Jim Chilton is the Chief Information Officer at Cengage Group and General Manager at Infosec Institute, a globally renowned security awareness and cyber skills training provider acquired by Cengage Group in March 2022. In these roles, and with over 23 years of experience in the cyber space, Chilton strives to influence cultural change within organizations, driven by innovative, effective training.
Kate Rodgers is Director of Brand Marketing at Infosec Institute. In her role at Infosec, Rodgers helps deliver the company’s core values to their clients across the world, ensuring that organizations of all sizes and within any sector are equipped with the knowledge, skills and confidence needed to achieve their security goals and combat cybercrime.
At RSAC 2022, we spoke to Chilton and Rodgers to discuss the challenges presented by an increasing skills gap in the cybersecurity industry, and how Infosec Institute’s training and upskilling offerings can help organizations to overcome those challenges.
The cybersecurity industry is facing an increasing talent gap, with 39% of organizations reporting a shortage in staff capable of operating and maintaining their security infrastructure (ISC2). Why is this such a challenge for so many businesses?
Chilton: There are two reasons—I’ll start with the CIO response. As someone who’s been a CIO for the last 25 years, one of the biggest challenges in getting and finding the talent is purely availability; are they at the right level, and do they have the right skills that they need for these jobs? There’s not a one size fits all, so bringing in the right talent, but also having them slotted into the right positions that we need to fill is very difficult. The second challenge is retention, because everybody wants to hire these people. So, we’re having to do regular changes in roles, responsibilities and pay to retain people.
Cengage Group is a global education technology company. In that spirit, we’ve actually grown and developed our own cybersecurity team by bringing in people from inside the company, who have worked on the Help Desk or other technologies, and we’ve used tools like Infosec to help prepare those people for the jobs that we need. We’ve also used our apprenticeship program, which has involved hiring people from outside and giving them apprenticeship level training. This approach allows you to retain the talent that you’re developing because there’s an affiliation to this growth that they’re having and the opportunity that they’re getting.
Where this is a perfect complement to our recent acquisition of Infosec, is that now we actually have a company that’s specifically targeted to this same exact thing that we’ve been doing, but to do it for the rest of the world. That’s what I’m super excited about from the Infosec perspective—we are the only company that really focuses on doing this with a role-based approach. If you haven’t taken the test, I would encourage you to do so and identify where you fit. The opportunity for people to self-identify—whether they’re going through one of our employer-based programs, or they’re an individual that just happens to be interested in our materials—helps people figure out where they should grow and develop their skills naturally. You may think you’re right for one thing until you actually get into it, and then you find that your natural center is actually something very different.
You mentioned upskilling and cross-training there and spoke of retention as one of the benefits of doing that. What are some of the other benefits associated with upskilling and cross-training employees to help organizations fill the cyber skills gap?
Chilton: Beyond retention, you build a story within the technology team. As a company of learners built for learners, which is largely what Cengage and Infosec now are, we believe that everybody should have the opportunity to be educated and developed, and it shouldn’t just be an opportunity for the elite. It should be affordable, and it should be available to everyone as a result of that. So, we’re walking the walk that we say is right for everybody. This demonstrates not only what’s possible inside the company, but also outside the company, when you see people that have grown and developed through these careers from other areas of the business or other disciplines.
A portion of our business focuses specifically on higher education and disciplines. Think economics, calculus, and such—we’ve actually taken people out of those groups and brought them over because of their interest in cyber, and then we enable them to develop the right skills within the right team to be able to do that work. There’s no level that we keep from people inside the company.
The point where it becomes interesting is that, in the CIO community, I’ve done a lot to share what we’ve done at Cengage, but also with apprentices and inside employees. This kind of sets the framework for what other companies can and should be doing. And since then, we’ve created a partnership with a number of the Boston area CIOs, where we’ve run a similar program and started sharing best practices around this. It’s about educating others on what actually is possible.
Going back to your point about how hard it is to find people and how, when you do find them, it’s really hard to keep them—when you take this approach, there’s a gratefulness in the people that are doing it, because this is an opportunity they wouldn’t otherwise have had. They’re getting this upskilling and training; they’re getting an opportunity and they’re changing their trajectory in life as a result of that. And that’s a core mission of the company.
Infosec Institute is globally renowned for its security awareness training courses, but you also offer cyber skills certifications. How can Infosec Skills help organizations upskill and cross-train talent?
Chilton: Companies buy our products today so that their employees can either achieve, maintain, or develop these certifications and the skills that they want them to have. Additionally, we do have the ability for individuals that are self-selecting to be able to go to a website and buy a course, then navigate their way through it themselves.
And at Cengage and Infosec, we recognize that not everybody learns the same. Some people—whether they’re coming through their employer or as an individual—can be self-taught and navigate their way through their certifications on their own. Others cannot. So, there are two ways in which we’re offering our courses today. One is through the online Skills program that you mentioned, but in addition to that, we’re doubling down on what we do with boot camps, which combine both in-person and virtual training. By doing this, we’re providing the opportunity for both types of learners; the one that prefers to be self-taught, and the one that needs that classroom training and that focus. So, we have a really great success rate for the people that do go through our program and achieve these certifications.
That’s also important to me from a CIO perspective, because our customers have to meet lots of compliance-based requirements from a security and privacy perspective. Because of that, I need to have people on staff who are very familiar, very capable and—in this case—certified and up to speed on the things that they should be delivering. Having a highly qualified, capable team allows me as a CIO to sleep at night, knowing that I have people that will continue to deliver regardless of new or changing requirements. Because unlike economics or calculus, which you can learn once as a discipline, the things that we’re talking about aren’t something you learn once. You are continually learning.
Who are your typical customers in this area? Are there certain business areas or types of employees that you would recommend your Skills courses to, or is there value for anyone to cross-train?
Chilton: Our solutions today have been remarkably successful in the SMB space and in the government space, particularly in US government and different agencies within the government. We meet the certification and training requirements that they’re expecting and the dose that they need to deliver. So, it makes a lot of sense.
We also have some very successful enterprise customers today. The role-based approach that the team has developed fundamentally aligns well with both communities, but while the education and content that we provide are absolutely spot on for large organizations, I want to make sure that our technical offering is more plugin ready, too, as we tiptoe into the enterprise space. When you think about our IQ phishing simulation product and how it plugs in, for example, a smaller business that has say 1000 or fewer employees has very different needs compared to an organization that has 400,000 employees.
Rodgers: I’d like to build on that. When we talk specifically about Skills Roles, the companies that are likely to get the most value from it are those that are tied to the NICE framework. A lot of companies either have to or want to use the NICE framework, and all 12 of our roles actually map back to the 52 NICE work roles, which makes that framework a lot more accessible to them.
For example, if a business gets their first government contract, and now needs to be compliant with the framework, but there are 52 work roles and 1000 KSAs, it can be difficult to know where to begin to make sure they’re actually meeting all of those requirements.
We’ve also seen this work really well with government contractors. They bring on a new client and that client says, “I need a team of cybersecurity professionals with X, Y and Z KSAs; they have to be able to perform these things or they need this specific NICE work role.” How is that business going to get their team trained quickly enough to meet those exact needs? Well, because our 12 roles are mapped to all of the NICE work roles and 600 of the KSAs, they know exactly what training can get them where they need to be to fit client needs.
I’ve seen this most recently in cloud security; a client will come and say, “We want to work with you, but you need a team of cloud security engineers,” and the contractor’s like, “Oh man, how are we going to do this?” And they pick a handful of people and say, “I know all the KSAs that we need to be able to secure this business. With Infosec, I can build this personalized, role-guided pathway for my employees, so we can train them in a matter of weeks to get the certs and KSAs that they need.”
And they’re also getting Cyber Range experience as well, so it’s not just a plug and play where you read the content and check the box. It’s a 360 approach so that they can feel confident that they’re going to send this to their customers.
So we cater to both sides of the spectrum: the people who are just starting to dip their toes into the NICE framework, or are starting a new business and want to build these frameworks within their own teams, and the customers on the more sophisticated side that fundamentally need those roles and KSAs built in.
Finally, what is the first step organizations should take, when considering upskilling their existing employees to help fill the cyber skills gap?
Chilton: I think that first step is self-identification. Take the examples that Kate shared; the training path really depends on the company, who you are and where you fit in your ecosystem, and it’s very different for each industry. But that self-assessment is a very valuable starting point for anyone to work out who they are and what they’re trying to build. And regardless of how they conclude that assessment, we have products, services and solutions that will help them.
So, if they come out of that assessment having discovered that what they really need is better cyber education, awareness and training across their employee base, we can do that with our IQ product. If they need to upskill their technology team or engineering team, we can do that in a multitude of ways, depending on each learner’s preferences. And if they see this training as a perpetual part of their business operations—for example if someone who wants to build a consulting practice wants to deliver consistent, capable cyber professionals—we can help them continuously upskill and develop people so that, as they put them on into their customer sites, they have the right skills and capabilities.
Rodgers: Yeah, you need to start by having a really great understanding of where you’re at. And we do have a couple of tools that help companies do that. You then need to decide where you need to go from there. And I think that’s the same on the learner side as well as the business side. We have a lot of ways for people to self-assess, so they can see, “Here’s where I actually am and here’s how I can get towards wherever I want to go.” If they want to be a secure coder, a cloud security engineer, penetration tester, any of that good stuff—that’s almost always the first step. See where you fit and then re-evaluate and see how you’re changing over time.
Chilton: I think the part that’s interesting is that, in these talent development schemes, there’s one part for a company to assess itself: Who are we in business and what are we trying to accomplish? There’s also a department level, where you could have a similar based assessment. And finally there’s an individual one, for people saying, “I understand what the business needs to do. What do I need to do for my career and where I want to go next?”
Thank you to Jim Chilton and Kate Rodgers for taking part in this interview. You can find out more about Infosec Institute’s security awareness and cyber skills training solutions via their website.
Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.