Many enterprises report increasing difficulties finding skilled cybersecurity professionals, research shows. Some 55% of US organizations report that open cyber positions take at least three months to fill, while 32% said they take six months or more, according to a recent report from the nonprofit ISACA. And, 27% of companies said they are unable to fill cybersecurity positions at all.

The shortage–expected to reach 1.8 million jobs by 2022–has led some organizations to turn to training internal candidates to take on these roles.

“There aren’t enough people in the industry to fill jobs, and CISOs acknowledge that they are hiring people who they know don’t have the right skills–they are taking whatever they can get,” Frank Schettini, chief innovation officer at ISACA, told TechRepublic. The largest issue CISOs are concerned with is, if their organization is attacked, guaranteeing that they can detect it, and that they have the right policies in place to mitigate it.

Enter ISACA’s Cybersecurity Nexus (CSX) Training Platform, released on Tuesday. The program is the first of its kind, the nonprofit claims, and offers 100 hours of on-demand, real-world training to build technical skills that help staff combat real threats.

Most cyber training programs remain knowledge-based, Schettini said: An employee sits in a classroom or reads a book. But the CSX training labs place participants in real situations, and are configured with real firewalls, web servers, database servers, and other tools.

“The person is doing a real thing–attacks are happening in real-time, and the person has to respond,” Schettini said. The program also offers an assessment tool: With each step the participant takes to mitigate a threat, they are given a score on how well they completed the task. Therefore, CISOs or hiring managers can see not only that the person passed or failed, but what areas they succeeded in, and where they may need additional training.

The program offers beginner, intermediate, and advanced training situations, ranging from managing networking to ransomware. It is also browser-based, and therefore can run on enterprise computers without downloading any software.

“There is a huge difference between thinking you know, and demonstrating it,” Schettini said. “We see it as a retention tool for organizations struggling to retain their cybersecurity professionals as well–here’s a platform they can leverage so they are constantly updating their skills, and an investment the organization makes in them.”

The program may come at an opportune time, as enterprises are investing more heavily in cybersecurity training now than in the past, according to a recent report from testing provider Pearson VUE. Among 6,605 US IT professionals surveyed in the last year, there was a 48% increase in those taking security training, and a 60% increase in those taking security exams, compared to the year before, according to Pearson VUE.

The 3 big takeaways for TechRepublic readers

  1. The cybersecurity job shortage is expected to reach 1.8 million jobs by 2022, leading some enterprises to seek out new training opportunities for staff.
  2. One new option is ISACA’s Cybersecurity Nexus (CSX) Training Platform, released on Tuesday, which offers on-demand, real-world training to build real technical skills that help staff combat real threats.
  3. The program may also help retain current cyber staff by keeping their skillsets up to date, ISACA said.