Cybersecurity talent acquisition and retention is one of the biggest challenges security executives face in 2022. The need for skilled cybersecurity resources is ever-increasing, so competition for experienced cybersecurity pros is fierce. Meanwhile, the unpredictable and unrelenting nature of cybersecurity often leads to burnout and employee turnover issues.
At Immersive Labs, we’ve seen countless examples of how organizations solve both of these problems by creating career development pathways that align employee interests and strengths with future organizational needs. Cybersecurity professionals benefit from the opportunity to work on a broad range of activities and advance their careers. At the same time, security executives gain a quantifiable understanding of their teams’ strengths and knowledge gaps, so they can invest in human capital wisely.
But even security teams that do an outstanding job developing and retaining talent often struggle to bring qualified talent into the organization.
This led us to the following question:
Are there untapped sources of cybersecurity talent that organizations aren’t yet taking full advantage of?
To answer this question, we’ll revisit the data from our Cyber Workforce Benchmark 2022. If you haven’t yet read the full report, check it out. It summarizes our analysis of hundreds of thousands of exercises and simulations we’ve conducted with organizations globally.
But today, let’s focus on the backgrounds and experience levels represented in the data to try to answer the question above.
A lens into the talent of the future
While the Immersive Labs platform is used primarily by businesses and government organizations on a paid subscription basis, we offer Digital Cyber Academies (DCA) free of charge to university students, military veterans, and members of underrepresented groups. Over 22,000 individuals completed over 176,000 labs globally as part of the DCA initiative during the period we analyzed.
In addition to being a valuable public service, our efforts with DCA give us a unique view into how up-and-coming talent performs on the same types of labs and exercises that more experienced cybersecurity professionals use to expand and sharpen their capabilities.
What are the learning priorities of emerging talent?
Unsurprisingly, the up-and-coming talent who participated in DCA tended to focus more on security fundamentals. But many did advance into more specialized cybersecurity exercises in areas such as offensive skills, malware, and reverse engineering.
Another observation is that when these participants progressed to more specialized labs and exercises, they were drawn most often to Red Team skills, particularly infrastructure hacking and reconnaissance. Emerging talent was much less engaged on application security topics, reflecting a possible lack of awareness of the critical role that software vulnerabilities play in many large-scale security incidents. In fact, only 0.5 percent of the labs completed by up-and-coming talent were focused on this critical topic.
How does the performance of emerging talent stack up with more experienced professionals?
Some of the most eye-opening insights we discovered when analyzing the performance of up-and-coming talent came from looking at how their performance compared to more experienced cybersecurity professionals completing identical labs.
We did this by zeroing in on two metrics:
- How long exercises took to complete
The results were a bit surprising. While, as expected, experienced cybersecurity professionals outperformed emerging talent overall, the margin was not as wide as you might expect.
Echoing the point above, application security was where we saw the most significant disparity. Emerging talent, on average, took a minute and a half longer to complete these exercises while scoring four percentage points lower on accuracy. But even with this worst case, the performance gap was surprisingly small.
In other areas, the performance gaps were even narrower. Here are a few examples:
- In our “Challenges & Scenarios” category, emerging talent completed exercises a full two minutes and eight seconds faster than experienced pros, while only lagging on accuracy by 1.6 percent.
- When completing “Malware & Reverse Engineering” exercises, emerging talent finished 55 seconds faster than professionals with an accuracy gap of less than one percentage point.
So, while experienced cybersecurity professionals outperformed emerging talent overall, the emerging talent most definitely demonstrated that they are within striking distance. There is little doubt that the remaining gap could be closed with focused investment in capabilities development.