Although cybersecurity expertise is a highly sought competence, there is no agreed educational path to developing the necessary professional skills. Formal education and informal training are understood to both contribute to the making of cybersecurity professionals for various capacities.
This study examines how current cybersecurity professionals got where they are. An online survey of 131 participants and follow up interviews with 10 professionals asked about such dimensions of their education as the time spent in various types of training and self-reported current level of expertise.
The cybersecurity professionals in the study on average had more years of informal training (self-taught) than formal education. Many perceived their advanced aptitude as being fostered through experiential learning. Education was seen as a convention. Experience was ranked as the key ingredient to becoming an expert, rated more highly than education and pure knowledge. Similarly, on-the-job training was ranked above classroom learning and experimentation as a source of knowledge. Self-reported skill level was shown as being correlated with informal education but not with formal training; those with an expert skill level reported more informal training than those with high or intermediate skill. The results for breadth of skill are similar. Experts reported being skilled in more areas than those with intermediate and even high levels of skill.
This research has implications for the design of training opportunities. Importantly, pursuing formal and informal education should not be presented as an ‘either/or’ choice. Cybersecurity education programs could make the most of benefits of informal training, by integrating practical and experiential learning.
A combination of formal and informal training incorporating experiential learning is important in creating cybersecurity experts.