the realm of Information Technology.
"Every IT position is also a cybersecurity position now," notes Steve Morgan, founder of Cybersecurity Ventures. "Every IT worker, every technology worker, is (or should be) involved at some level with protecting and defending apps, data, devices, infrastructure, and people." Companies are indeed finding that the shared skillset of IT is a huge untapped boon when looking to fill gaps in cybersecurity. Rather than spending the resources to look elsewhere, they can simply add skills to the workforce they already have without additional onboarding overhead or downtime.
Upskilling is not only convenient; it can also be more cost-effective to put your budget towards training instead of increased recruitment efforts. Offering upskilling opportunities to employees can also improve retention rates, which is another top concern as the cybersecurity skills shortage endures.
This could mean training your software developer in vulnerability management, adding to their programming knowledge the ability to determine whether their OS-based code is safe. Upskilling builds on core competencies and also enables an organization to demonstrate how invested it is in nurturing its employees’ career growth.
What is Reskilling?
Reskilling involves employees changing lanes. You take someone already working at the company and allow them to switch tracks, developing a new career within the organization. In context, this could be a finance manager training to be a SOC analyst, or someone in human resources reskilling in cloud security or penetration testing.
Not only does this save on hiring overhead, but it allows employers to leverage the institutional knowledge and cultural know-how of their employees. Cross-training enriches the departments involved with additional insight, and those who reskill not only increase their job security and value to the company, but in the case of cybersecurity, usually their paychecks as well.
This seems to be a trend that is catching on. Bill Reynolds, research director at Foote Partners, a workforce research firm, notes:
“With the significant shortfall in the marketplace for skilled cybersecurity professionals, the sense I'm getting by talking to hundreds of employers ... is that they're focusing more right now on training and developing talent from within.”
Targeting Offensive Security with Upskilling and Reskilling
A key area that many companies are looking to optimize is offensive security. Offensive security means defending the enterprise by assessing the state of security and actively seeking out vulnerabilities and weaknesses. In other words, it means playing the part of the criminal adversary and actively “attacking” your own network.
As threats continue to evolve, organizations find that it's no longer enough to be safe on paper. Offensive practices like vulnerability management help identify security weaknesses that may be putting you at risk. Additionally, security assessments like pen testing, which use real-world threat actor techniques, can determine just how damaging an attack would be and whether security controls work in practice, not just in theory.
However, given the shortage of skilled cyber workers, many companies find it cost-prohibitive to hire out for twice-yearly penetration tests or red team engagements and instead look for more sustainable solutions in-house. As organizations face accelerated patterns of exploit generation, coupled with new technology, they increasingly want to see how well security controls perform under stress.
The growing popularity of offensive security makes it a prime candidate for the focus of upskilled and reskilled workers.
Strategic Upskilling and Reskilling with User-Friendly Tools
It’s one thing to talk about branching into a new field, and another entirely to get it done. Companies looking to save money by investing in their current workforce need to do so carefully, investing in tools that will optimize time and training – not waste it.
The right tools will enable on-the-job training and streamline employee transition. Luckily, there are plenty of tools out there that already force-multiply small security teams and are designed to do a lot with a little.
Fortra’s Core Impact is designed to streamline penetration testing for in-house teams. It uses guided automation and certified exploits so, regardless of experience, your team can launch the same types of attacks you’d be facing in the real world. With the ability to execute these tests across the infrastructure (endpoints, web applications, and client-side), you can centralize testing efforts and maximize your investment.
Using Fortra’s Frontline VM, organizations can simplify vulnerability management, running automated scans with proprietary technology to get an up-to-date picture of the security of their environment. The latest release also offers users the ability to scan remotely, receive threat reporting in real-time, and immediately report malicious activity to third parties for remediation.
The only way to test if your security strategy really works is to test if your security strategy really works. As organizations make offensive security a priority, Fortra provides the tools that enable upskilled and reskilled workers to optimize their training, creating enterprise-ready vulnerability management programs and performing real-world, exploit-current penetration testing.
Want to Jumpstart Your Upskilling and Reskilling Efforts?
Explore the Offensive Security Essentials Bundle, which combines the power of vulnerability management with Frontline VM and pen testing with Core Impact, all for a reduced price.