Mounting Skills Gap, Complex Threat Landscape Drive Surge in Corporate Security Learning
Fall is in full swing, and for many, this marks a time for breaking out the flannel shirts, indulging in pumpkin-flavored everything, and raking endless piles of leaves. But for those in the information security community, autumn – and October more specifically – brings to mind Cybersecurity Awareness Month, an annual ritual dedicated to spreading education and awareness about cybersecurity.
After what seemed like an endless stream of malicious activity in 2020, this year has unfortunately brought even more of the same, with the number of 2021 data breaches already surpassing last year’s total by 17%. With that said, if there’s a silver lining to be found, it’s that cybersecurity is finally getting the mainstream attention and prioritization – from the U.S. government all the way to K-12 schools – that is required to start turning the tide.
In light of Cybersecurity Awareness Month and amidst today’s increasingly complex threat landscape, high rate of skills gaps, and growing talent wars, we were curious to learn how organizations and their respective team members are engaging in security training. Analyzing data from millions of users that have accessed security assets in Skillsoft’s learning experience platform (LXP), Percipio, we found that 2021 has been a true inflection point for security learning and development (L&D) in corporate environments.
Cybersecurity Training and Learning Reaches New Heights
Whether for professional development, to increase awareness of threats and learn risk mitigation best practices, to pivot career paths, or simply to build skill sets, organizations and employees are spending significantly more time on cybersecurity training than ever before. Since 2019, we’ve observed a 53% increase in the total number of hours that learners are dedicating to security training content and courses on an annual basis.
Looking at this trend via a monthly view spanning the last two-and-a-half years, each month in 2021 – except January by a slight margin – has seen significantly higher rates of consumption for security training and education assets across all expertise levels. We see an especially large spike in March and April 2021, which coincides with the infamous Hafnium state-sponsored attack and the impacted party noting that the group behind it “primarily targets entities in the U.S. for the purpose of exfiltrating information from a number of industry sectors.”
Additionally, following a report in late May 2021 of a new wave of attacks involving phishing emails launched by Nobelium that could be used for data theft, we again see a direct correlation with spikes in employees’ security training content consumption.
Breaking this down further, analyzing 25 industries – ranging from aerospace to banking and finance to medical – 60% of all companies saw the total number of hours spent by learners annually on security training content increase in 2020 compared to 2019, with this number rising to 80% in 2021 compared to the year prior. The top five industries that have seen the largest relevant content consumption spikes?
- Energy and utilities
- Training & development
On average, these five industries have seen a 59% year-over-year growth trajectory.
Security Pre-Certifications a Hot Commodity
Knowing learners are increasing the amount of security training they’re doing is valuable, but it raises the question of where they’re spending their time. Looking at the 10 most frequently completed security courses so far in 2021, OWASP Top 10 related lessons take the lead spot, followed by cloud security fundamentals, which could be attributed to the COVID-19 pandemic spurring a rapid global shift to the cloud.
Rounding out the top 10 are a variety of CompTIA Security+ pre-certification courses, ranging from social engineering techniques to basic cryptography principles. With Skillsoft’s Global Knowledge finding that more than 75% of IT decision-makers are struggling with existing skills gaps, and cybersecurity and cloud certifications being the two most in-demand skills and technology areas for organizations today, there’s a natural parallel between these findings and where this data shows learners gravitating in their upskilling journeys.
Security Training Can’t Be a “Stop and Start” or One-Month Priority
While these findings paint a positive picture surrounding security training and upskilling in corporate environments, malicious actors’ continued success with “preventable” hacks and a continuously widening skills gap show that there is still a lot of work to be done.
Cybersecurity Awareness Month is an important annual reminder that, as an industry, we must focus our collective efforts on addressing security issues and spreading awareness and education. In order to drive true change, security professionals and all people must maintain a mindset of continuous learning and curiosity beyond October. Keys to building a lasting culture of cybersecurity include:
- Outline the role each employee plays, where everyone works together to achieve a common objective rather than simply checking a box;
- Implement a blended learning approach, combining traditional course content with real-world scenarios, practice labs, and team-oriented lessons;
- Encourage employees to pursue certifications to expand their skillsets, become more cyber-aware, and reduce skills gaps; and
- Provide employees with the tools needed to train and upskill in their natural flow of work, with a gamification component to help keep individuals interested and motivated.
See how Skillsoft’s immersive learning platform, Percipio, can help make all forms of learning – especially security – easier, more accessible, and more effective. And check out our Challenge Labs, where we provide teams with safe and genuine AWS or Azure cloud environments to practice and master their newfound skills.