In the running battle with cyberthreats, your first line of defense is your IT staff: the system and network administrators, SOC and NOC operators, incident response and forensics analysts, and application development and QA teams. Are these IT professionals ready to take on an ever-growing army of innovative, persistent cybercriminals and hackers? Probably not, if you expect them to acquire the knowledge and skills they need through self-directed study and on-the-job training. There is too much to learn, and few members of the IT staff have the time to research every new threat. And you can’t afford to suffer through APTs, breaches and data leakages just to provide “teachable moments” for IT personnel. There is another solution. Security simulation immerses IT professionals in a realistic online environment and challenges them to fill the roles of cyberattackers and cyberdefenders. It borrows from education theory and online gaming to present knowledge in ways that motivate learning and increase retention. By learning to think like attackers, IT staff members discover vulnerabilities in their own systems and are able to identify attacks sooner. Security simulation also helps managers identify and fill skill gaps within their teams. In this short paper we discuss the shortcomings of on-the-job training and conventional classroom instruction for cybersecurity, review the characteristics of successful security simulation programs, and take a brief look at the Symantec Cyber Security Services: Security Simulation program.