Last month, we focused on the key takeaways from Immersive Labs’ 2022 Cyber Workforce Benchmark report. Those takeaways boiled down to this: Security practitioners across industries are taking too long to remediate vulnerabilities and are making snap decisions in response to high-profile threats that don’t always lead to an adequate defense.
In this post, we take a deeper dive into what it might take to close the cybersecurity talent gap – or at least make meaningful progress.
About the report
First, a refresher on how the report was put together: It is based on data from over 300,000 simulations completed by security teams in 2,100 organizations around the world. Immersive Labs took the data about completed exercises and mapped it against the MITRE ATT&CK framework.
In a follow-up blog post, Immersive Labs zeroes in specifically on what can be done about the talent gap. It starts by asking the question: Are there untapped sources of talent organizations have yet to tap into? The short answer is yes.
After reviewing activity from its free Digital Cyber Academies (DCA) program, some key points emerged. Note: More than 22,000 individuals completed over 176,000 labs globally as part of the DCA initiative during the period analyzed.
Here is what emerged from the DCA data:
- Up-and-coming talent who participated in DCA tended to focus more on security fundamentals, but many did advance into more specialized cybersecurity exercises in areas such as offensive skills, malware, and reverse engineering.
- When participants progressed to more specialized labs and exercises, they were drawn most often to Red Team skills, particularly infrastructure hacking and reconnaissance.
- Far fewer engaged in application security topics, reflecting a possible lack of awareness of the critical role that software vulnerabilities play in many large-scale security incidents.
- While experienced cybersecurity professionals outperformed emerging talent overall, the margin was not as wide as one might expect. Application security was where Immersive saw the most significant disparity. Emerging talent, on average, took a minute and a half longer to complete these exercises while scoring four percentage points lower on accuracy. But even with this worst case, the performance gap was surprisingly small.
- In other areas, the performance gaps were even narrower: In its “Challenges & Scenarios” category, emerging talent completed exercises a full two minutes and eight seconds faster than experienced pros, while only lagging on accuracy by 1.6 percent. When completing “Malware & Reverse Engineering” exercises, emerging talent finished 55 seconds faster than professionals with an accuracy gap of less than one percentage point.
“While experienced cybersecurity professionals outperformed emerging talent overall, the emerging talent most definitely demonstrated that they are within striking distance,” Immersive said in the blog post. “There is little doubt that the remaining gap could be closed with focused investment in capabilities development.”
To close the talent gap, Immersive recommended organizations:
- Engage promising talent from non-traditional populations.
- Use labs and exercises to assess their innate strengths and map them to organizational needs.
- Implement an ongoing program to help team members reach their full potential and address pressing cybersecurity capability gaps for the organization.