We are living in a hyperactive world where technology quickly becomes obsolete, sometimes even before it is widely adopted. When it comes to cybersecurity, threats and attacks have evolved so that organizations must always be on guard to ensure their data and operations are not compromised.

This evolving landscape of cyberthreats demands the continuous development of employees’ skills. However, the common approach to security training is still inadequate. Organizations believe that they are prepared if they’ve brought a few information technology (IT) security personnel on board or shared best practices with employees.

To be prepared for cyberthreats, organizations must develop a comprehensive cybersecurity training plan that includes the continuous upskilling and reskilling of employees. Before diving into the details, let’s first describe the difference between upskilling and reskilling.

Upskilling to Stay Relevant, Reskilling to Stay Ahead in the Game

“Upskilling” refers to training employees on a set of skills that help them perform their job more efficiently or effectively. In a fast-paced, rapidly changing world, it only makes sense to upskill teams on the latest industry practices to stay competitive.

“Reskilling” refers to training employees on a set of skills that help them perform a different job. When an organization has a talented pool of employees whose area of expertise is becoming obsolete, it should reskill them to retain their talent and avoid going on a hiring spree.

The Cybersecurity Landscape

In an era of incapacitating cyberattacks and high-profile data breaches, cybersecurity impacts every organization and every individual. Many organizations face a widening cybersecurity skills gap. Let’s explore why this gap is growing and how organizations can create a realistic strategy for cybersecurity skills development, starting with a discussion of two common approaches.

The Capability-driven Approach

This approach focuses on having the right people in the right roles by upskilling their current talent pool those roles. The primary objective of this strategy is to cut back on the costs and effort of hiring by upskilling existing employees instead.

While this approach sounds good, there are a few drawbacks to using it without proper research. Since organizations using this model tend to define specific job roles narrowly, security personnel may find themselves siloed into rigid roles without having anything substantial to contribute to the organization on a regular basis. In addition, if an organization does not appropriate nurture its talent and reskill when necessary, it will likely turn to talent acquisition to fill its skills gap.

The Risk-driven Approach

High-risk organizations such as banks and health care companies usually follow this approach, which focuses on creating a security strategy that’s aligned to the threats the organization faces. Security professionals in these organizations need a diverse set of skills to mitigate specific cyberthreats to their business.

This approach includes the primary elements of a robust security strategy but often fails, because it can exclude vital employees and skills that aren’t connected to the identified risks. Moreover, the training is often not relevant and flexible enough for the real world of cyberthreats, where risks evolve with each passing day.

Both approaches have distinct strengths and flaws, but following either of these strategies without thorough research is taking a shot in the dark. To ensure that they cover a wide range of relevant risks, leaders must be proactive in discovering which risks they need to address and whether the requisite skills are present in the organization.

Thankfully, the emergence of cybersecurity frameworks such as the National Initiative for Cybersecurity Education (NICE) and MITRE ATT&CK are taking the guesswork out of, and streamlining, the skill development process by providing structure and context. With the right mix of upskilling and reskilling, organizations can make the most of their existing talent pools while ensuring greater employee satisfaction.

Methods for Upskilling or Reskilling Your Teams

There are many methods organizations can use to upskill or reskill employees on cybersecurity. The best method depends on the organization’s structure and training requirements, and a comprehensive and customized skill development plan can encompass a combination of methods.

Formal Training

Using an authorized training provider’s services can cover your skills lag and prepare a team of certified professionals in your organization. This approach can quickly catapult your organization toward increased efficiency and productivity, if the training provider can tailor the solution to your specific requirements.

Online Instructor-led Training

If a company cannot invest in a full-blown classroom training program, the next best option is to choose virtual instructor-led training. It eliminates the hassle and cost of travel, saves time and trains teams on the latest technologies with hands-on labs.

Peer Learning and Mentoring

Organizations can encourage a knowledge-sharing culture by pairing team members, offering job shadowing or organizing employee-led workshops. This kind of training can take multiple forms, including “train the teammate” sessions that develop employees’ skills while building a learning culture that fosters strong professional relationships.


Training doesn’t have to take the form of month-long courses. Especially given the current pandemic, eLearning is gaining popularity as a means of learning new skills. With self-paced online learning, employees can acquire a new skill gradually and at times that are convenient to them.

Webinars and Online Events

In terms of learning, it’s true that “seek, and you shall find.” Whatever we want to learn, there are thousands of online events and webinars available at the click of a button, and some are even free. Many organizations are encouraging their employees to enhance their skill sets through these events.

Deciding how and when to upskill or reskill the workforce depends on a company’s cyberrisk exposure and existing skills. There’s no one-size-fits-all solution. Organizations with standard cybersecurity requirements can upskill employees through any of the cybersecurity certifications available on the market.

However, reskilling is also inevitable, as there are always new skills to learn. Beginner-level cybersecurity certifications generally do not require prior technical knowledge. Therefore, selected employees can reskill on an array of cybersecurity skills relevant to a new role.

Cybersecurity training is not optional anymore. It is a vital component of any organization’s strategy to ensure a secure future amid our current health and economic crisis — and beyond.