diskordia, Feb 27, 2025
Are your cybersecurity skills assessments actually preparing your team for real-world threats—or just lulling you into a false sense of security?
That’s the tough question 3 experts tackled in our latest webinar, Rethinking readiness: Benchmarking skills to build true cyber resilience.
Tom Williams (Hack The Box) is joined by Margus Lind (Tesco Bank) and Jack McAloon (Accenture) for a lively discussion on why static benchmarking methods don’t cut it anymore—and what a more dynamic, continuous approach looks like in 2025 and beyond.
If you didn’t catch the live session, don’t worry: it’s available on demand whenever you like, and we’ve hand-picked some of the juiciest insights from the panel for you. Let’s jump in.
Many organizations still depend on certifications, one-off training courses, and static assessments to gauge cybersecurity readiness. But this approach has some fundamental flaws:
Certifications test knowledge at a single point in time—not whether someone can apply it under pressure.
Static assessments don’t take new, evolving threats into account; is your team ready for the kind of attack your competitors experienced yesterday?
Many professionals stop learning after getting certified, leading to outdated skills.
Static benchmarking creates blind spots, making teams think they’re ready when they’re not.
Here, Jack makes a crucial point: "Some of the best pentesters I know don’t have certifications. They stay sharp by tracking real-world threats and continuously learning."
The cyber threat landscape just doesn’t stand still, and neither should skills benchmarking. If an organization is measuring competency using outdated methods, it risks creating a workforce that is unprepared for the next wave of sophisticated attacks.
Cyber threats today are more adaptive than ever. AI-backed phishing campaigns, supply chain attacks, and adversaries leveraging zero-day exploits are becoming the norm. Threat actors are not waiting for organizations to catch up, so security teams need to stay ahead by constantly improving their skills.
“To stay ahead, skills benchmarking must become more dynamic and continuous. Measuring technical knowledge isn’t a one-and-done exercise, and instead we need a framework that evolves with the threat landscape that helps us better plan, prepare, and strengthen our cyber workforce.” - Tom Williams, Director Global Operations at Hack The Box
The traditional method of benchmarking skills through periodic testing and certifications cannot possibly keep up with this pace. Organizations must transition to a continuous, real-time approach that reflects the dynamic nature of cyber threats.
With that in mind, a modern, adaptive skills benchmarking approach should include:
Bite-sized, ongoing training to keep skills fresh without disrupting daily work or cutting into personal time excessively.
Capture The Flag (CTF) challenges and attack simulations to regularly test practical abilities, not just theoretical knowledge.
Team-based evaluations because cybersecurity is not an individual sport, and your organization is only as secure as its weakest link.
Margus sums it up best: "The hardest part is accepting the chaos—if you're waiting for a perfect framework before shifting, you'll never start."
Despite recognizing the value of continuous benchmarking, many organizations struggle to implement it.
1. Mindset shift: Organizations cling to static benchmarking because it feels safe and measurable. Changing this requires leadership buy-in and cultural transformation. Margus explains: “You need to lead the way from the ‘understood’ model of learning to something that is unknown and a bit scary. You suddenly need to muster up support for a disruptive change in learning, which doesn’t come easy.”
2. Lack of infrastructure: Many companies lack the tools and processes for real-time skills tracking. Even though the technology exists, it is often not prioritized.
3. Fear of exposing weaknesses: Moving to dynamic benchmarking means acknowledging gaps in skills, and some organizations are not ready to do that.
4. Budget and resource constraints: Certifications are easy to budget for, while continuous learning requires long-term investment.
5. Standardization: Larger organizations tend to struggle when it comes to creating a unified skills framework due to the use of multiple vendors across different teams.
"In consulting, we struggle to retain talent after they get certified. Once they have the credential, they leave for big tech roles. We need to shift toward skill-based development that actually keeps people engaged." - Jack McAloon, Cyber Security Manager at Accenture
The good news? Moving to a more dynamic benchmarking model doesn’t mean overhauling everything overnight. Small, strategic shifts can make a big difference.
Start with one real-world test: Swap out a static metric for something hands-on, like an attack simulation.
Make learning part of business as usual: Integrate training into daily workflows instead of treating it as a separate event.
Leverage internal expertise: Encourage knowledge-sharing sessions where experienced team members dissect recent threats and vulnerabilities.
Get leadership buy-in: Continuous benchmarking needs top-down support to become a cultural shift, not just another initiative.
Organizations should also embrace gamified learning. CTF-style challenges, red vs. blue team exercises, and scenario-based simulations provide engaging ways for cybersecurity teams to test their skills in high-pressure situations.
The key, however, is not just running these exercises but also conducting structured debriefs afterward to analyze what went well and what needs improvement.
Cybersecurity is not a one-and-done deal. Attackers are constantly adapting their tactics, so defenders need to do the same. The organizations that embed real-time, dynamic benchmarking into their security operations are the ones building true resilience.
Jack emphasizes the urgency around this shift: "Teams that practice dynamic benchmarking are naturally better at handling real-world threats. We’ve seen continuous benchmarking help pinpoint weaknesses in both technical skills and team coordination—things that static benchmarks never highlight."
By moving on from static methods alone and toward more responsive, skill-based assessments, organizations can:
Improve incident response times by ensuring teams can react effectively in real scenarios.
Build a stronger security posture with real-time tracking of strengths and weaknesses.
Reduce the risk of a false sense of security by replacing theoretical assessments with practical, hands-on evaluations.
We already know the cybersecurity landscape is moving at breakneck speed. The real question is: will your organization evolve with it?
Time to dive deeper into these insights? You can watch the full webinar on demand right now, but before you do, remember to sign up for the next webinar in our Benchmarking Masterclass series, From theory to action: Applying dynamic benchmarking to real-world threats. We’ll be going beyond the theory and looking at practical examples of how it all looks in action.