Security staff are being forced to upskill in their own time

An unidentified person coding on a laptop placed on a bright desk
(Image credit: Shutterstock)

Many IT and security professionals are working to improve their skills in their own personal time rather than through opportunities provided through their workplace, despite concerns over cost and lack of time.

With a skills gap widening, security workers aren’t able to fully develop their skills at work and are instead turning to development training in their free time. Around half of employees (48%) have committed time before and after work to improve their skills, for example, with 20% also training themselves on weekends.

Professionals are also spending a great deal time per week on upskilling themselves outside of work hours, with 40% spending time every day, and another 38% at least once a week, according to research by Cybrary.

The volume of staff spending time on upskilling outside of work hours is high, despite 33% reporting cost and 28% reporting lack of time as a barrier to getting the development training they need. Disturbingly, according to the findings, 40% say these barriers have a major or severe impact on developing their skills.

“While cybersecurity is often considered a top priority, the industry lacks urgency when it comes to skills development practices for individual team members,” the report claimed. “Organizations need to establish continuous cybersecurity education and professional development not only for security teams but across multiple disciplines, including HR, IT and management.”


IT Pro 20/20: The learning revolution starts now

The eighth issue of IT Pro 20/20 looks at the rise of self-education during a global pandemic


The findings have uncovered a severe workplace skills gap in cyber security, with 72% of respondents to the Cybrary survey suggesting there’s a skills gap on their team. To compound the issue, 65% of IT and security managers agree that this has a detrimental effect on how effective their teams are in responding to threats.

The picture is particularly grim considering recent changes in the workplace which have resulted in IT and security professionals feeling their organisations don’t understand what skills are needed from them.

Around half of organisations, for example, have either reduced their training budgets, 22%, or kept them the same, 25%, over the past year. A fraction of respondents, 16%, claimed their organisations don’t have any training budget at all.

Methods of reviewing skills on security teams are seemingly inadequate or out-of-date, the report also concluded, with 46% of organisations relying on performance reviews, and a further 37% relying on job-related assessments. Only 20% of businesses deploy skills-based assessments, while just 17% use certification practice tests.

Alarmingly, 23% of organisations don’t track any skill development for their IT and security teams, and 46% also don’t confirm new hire skills for specific roles, and neither do 40% regularly assess the skills of newly recruited team members.

The report has recommended that organisations must empower members of their IT and security teams to take up training and development opportunities so they aren’t forced to invest their own time and money developing themselves. The result would be an increase in efficiency, the report claims, as well as productivity and performance.

Simply providing training isn’t a solution, however, and any efforts to improve the skillset amongst the workforce must involve assessing skills across teams and monitoring development on a continuous basis. Such a targeted approach would help the industry to gain a better, more granular, understanding of the skills gap, with businesses able to establish clear development goals for workers.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.