Large businesses that struggle to attract skilled IT security experts are paying up to three times more to recover from a cyber security incident, a report has revealed.
As the gap between the security skills available and the skills organisations need continues to widen, a growing number of organisations are being forced to call in outside help to supplement in-house skills. This model is likely to persist for some time, according to information professionals’ organisation Isaca. “You can’t fully outsource cyber security and you can’t really have a fully sustainable plan for insourcing cyber security,” said Christos Dimitriadis, chair of Isaca’s board of directors. “We expect to see a combination of in-house and external skills, including the use of cloud-based security services,” he told Computer Weekly.
A significant share of businesses are also seeing rising wages, a general shortage of available experts and a need for more specialists in the field, according to the report by security firm Kaspersky Lab on the threat that the shortage of security skills poses to business. Citing the complexity of IT infrastructure, compliance requirements and the overall desire to protect business assets, companies are highly motivated to grow their security intelligence, the report said, drawing on the Kaspersky Lab 2016 Corporate IT Security Risks survey of more than 4,000 small, medium and large businesses from 25 countries.
For a third of businesses, the improvement of specialist security expertise is one of the top three drivers for an additional investment in IT security, the report said. The report combines the results of the survey with input from Kaspersky Lab’s experts and representatives of major universities. It shows that overcoming the lack of skills and shortage of talent in cyber security is a major challenge for companies.
The growing demand is not easy to meet, the report said, due to a lack of available specialists and increasingly complex requirements. According to Kaspersky Lab’s own recruitment managers, on average only one applicant out of 40 (2.5%) meets the strict criteria for an expert position.
Isaca research shows that 90% of companies looking to hire cyber security professionals in 2016 said it was difficult to find the right candidates for the jobs on offer. However, the challenge is not limited to technical know-how. According to Kaspersky Lab, the need for security managers is even greater. In addition to deep technical knowledge, managers’ duties include communication with top management and overseeing the overall strategy, which are qualities that are especially important for large companies, the report said.
Higher education institutions recognise the need to revise their courses, but at the same time acknowledge the difficulty of embedding security-oriented thinking into them. The IT industry continues to evolve at a rapid pace, the report said, and despite obvious advances in IT education, most graduates are not ready to help companies ramp up security immediately.
Steve Furnell, professor and head of the school of computing, electronics and mathematics at Plymouth University, said care needs to be taken about how much graduates are regarded as being directly “qualified to work” in the IT security field. “Even as degree graduates, I would not necessarily regard them as qualified practitioners. They should certainly have a good level of supporting knowledge and some of the skills, but there will equally be various aspects that they have not been able to put into practice ‘for real’ at that stage,” the report quotes him as saying.
Most security training has been theoretical, with a lack of focus on developing skilled individuals who can prove their skills in practice, according to Isaca. “For this reason, Isaca’s Cybersecurity Nexus (CSX) training programme is designed to enable information security professionals to test and prove their skills in practice in a virtual environment, where they have to identify, block and recover from simulated attacks,” said Dimitriadis.
Overall, the Kaspersky Lab report said 68.5% of companies polled expect an increase in the number of full-time security experts, with 18.9% expecting a significant increase in headcount. Higher education is an important part of fulfilling such a demand, the report said, but this is also a call for a change in the security industry itself.
“Every year we see increased interest in cyber security matters by company boards, but still only 20% of security officers report to the board or the CEO, and not many are following internationally recognised best practices,” said Dimitriadis. “While there is a demand for highly skilled all-round practitioners, relatively few companies are investing in best practices which require the creation of capabilities to identify risks, protect against threats with security controls and to identify, respond to and recover from attacks,” he said.
According to Dimitriadis, there is still relatively low-level investment in developing cyber security capabilities in key verticals, such as software development, critical infrastructure and even the financial sector, which is one of the more mature sectors in terms of cyber security. “Although governments and organisations are starting to recognise the problem, investments are still not up to the level required to respond adequately to the huge financial losses being incurred worldwide as a result of cyber attacks,” he said.
A proper combination of security controls and intelligence, the Kaspersky Lab report said, will help corporate security teams spend less time on routine cyber security incidents and focus on strategic security development and advanced threats. “In this evolving industry, the relationship with our customers already goes beyond the shipment of a technology or a product,” said Veniamin Levtsov, vice-president of enterprise business at Kaspersky Lab.
“We need to provide them with the skills and training required to identify ongoing attacks. Detailed knowledge about attacks on other businesses, in the form of intelligence reports, is also necessary, along with actionable, machine-readable data about ongoing threats,” he said. Solving the different challenges of threat prevention, the detection of targeted attacks, incident response and prediction, said Levtsov, requires a lot of flexibility. “As a security supplier, we are dedicated to increasing the quality and size of the expert security workforce worldwide,” he said.
As part of this effort, Kaspersky Lab has developed an IT Security Fundamentals course to help IT professionals start their journey in the field of security expertise. The report concludes that the problem of talent shortage will be solved through the efforts of education, evolution of the industry and adoption of intelligence sharing models.
“The solution lies in a greater flexibility of businesses as well as the security industry: Building security systems with intelligence in mind and making sure that findings of the evolving threat landscape can be shared with everyone efficiently,” the report said.
Author – Warwick Ashford