Blue Teaming
diskordia, Apr 14, 2025
There’s a deep, dark secret lurking around the professional services industry: 21% of security teams train just once a year or less. Okay, so maybe it’s not as mysterious and dramatic as that, but it is a bit of a problem.
Threats are emerging fast, getting smarter, and hitting organizations harder. And if your security team is part of that 21%, then your organization is vulnerable to attack. To get the most out of your cybersecurity budget and your team, training needs to be continuous, adaptive, engaging, and hands-on.
In this article, we’ll get up close and personal with the main reasons why security teams fall behind, what you can do to fix it, and how to build a culture of continuous learning.
Yearly training sessions might check that compliance box, but they don’t reflect reality. Bad actors aren’t hanging fire until you’ve completed that next scheduled event. New tactics, tools, and vulnerabilities are coming thick and fast, and your team needs to keep up.
Here are the top three things that happen when training isn’t an always-on thing:
Skill decay creeps in fast. This is a hands-on discipline, and without regular practice, knowledge dulls and response times slow down.
Compliance =/= readiness. Meeting an annual requirement doesn’t prepare you for real-world attacks.
Inaction is expensive. One data breach can cost millions. For a fraction of that, you can protect your organization’s bottom line, reputation, and customer data with frequent, practical training.
If you want to move beyond annual fire drills and build real capability, you need structure without rigidity. Here are a few ways to do it:
Train continuously, test regularly, and evolve based on outcomes. Start with:
Weekly events and labs; short, sharp, 30-minute exercises.
Monthly team-based simulations (red vs. blue, scenario-based sessions).
Quarterly full-scope exercises in a lab environment to stress-test defenses.
Gamification isn’t just another buzzword. CTFs, point-based challenges, and scenario scores make learning fun, competitive, and sticky.
Combine self-paced labs with scheduled sessions. Let people learn at their own pace, but come together for shared experiences that foster collaboration and knowledge transfer.
Training only works if it feels useful. Map content to real incidents your team has faced, and any skills gaps you’ve identified through benchmarking exercises. Build learning paths for different roles, seniority levels, and new job role paths. Ultimately, the more tailored the content, the better the engagement.
Fair enough—budgets are tight everywhere right now. But the reality is that the cost of a single breach can wipe out years of careful saving, making cybersecurity training an integral part of your defense strategy.
What to do instead: You don’t need to overhaul your entire strategy overnight; start with what delivers the most value. Prioritize hands-on cyber labs and scenario-based exercises that mimic real-world events—and build real-world skills.
And when it comes to resources: you don’t need to train everyone all in one go. Target key roles, focus on critical skills, and move from there.
Keeping up with the AI-powered bad actors out there has teams running on a cybersecurity treadmill. There’s a lot of pressure to react and respond, likely while working through a hefty backlog of tasks. Understandably, that doesn’t leave much time or energy for drawn-out, formal training sessions.
What to do instead: Make the move from one-off ‘training sessions’ to self-paced, ongoing training and benchmarking. Ringfence time for your team to drop into 30-minute labs, participate in CTFs, and learn from real-world threats.
This approach means they can train in sprints and stay at the top of their game—without compromising day-to-day operations.
And that is totally understandable. With today’s supercharged threat landscape being what it is, it’s easy to feel overwhelmed, especially when security training isn’t structured or tailored to your organization’s needs.
What to do instead: Start with benchmarking. You can’t chart a course for where you want to be if you don’t know where you are. Assess your team’s current skill level across key areas, like threat detection, incident response, or cloud security.
Cyber skills benchmarking tools are designed to give you a snapshot of strengths and weaknesses at both an individual and team level. Choose an area and start there; start layering in relevant, practical labs and monitor performance—and improvement—over time.
Cyber threats evolve. So should your security training. Organizations need to move beyond annual training models and build a culture of continuous learning through:
Labs and real-world simulations
CTF challenges and gamified learning
Adaptive training based on role and industry
Cybersecurity training isn’t something that can be put on the back burner—no matter what. If your team isn’t continuously learning, they’re already behind. The best defense against cyber threats is a well-trained security team.