Cyber security is more than just plug and play: Why training is critical to your organisation’s safety

Many organisations install tools and consider the job done. However, with 80 per cent of systems still vulnerable to penetration, experts from Lumify Work explain why foundational cyber security training is essential to make those investments count and how certifications aren’t just a piece of paper, but a pathway to better defence.

In a recent Cyber Uncut podcast, Lumify Work’s lead cyber security instructor Louis Cremen and cyber security lead Jeremy Daly unpack why training is an essential part of your organisaiton’s cyber posture – and why businesses cannot just rely on installing the latest platforms and products to stay safe. You can listen to the podcast here.

Liam Garman, editor of Cyber Daily: Why is cyber security training important, and what value does it bring to an organisation?

Louis Cremen, Lumify Work lead cyber security instructor: Many students come to training to validate their existing knowledge and identify gaps. While they might understand 60–70 per cent of the material, the remaining insights often come from discussions and structured learning. Employers want their teams to have a consistent baseline of skills. For example, I’ve seen fresh graduates struggle to bridge the gap between university knowledge and real-world requirements, which is why foundational training is so valuable.

When I started in cyber security, I worked on centralising app security testing for a foreign government – very much thrown in the deep end. Later, I took a Certified Ethical Hacker course and realised there was so much I didn’t know, despite my hands-on experience.

That training filled critical knowledge gaps I wish I’d addressed earlier – it would’ve fast-tracked my progress. Many of my students come with similar goals: to identify what they don’t know and fill those gaps. The real value is seeing them later, having implemented what they learnt, improving their organisations’ security.

Jeremy Daly, Lumify Work cyber security lead: Exactly. We work with organisations to understand their teams’ skills, identify gaps, and align training accordingly. The aim is to ensure learners bring back practical knowledge that strengthens their company’s cyber security posture.

Garman: Are there common knowledge gaps that you observe among recent university graduates?

Cremen: Absolutely. Many grads lack understanding of business processes – how ticketing systems work, [and] how to use tools like Jira or Confluence. They often know technical terms or tools but don’t grasp the ‘why’ behind them. There’s a disconnect between academic learning and industry expectations. I support universities, but we still need to bridge that divide.

Garman: On that note – do students leave with certifications, or is it focused primarily on practical skills experience?

Daly: We deliver training in various formats – public or private courses, vendor-specific or certification-based. These include Microsoft, AWS, ISC2, CompTIA, and others. Trainers like Louis are certified and authorised to deliver these programs, ensuring relevance and quality.

Many certifications, especially at a senior level, require both exams and verified work experience. For instance, CISSP and CISM require five years of relevant full-time experience. You also need to maintain the certification with ongoing professional development. It’s a solid way to validate both knowledge and hands-on experience.

I often hear from clients after training who’ve taken a course with Louis and are already applying what they learnt. It’s all about building skills over time. Certification courses aren’t static either – they’re refreshed every two to three years to stay relevant to current challenges in the field.

Garman: Training is important because, too often, people in the industry just install stuff from the box and expect that they’re protected. Why is it so important that organisations have a fundamental understanding of how to protect themselves?

Cremen: Exactly. There was a report showing that penetration testers could bypass EDR tools around 80 per cent of the time – mainly because they weren’t properly configured. Many organisations treat installing security tools as a tick-box exercise, assuming they’re protected. But without proper set-up, regular checks, and alignment with business needs, those tools won’t be effective. Security isn’t just about buying tech – it’s about using it correctly. If tech alone solved the problem, we wouldn’t still have breaches, most of which still come down to things like phishing and weak credentials.

This was taken from a recent Cyber Uncut podcast. To listen to Lumify Work’s Jeremy Daly and Louis Cremen, click here.