Finding qualified staff to replace vacancies or build out an expanding team can be a nightmare for already overburdened CISOs, especially given there’s a pernicious and ongoing shortage of skilled cybersecurity workers in the job market. One creative alternative to frustratedly trolling job-search sites is to look inward, rather than outward — to find capable, smart people already working at a company in other areas and train them to fill roles on the cyber team.
There are many benefits to upskilling over hiring anew: current employees don’t need to adjust to the corporate culture, they have institutional memory, they have relationships within the company, and they’re already in the human resources channel. The downside is their lack of training and certification — but that’s a small price to pay for gaining a talented team member.
Pam Nigro, vice president of security for Medecision, is no stranger to upskilling non-technical workers with complementary skills to extend her security team. In a previous job at Health Care Services (HCSC), she cross-trained employees who worked in audit and vendor relationship management to staff up a new third-party risk management program. After passing internal security fundamentals training, they received HITRUST certifications and were able to begin validating third-party vendor compliance.
Training the non-technical is only the beginning
“At HCSC, we developed a career path for upskilling and recertifying employees with complementary skills, and I’ve carried that to my current job. Now my partners from IT and networking work with me on cross-training to move people forward,” Nigro says. Certification is part of the employee upskilling journey, she says, “but I never look at the certification as the end of skills building, I look at that as the beginning and a foundation to build on.”
Nigro is also an adjunct professor at Lewis University, where she teaches graduate-level security, risk, and governance courses. And she is board chair and vice president at ISACA, where she teaches the Cybersecurity Fundamentals course, specifically designed for upskilling people with no security background. It’s part of a larger set of certificates required to earn the more advanced Information Technology Certified Associate (ITCA) certificate that requires passing tests in five fundamentals: computing concepts, networking and infrastructure, cybersecurity, software development, and data science.
Upskilling is a “strong option” to solve staffing issues
According to CompTIA’s Workforce and Learning Trends Survey, released in April 2023, 75% of respondents said they plan to increase the scope of their talent mobility programs and processes through increased training and certification. “Broadly speaking, this is a strong option for a lot of companies trying to solve their supply/demand skill imbalance,” says Seth Robinson, VP of industry research at CompTIA. “There are circumstances where you can take someone who’s not in a technical job and, with the right amount of training, you can get them to work in security. But they’d start at a foundation level and if they show strong aptitude they can advance to higher-level security and compliance roles.”
As more organisations seek to upskill employees to grow their security teams using internal talent, there are a variety of certifications and career paths available to employees depending on how their existing skills can align with different security roles. To be successful in upskilling non-technical employees into security roles, it’s important to properly map that pathway, advises Diana Kelley, CISO at Protect AI and founder of Security Curve, a cybersecurity advisory.
Identify transferrable skills
“If you are moving people into technical security from other parts of the organisation, look at the delta between the employee's transferable skills and the job they’d be moving into. For example, if you need a product security person, you could upskill a product engineer or product manager because they know how the product works but may be missing the security mindset,” she says. “It’s important to identify those who are ready for a new challenge, identify their transferable skills, and create career paths to retain and advance your best people instead of hiring from outside.”
In most upskilling situations, Kelley recommends the CompTIA Security+ certification, which has no prerequisites, although students would benefit from a basic understanding of computer networks, perhaps starting with the A+ or Network+ certifications, which are mapped in CompTIA's career pathway.
In addition to CompTIA and ISACA certifications, the SANS Institute also has several courses geared toward upskilling employees who are new to cyber, including the new GIAC Foundational Cybersecurity Technologies (GFACT) certification and the GIAC Information Security Fundamentals (GISF) certification.
SANS also has introductory classes for digital forensics and cloud computing — the latter is among the hottest training tracks in demand today, says SANS curriculum director Rob Lee. He also notes that for upskilling, there are niches within niches; for example, cloud architecture or cloud pen testing, and specific cloud environments such as AWS, Azure, or Google. (Google has also recently added a new six-month cybersecurity certificate to its Google Career certificate program).
Specialty training can be key when upskilling
Other specialty areas include security skills for ICS or SCADA systems, as well as financial system auditing. To transfer skills to the specialty areas where talent is needed, Lee recommends using the SANS cyber talent skills assessments, which cost $200 each. “SANS cyber talent assessments provide managers with the ability to identify their team skills, performance, and training investment,” Lee says. “If you have someone new to a cyber role and want to identify who is going to be the superstar, assessments will help identify them and then you can put them on a fast track to more training and certifications.”
While upskilling and certifying existing employees helps an organisation retain talented people who already know the company, Deidre Diamond, founding CEO of cyber talent search company CyberSN, cautions against moving skilled workers into entry-level security roles that don’t pay what those employees are used to earning. Upskilling financial analysts into compliance roles, either as a cyber risk analyst or a GRC analyst, will require higher-level certifications, but the pay for those upskilled positions may be more equitable for those higher-paid employees, she adds.
CyberSN is a free search platform with standardised job requirements for 45 security roles, all of which require some networking and security experience, and most of which require certifications, including the analyst roles, which are the most searched for, followed by DevSecOps and security engineers.
Train outside the box
In addition to the obvious certification bodies, there are a wide variety of other training programs to prepare non-technical employees for work in cybersecurity. For example, look to economic mobility programs, such as the Ventura County Digital Upskilling Training Program. The state-funded pilot program led by the Economic Development Collaborative (EDC) provides free certification training to local businesses, including CompTIA A+ and Security+ certifications.
Additionally, critical infrastructure Information Sharing and Analysis Centers (ISACs) provide training courses for their member companies. For example, the Financial Services ISAC offers training for boards and employees of member companies on cyber fundamentals, offense, defense, intelligence, applications, and cloud.
Similarly, in the UK, the National Cyber Security Centre provides reasonably priced training and certifications for beginners, such as its BCS certificate in information security management principles, which is aimed not only at those with cybersecurity backgrounds wanting to learn more, but also at business unit information asset owners and those with legal compliance responsibilities.
Some governments offer cyber-upskilling programs
In addition, the UK’s Department for Science, Innovation, and Technology (DSIT) and the SANS Institute announced the second iteration of the Upskill in Cyber program to help UK professionals make a career change into cybersecurity. The program lasts 14 weeks and offers free training and advice to support UK workers looking to forge a cybersecurity career.
Also, look into cybersecurity boot camps at local universities such as Rutgers and the University of Texas. In its literature, the University of Texas boot camp shares examples of upskilling people from technical writing, project management, law, finance, corporate security, and law enforcement. It also cites statistics showing that certifications are useful to both employees and employers.
Expect about a year for non-technical people to ramp up and achieve most of the basic certifications they need to move into cybersecurity, Lee advises. Most of the top certification bodies, SANS included, offer training and certifications across multiple countries and regions around the world; they are priced differently for in-class or virtual delivery, with or without hands-on labs, and charge additional fees for taking the tests to earn the certifications.
“Think of upskilling and certifications as a way to support employees that are ready for a new challenge because they've outgrown their existing role,” Kelley says. “More organisations should look at what’s right for their employees' future success by building on the transferable skills they already have and helping them skill up from there.”