Lee Rossey is CTO of SimSpace, advancing AI proving grounds to help orgs prove cyber readiness.

If you wanted to become a basketball star, how would you get started? I don’t think it would be by reading a book on basketball and taking an online course. No, you’d set up a hoop in your driveway, join a local team to train and play in real games. So, why do we expect cybersecurity professionals to learn their skills from theory and static training?

The cybersecurity industry talks constantly about the “skills gap.” The recent World Economic Forum Cybersecurity Outlook report revealed that skills and budgets were significant blockers to achieving cyber resilience. However, I argue that we don’t have a skills gap—we have a validation gap.

The Cyber Skills Gap Is Really A Validation Gap

The “skills gap” gets a lot of airtime in cybersecurity industry discourse, but what are we really talking about when we talk about a skills gap? It’s not about staffing: How can we have both a skills gap and a graduate unemployment problem? “AI” is the lazy answer to the question and the problem (is there anything anyone hates more than hearing that their job could be replaced by AI?). But, if AI is the answer, why are we still experiencing breaches and talking about skills?

The reality is that we don’t really trust AI with our most critical security concerns. Most folks would argue there are production risks in relying on AI and wouldn’t actually use it to replace a switched-on security analyst. You can’t hire or tool your way out of the skills gap—you have to build your way out.

The industry keeps asking, “How do we close the cyber skills gap?” The better question is: “How do we prove readiness before the fight begins?” That's the real challenge emerging in cybersecurity today.

Training Without Testing Creates False Confidence

This is more challenging when we need skills and expertise that just don’t exist yet.
AI poses new threats to combat, from the development of more unsecured software to the exploitation of models to do things they weren’t intended for, as well as attackers weaponizing AI for more efficient attacks. No one was preparing to respond to these threats five years ago, so these skills need to be developed in real time.

Traditional upskilling is flawed. Organizations can shell out thousands of dollars per employee on courses, certifications and boot camps, but certifications can’t keep up with the pace of technological change and the evolution of attacker tactics and techniques. Staff need continuous hands-on experience. How you apply your skills in a real-world scenario is a big part of what’s missing.

Our industry has traditionally seen technology as the answer—more tools and more alerts feel like we’re getting somewhere, but all it really leads to is teams that are fatigued and burned out on noise. When the main source of breaches remains human failure, we’re not going to tip the scales unless we invest in the people on the front line. Dynamic cyber ranges—effectively, a virtual training sandbox that mirrors your exact computer network—are the difference between learning a skill in theory and learning it in context. When you can practice in virtual training grounds, you're able to see mistakes and fix them rather than just think about them.

The Rise Of The AI Proving Grounds

Truly effective cyber upskilling needs an AI proving ground with a high degree of customization, post-exercise analysis and the ability to nurture and retain talent.

High Degree Of Customization

Replicate your real production environment and tech stack and introduce panic-inducing live fire exercises. Employees can understand how they’ll react in a real-life scenario. Does everyone have the right context and information to make fast decisions that will protect the business?
Replicating a real production environment also allows for testing integration flows between security and IT tools to validate how they work together.

Post-Exercise Analysis

The exercise itself is only half the equation, as organizations need a way to measure performance, understand failure points and track improvement over time. A modern cyber range transforms every exercise into data that reveals how teams, technologies and AI agents perform in realistic conditions. Think of that isolated, mock version of a company's network (including computers, servers and routers) as an AI proving ground so you can test and experiment without causing real harm. Those insights help security leaders prove readiness, identify weaknesses before attackers do and make smarter decisions about where to invest next.

Nurture Talent

How do you take a Tier 1 SOC analyst and turn them into a Tier 3? Although AI might be able to perform the role of a junior analyst, you need a pipeline of talent to become that high-performing individual who could be the difference between spotting an unusual indicator of compromise or allowing an attacker to get further into the system. It’s more cost-effective and faster to teach someone over time than hunt out a top performer to hire into the organization.

Conclusion

For overstretched teams, on-the-job training might feel onerous, but the benefits are sizable. In my experience, you can get 10 times on your investment. I’ve even seen customers save $400,000 in training expenses. The trick isn't to see it as an annual event but to employ continuous training so it becomes part of your operating model.

I don’t know about you, but working in a team environment feels far more rewarding than a classroom environment.
Retain your top talent by validating their skills and giving them the opportunity to add to their resumes in a way that feels natural and instinctive.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
AI Isn’t Closing The Skills Gap—It’s Exposing The Validation Gap
I argue that we don’t have a skills gap—we have a validation gap.












