SecurityWeek

Report Shows Few Solutions to Filling Cyber Skills Gap

A new report on the cyber security skills shortage from Kaspersky Lab provides few new insights and no new solutions to the problem — but it does prompt an important question. It confirms that organizations are seeking to increase their security headcount and it confirms the shortage of new security talent to enable this; but it doesn’t offer any real solution.

Nevertheless, the report titled ‘Lack of security talent: an unexpected threat to corporate cybersafety’ is not without merit. One point it makes very well is the counter-productivity of relying on third parties to solve any post-event problem. It notes that companies “that feel confident about their IT Security team” pay between $100,000 and $500,000 to recover from a single breach. However, those with less confidence “end up paying from $1.2 to $1.47 million.”

A significant portion of the extra cost comes from hiring new staff ‘to pick up the pieces’, “with companies spending more on hiring external experts and paying overtime for their own team, than they actually lose in terms of business opportunities, credit rating and compensations to clients and partners.” Sadly, this is not a solution to the skills gap, but rather another consequence of it.

The report also describes Kaspersky’s own methods and experiences in security recruitment, and talks to some educational institutions that provide cyber security qualifications. The two areas are very different.

“Even for junior positions, we have to find people with practical skills and knowledge of various aspects of IT. We demand knowledge of specific tools like debugging and reverse engineering software, experience with various programming languages,” says Kirill Shiryaev, Kaspersky Lab’s Head of Talent Acquisition. Technical expertise first and foremost; but it still requires 40 applicants to fill one position, he says.

It’s a little different for business. “Just the technical side is not enough to become a real expert in IT security. Both managerial and technical know-how are required, with a good grounding in security management and auditing,” says Dr. Tse Woon Kwan Daniel, City University of Hong Kong.

Kaspersky itself recognizes this. Sergey Novikov, Deputy Director of the Global Research and Analysis Team, comments, “Our experience shows that the lack of security managers is more severe and impactful than the lack of technology experts. Growing technical skills is important, but seeing a bigger picture of all threats or those relevant to a particular business is paramount. Understanding the real scope of threats and at the same time being able to communicate the needs of IT security to top management is very, very difficult.”

Kaspersky’s conclusion is disappointing. “The solution,” it suggests, “lies within a greater flexibility of businesses as well as the security industry: building new security solutions with intelligence in mind and making sure that new findings of the evolving threat landscape can be shared with everyone efficiently.” In other words, nothing new, just more and better of the same: a solution based more on eliminating the need for skills than on filling the gap.

Nevertheless, the real problem and solution may be hidden within this report. Kaspersky is a security firm and needs highly technical, logical and mathematically oriented staff. Business remains fundamentally business, not security. It seeks staff who are strong in communication skills, to bridge the gap between security and business, but who also have an underlying technical competence. The ability to be both creative and logical is a rare commodity in a single person.

Rather than seek one rare person who is expert in both fields, it may be easier to seek two separate people: the security geek and the security communicator.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
