A new report on the cyber security skills shortage from Kaspersky Lab provides few new insights and no new solutions to the problem — but it does prompt an important question. It confirms that organizations are seeking to increase their security headcount and it confirms the shortage of new security talent to enable this; but it doesn’t offer any real solution.
Nevertheless, the report titled ‘Lack of security talent: an unexpected threat to corporate cybersafety‘ is not without merit. One point it makes very well is the counter-productivity of relying on third-parties to solve any post-event problem. It notes that companies “that feel confident about their IT Security team” pay between $100,000 and $500,000 to recover from a single breach. However, those with less confidence “end up paying from $1.2 to $1.47 million.”
A significant portion of the extra cost comes from hiring new staff ‘to pick up the pieces’, “with companies spending more on hiring external experts and paying overtime for their own team, than they actually lose in terms of business opportunities, credit rating and compensations to clients and partners.” Sadly, this is not a solution to the skills gap, but rather another consequence of it.
The report also describes Kaspersky’s own methods and experiences in security recruitment, and talks to some educational institutions that provide cyber security qualifications. The two areas are very different.
“Even for junior positions, we have to find people with practical skills and knowledge of various aspects of IT. We demand knowledge of specific tools like debugging and reverse engineering software, experience with various programming languages,” says Kirill Shiryaev, Kaspersky Lab’s Head of Talent Acquisition. Technical expertise first and foremost; but it still requires 40 applicants to fill one position, he says.
It’s a little different for business. “Just the technical side is not enough to become a real expert in IT security. Both managerial and technical know-how are required, with a good grounding in security management and auditing,” says Dr. Tse Woon Kwan Daniel, City University of Hong Kong.
Kaspersky itself recognizes this. Sergey Novikov, Deputy Director of the Global Research and Analysis Team, comments, “Our experience shows that the lack of security managers is more severe and impactful than the lack of technology experts. Growing technical skills is important, but seeing a bigger picture of all threats or those relevant to a particular business is paramount. Understanding the real scope of threats and at the same time being able to communicate the needs of IT security to top management is very, very difficult.”
Kaspersky’s conclusion is disappointing. “The solution,” it suggests, “lies within a greater flexibility of businesses as well as the security industry: building new security solutions with intelligence in mind and making sure that new findings of the evolving threat landscape can be shared with everyone efficiently.” In other words, nothing new, just more and better of the same — a solution based more on eliminating the need for skills rather than filling the gap.
Nevertheless, the real problem and solution may be hidden within this report. Kaspersky is a security firm and needs highly technical, logical and mathematically-oriented staff. Business remains fundamentally business, not security. It seeks staff strong in communication skills to bridge the gap between security and business; but with an underlying technical competence. The ability to be both creative and logical is a rare commodity in a single person.
Rather than seek one rare person who is expert in both fields, it may be easier to seek two separate people: the security geek and the security communicator.
