Level up with practical experience, not just cybersecurity certifications

January 20, 2024
2 mins read


  • Many organizations rely on outdated certifications and training courses to measure their cybersecurity capabilities, which may give teams a false sense of security.
  • Traditional certifications and training programs are flawed because they take too long to develop, become outdated quickly, and are costly to maintain.
  • Leaders should focus on continuous hands-on training and exercises to build and prove cyber resilience.
  • A data-driven approach to cybersecurity training, tailored to individual roles and experience levels, can lead to tangible proof of cyber resilience and more secure organizations.

The rise of cyberattacks targeting the human element exposes the inadequacy of traditional cybersecurity certifications and training, according to James Hadley, founder and CEO of Immersive Labs. Many organizations still rely on outdated certifications and annual training courses that are expensive and may no longer be effective. These methods fail to build and prove hands-on knowledge, skills, and judgment, and they do not align with the pace of the evolving threat landscape. Leaders should shift their focus towards continuous improvement through regular exercises and training, personalized to individual roles and experience levels.

Traditional certifications and training programs have several flaws. They take years to develop and become outdated by the time they are released. Certification programs cannot keep up with the rapid pace of cyberattacks. Additionally, the cost of maintaining certifications has become prohibitive for many organizations, making it difficult to justify the investment. These methods also fall short when it comes to reacting and recovering quickly from cyberattacks. Infrequent training sessions do not align with the pace of the real threat landscape, and professionals are not engaged with the information they receive. Hands-on practice and realistic, simulated scenarios are necessary to develop cognitive agility and muscle memory for tackling real breaches.

Hadley suggests four criteria for a path forward in building true cyber resilience:

  1. Continuous exercises: Teams need regular and ongoing practice and training in cybersecurity to improve skills and readiness for potential threats and incidents.
  2. Practice continuous training across the whole workforce: Involving all employees, regardless of their role or expertise, in cybersecurity exercises to create a culture of security awareness and preparedness.
  3. Tailor the training by role and experience level: Customize cybersecurity exercises based on individual job roles and levels of experience to ensure relevant and effective training for each employee.
  4. Insist on proof of real capabilities: Demonstrate and validate hands-on cybersecurity skills and competencies through practical exercises and assessments, offering tangible evidence of an individual’s capabilities in the field.

By adopting this data-driven, hands-on approach to cybersecurity training, leaders can gain a comprehensive view of team and individual preparedness for attacks. They can make informed decisions and ensure alignment throughout the organization. This approach will lead to tangible proof of cyber resilience and ultimately create more secure organizations.

In conclusion, the industry needs to move away from outdated certifications and embrace a new data-driven approach to cybersecurity training. Continuous hands-on training and exercises, personalized to individual roles and experience levels, are necessary to build and prove cyber resilience. By adopting this approach, organizations can confidently face the challenges of the evolving threat landscape and create a more secure future.

Latest from Blog

Top VPN’s privacy claims confirmed by independent auditors

TLDR: Independent auditors from Deloitte Romania confirmed CyberGhost VPN’s privacy claims through a detailed audit of their systems. Auditors found that CyberGhost’s no-logs infrastructure works as expected, ensuring user data privacy. Independent