SecurityWeek

Report Shows Few Solutions to Filling Cyber Skills Gap

A new report on the cyber security skills shortage from Kaspersky Lab provides few new insights and no new solutions to the problem — but it does prompt an important question. It confirms that organizations are seeking to increase their security headcount and it confirms the shortage of new security talent to enable this; but it doesn’t offer any real solution.

Nevertheless, the report, titled ‘Lack of security talent: an unexpected threat to corporate cybersafety’, is not without merit. One point it makes very well is the counter-productivity of relying on third parties to solve any post-event problem. It notes that companies “that feel confident about their IT Security team” pay between $100,000 and $500,000 to recover from a single breach. However, those with less confidence “end up paying from $1.2 to $1.47 million.”

A significant portion of the extra cost comes from hiring new staff ‘to pick up the pieces’, “with companies spending more on hiring external experts and paying overtime for their own team, than they actually lose in terms of business opportunities, credit rating and compensations to clients and partners.” Sadly, this is not a solution to the skills gap, but rather another consequence of it.

The report also describes Kaspersky’s own methods and experiences in security recruitment, and talks to some educational institutions that provide cyber security qualifications. The two areas are very different.

“Even for junior positions, we have to find people with practical skills and knowledge of various aspects of IT. We demand knowledge of specific tools like debugging and reverse engineering software, experience with various programming languages,” says Kirill Shiryaev, Kaspersky Lab’s Head of Talent Acquisition. Technical expertise first and foremost; but it still requires 40 applicants to fill one position, he says.

It’s a little different for business. “Just the technical side is not enough to become a real expert in IT security. Both managerial and technical know-how are required, with a good grounding in security management and auditing,” says Dr. Tse Woon Kwan Daniel, City University of Hong Kong.

Kaspersky itself recognizes this. Sergey Novikov, Deputy Director of the Global Research and Analysis Team, comments, “Our experience shows that the lack of security managers is more severe and impactful than the lack of technology experts. Growing technical skills is important, but seeing a bigger picture of all threats or those relevant to a particular business is paramount. Understanding the real scope of threats and at the same time being able to communicate the needs of IT security to top management is very, very difficult.”

Kaspersky’s conclusion is disappointing. “The solution,” it suggests, “lies within a greater flexibility of businesses as well as the security industry: building new security solutions with intelligence in mind and making sure that new findings of the evolving threat landscape can be shared with everyone efficiently.” In other words, nothing new, just more and better of the same — a solution based more on eliminating the need for skills than on filling the gap.

Nevertheless, the real problem and solution may be hidden within this report. Kaspersky is a security firm and needs highly technical, logical and mathematically-oriented staff. Business remains fundamentally business, not security. It seeks staff strong in communication skills to bridge the gap between security and business; but with an underlying technical competence. The ability to be both creative and logical is a rare commodity in a single person.

Rather than seek one rare person who is expert in both fields, it may be easier to seek two separate people: the security geek and the security communicator.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
