The pressure on cybersecurity teams will increase significantly in 2026. Not only because of more incidents and more complex IT environments, but also because of stricter requirements for demonstrable risk management and incident response. At the same time, the labor market shortage will continue to grow rapidly. Analysis by Platform Talent for Technology shows that the number of cybersecurity vacancies in the Netherlands rose from approximately 8,000 in 2018 to nearly 19,000 in 2022.
This presents HR, IT, and security leaders with a strategic choice: remain dependent on a scarce market, or make the development of capabilities predictable by providing internal training through a practical cybersecurity program? A practical cybersecurity program ensures that teams not only gain knowledge, but also learn to work according to established processes, tooling, and realistic scenarios.
In this blog, you can read why practical training is the key to predictable cybersecurity teams, what risks arise if you don't focus on this, and how Trivian helps organizations with practical cybersecurity training that directly ties in with SOC work, team growth, and NIS2-relevant requirements.
The context in 2026: scarcity, compliance, and speed
Cybersecurity has been a growth market for years, but the dynamics are changing. Organizations not only need more people, but teams that can demonstrably deliver within processes, tooling, and legislation. Two developments stand out in this regard.
Firstly, the labor market remains tight. The growth in job vacancies makes it clear that recruitment alone is not a stable strategy. Those who rely exclusively on external inflow will face longer lead times, higher costs, and varying quality.
Secondly, the European NIS2 Directive requires organizations to manage cyber risks structurally, report incidents, and have governance in place. The NIS2 Directive is designed to create a uniform minimum standard of cybersecurity for network and information systems within the EU and is being transposed into national legislation in the Netherlands via the Cybersecurity Act.
These obligations include risk management, incident response procedures, and demonstration of measures in practice.
In this tense environment, there is a growing need for predictability. Not just "can we fill a vacancy," but "can we demonstrably improve as a team every quarter."
The core problem: knowledge is not the same as employability
Many organizations underestimate the difference between theoretical knowledge and operational applicability. An employee may be familiar with concepts such as MITRE, SIEM, ISO 27001, or Threat Intelligence, but still feel uncertain when it comes to putting them into practice.
This leads to familiar situations:
- Alerts remain unaddressed because it is unclear what constitutes sufficient priority.
- Incidents are resolved, but not systematically recorded or made repeatable.
- Reports are technically correct, but lack connection to risk, business impact, and compliance.
- New staff members require months to become independently productive.
The underlying cause is often that training is disconnected from practice. And that is precisely why practical cybersecurity training is crucial. It shortens the time to productivity, makes performance measurable, and reduces the structural pressure on senior specialists.
That is precisely why more and more organizations are consciously choosing practical cybersecurity training as the foundation for team development. By linking learning to daily implementation, cybersecurity personnel are trained to perform independently and consistently more quickly.
The biggest risk: unpredictable security delivery
In many organizations, the problem is not so much a lack of knowledge, but rather variation in implementation and quality. Security then often becomes a series of incidental actions rather than a predictable process. As soon as the implementation of work is inconsistent, structural bottlenecks arise that affect the team and the organization as a whole.
At the team level, senior specialists often become the unintended link that has to record, review, and correct everything. They assess incidents, adapt playbooks, and mentor new colleagues, which structurally increases the workload and dependence on individual experts.
At the organizational level, management deteriorates as soon as performance becomes difficult to predict. Planning becomes less reliable, audits feel like firefighting, and signals to management go in all directions. Not because nothing is happening, but because output and quality are insufficiently predictable.
At the same time, the implementation of NIS2 obligations brings with it new requirements for demonstrable compliance and uniform processes. NIS2 is designed to strengthen cyber resilience within the European internal market and to achieve a minimum level of security for essential and important entities.
That is why the key challenge in the cybersecurity training market is not training for a certificate, but rather training cybersecurity personnel so that teams perform predictably and consistently in daily practice and in the face of changing threats.
What makes a practical cybersecurity program different
A practical cybersecurity training course is specifically designed to develop skills that are directly applicable within SOC environments, IT teams, and NIS2-related processes. A practical cybersecurity training course is designed around work processes, scenarios, and context. The goal is not only to transfer knowledge, but also to change behavior in daily work.
Three elements make the difference here:
Learning in scenarios, not chapters
In a SOC or security team, reports rarely arrive neatly categorized. Scenario-based training teaches professionals to combine signals, set priorities, and substantiate decisions within realistic situations.
Skills become objectively measurable
Practical assignments make output visible: triage quality, log source selection, reports, playbook use, and escalation decisions can be assessed. This helps HR and management to monitor growth in a concrete and objective manner.
Team agreements are structurally safeguarded
Practical training ensures standards such as naming conventions and escalation routes are maintained. This makes team behavior more uniform and increases predictability.
Together, learning shifts from individual knowledge building to consistent team performance.
Building practical cybersecurity training as a strategy for teams
Organizations that want to build cybersecurity teams often get stuck on scalability. The market for senior specialists is too tight and expensive. That is why a "build strategy" often works better than exclusively "buy." Combining the building of cybersecurity teams with practical cybersecurity training creates a scalable model that combines growth, quality, and predictability.
Practical training allows you to build roles in a modular way:
- Juniors train in triage, basic examination, and reporting.
- Medioren develop themselves in use cases, threat hunting, and process improvement.
- Seniors focus on architecture, coaching, and governance.
For HR, this makes career paths and development plans more concrete. For security leads, it means less dependence on external power and more stability within the team.
SOC team training: from alert fatigue to routine
For security operations centers, SOC team training is often the fastest way to increase predictability. Not through more tooling, but through better behavior around tooling.
Practical SOC training supports, among other things:
- Consistent triage and prioritization based on risk.
- Reproducible research with fixed steps.
- Better handover between shifts.
- Incident reports that are also useful for management.
This results in shorter turnaround times, less noise, and higher quality.
NIS2 team preparation: make compliance feasible
The NIS2 Directive does not only require policy documents; it requires demonstrable implementation of security measures. The European Directive aims to achieve a higher and uniform level of cybersecurity within the EU, with a broader scope than the previous NIS Directive.
Effective NIS2 team preparation consists of two layers:
- Understanding what NIS2 requires and how this translates into policy, roles, and responsibilities.
- Practical implementation: classification, logging, response, evidence gathering, and reporting.
Practical training teaches teams how to deal with situations that resemble audits and real incidents. This way, NIS2 becomes an operational habit rather than an annual project.
How Trivian trains cybersecurity personnel in practice
Trivian assists organizations with training courses that are directly applicable in daily practice. The goal is not to complete a curriculum, but to sustainably develop predictable teams through practical cybersecurity training. Trivian's practical cybersecurity training is designed not only to transfer knowledge, but also to structurally improve team behavior, decision-making, and execution.
The approach focuses on:
- Scenario-driven cybersecurity learning pathways.
- Build cybersecurity teams through role-specific learning pathways.
- SOC team training focused on consistency in alerts, response, and reporting.
- NIS2 team preparation that translates compliance into daily actions.
- Continuous cybersecurity talent development as part of workforce planning.
Training thus becomes a strategic tool for capacity and quality, rather than a separate HR activity.
Read more about how Trivian supports this through cybersecurity training courses for companies or get in touch via the contact page.
How to make predictability visible in KPIs
Practical training enables guidance, because development is linked to measurable output. Effective KPIs go beyond certificates.
Examples:
- Time to productivity per roll.
- First-time right in incident handling.
- Mean Time To Respond per incident category.
- Compliance with playbooks and documentation.
These indicators make learning manageable and support audits, planning, and budgeting. Combined with practical cybersecurity training, these KPIs provide insight into how quickly teams are maturing and where further optimization is needed.
A realistic growth path: recruit where necessary, train where possible
Recruitment remains necessary for key positions. At the same time, the greatest gains are often to be found in internal training and promotion. This is faster, cheaper, and more reliable.
An effective approach:
- Clearly define roles and responsibilities.
- Standardize processes and playbooks.
- Choose a practical cybersecurity training course that suits your tooling and context.
- Empower seniors to become owners of quality standards.
- Evaluate and improve every quarter.
This makes team development a repeatable process rather than an ad hoc solution.



