Continuous cybersecurity learning is a business-critical function, says Alexia Pedersen, SVP International at the tech firm O’Reilly.
The cybersecurity landscape continues to evolve at an alarming pace. Last year, the global annual cost of a data breach reached $US4.88 million, a ten per cent increase from the previous year – and the largest annual rise since the pandemic. This year, organisations will encounter an array of emerging cyber threats, with attacks becoming more sophisticated, targeted, and damaging to business operations and reputation.
Yet, many companies lack the cybersecurity expertise needed to protect their organisation from increasingly sophisticated cyber threats. In fact, the World Economic Forum revealed the cybersecurity skills gap has expanded 8pc in the last year, despite only 14pc of companies having the right level of cybersecurity expertise required in their organisation.
Fortunately, however, research shows that employees are proactively seeking digital reskilling opportunities amid market stagnation and economic downturn. In fact, more than three-quarters (79pc) of UK employers have seen staff ask for digital upskilling and reskilling opportunities over the past 12 months. Encouragingly, this trend extends beyond the IT team – with 53pc of non-technical staff seeking cybersecurity reskilling opportunities, alongside 52pc of IT staff.
In line with this, our 2025 Technology Trends report noted a marked increase in demand for cybersecurity learning materials. We have seen a significant rise in interest in top related skills, including machine learning (9.2pc), AI (190pc), GenAI (289pc) and prompt engineering (456pc). Additionally, access to learning materials about zero-trust security models, particularly around the implementation of strict authentication and access controls, increased by +13pc year-on-year.
Collectively, these trends contribute to building a resilient workforce – specifically, one that can safeguard against emerging, more sophisticated threats – through upskilling rather than recruitment alone. So, what areas should businesses prioritise upskilling employees in? And how can they foster a culture of continuous learning to ensure preparedness across all levels and departments?
Threat landscape
The nature of cyber threats has shifted dramatically in the last few years. Threat actors are leveraging advancements in GenAI to automate phishing campaigns, generate malicious code, and deploy convincing deepfakes. These tools lower the barrier to entry for less experienced hackers while amplifying the damage sophisticated attackers can inflict. This is significant when you consider that Gartner’s analysis found human errors account for almost 74pc of all security breaches, with social engineering attacks exploiting the fact that humans are often the weakest link in security defences.
Meanwhile, vulnerabilities in software supply chains are an increasing concern. High-profile attacks on widely used libraries and dependencies highlight the need for greater vigilance in securing the development pipeline. As a result, learning resources on software supply chain security saw a 327pc surge in 2024. Additionally, the exploitation of poorly secured IoT devices has become a serious risk, as adoption continues to take off in industries like manufacturing, healthcare, and logistics. In the first five months of 2024 alone, security attacks on IoT devices surged by 107pc compared to the same period in the previous year. These devices have become lucrative targets for cybercriminals to exploit weak authentication and outdated firmware to infiltrate networks, compromising operations and sensitive data. Security has shifted from IT mandate to executive imperative, this is why continuous learning is a business-critical function.
The reality is static training programmes will fail to keep pace with today’s ever-changing threat landscape. Therefore, organisations must harness a continuous learning approach to ensure all employees – both IT teams and the wider business – are equipped to identify, mitigate, and respond to risks.
A continuous learning culture requires more than the occasional workshop or certification; it should foster curiosity and adaptability – empowering employees to take on new challenges, seek opportunities for growth and share their knowledge with others. So, how can organisations implement a continuous learning strategy without disrupting day-to-day operations? The answer lies in embedding cybersecurity learning directly into workflows and tailoring it to the unique needs of each team.
1. Adopting “In the Flow of Work” learning – This form of learning enables employees to learn something new, apply it and quickly return to their work in progress. It is different from traditional learning approaches like attending a seminar or conference. These learning formats are effective, but many employees simply do not have the time to devote to them or they prefer to learn at a time that suits them best.
On the other hand, ‘in the flow of work learning will provide staff with real-time access to high-quality learning content that addresses emerging threats and challenges at their point of need. A security analyst, for example, could quickly reference a tutorial on threat modelling during a live incident response or access a checklist for securing a Kubernetes cluster while deploying it. For best results, companies can offer ‘in the flow of work’ learning opportunities via an L&D partner, enabling staff across all levels and departments to access learning materials tailored to their unique learning style and objectives.
2. Providing access to diverse learning modalities – Different roles within an organisation require learning materials tailored to their unique level of expertise. Developers, for example, may need training on secure coding and dependency scanning, while non-technical teams might focus on phishing awareness and data protection practices. Offering diverse learning options, such as video tutorials, interactive labs, and virtual simulations, will enable every employee to learn in a way that resonates with them.
3. Fostering a culture of shared knowledge – Cybersecurity relies on specialists of every kind – CISOs, network systems administrators, cloud experts, and more – to achieve success. Organisations should encourage employees to share insights and best practices across teams, fostering a culture of collaboration. Regular knowledge-sharing sessions, gamified challenges, and cross-functional workshops can help embed cybersecurity awareness into the organisation’s DNA. At the same time, employees should prioritise cybersecurity-related L&D to make themselves an invaluable asset to their organisation – proactively identifying training opportunities that align with their unique learning style and objectives.
At a time when bad actors are constantly diversifying their tactics, the most successful organisations will be those that prioritise the ongoing development of their people. Continuous learning is not just a defensive strategy, it is a pathway to innovation and growth. This will be vital for companies to stay one step ahead while simultaneously unlocking the full potential of their workforce.
See also the O’Reilly blog.
