Pay Now, or Pay More Later - The real dilemma of IT security talent shortages

Photo by Blue Coat Photos | Flikr

Photo by Blue Coat Photos | Flikr

Large businesses that struggle to attract sufficiently skilled IT security experts end up paying up to three times more to recover from a cyber-attack.

This is one of the key findings of the recent report by Kaspersky Lab based on the 2016 Corporate IT Security Risks survey conducted by the company.

Beyond a measurable budget impact, a significant share of businesses is observing a growth in wages, a general shortage in expert availability, and a need for more specialists in the field.

Growing their security intelligence is a top priority for businesses because of three things: the complexity of IT infrastructure, ever changing and growing compliance requirements, and the obvious need to protect business assets.

Over 68% of the businesses polled expect an increase in the number of full-time security experts, with 19% expecting a significant increase in headcount.

This growing demand for qualified specialists is hampered by an increasingly complex set of requirements. Kaspersky Lab itself employs hundreds of security professionals, and the company’s own recruitment managers’ report that on average, only one applicant out of 40 meet their strict hiring criteria.

Technical knowledge, however, is not the only requirement may lack. Security managers’ duties include an ability to communicate with top management and oversee the overall strategy.  The pool of candidates who meet all three needs are rare.

The Kapersky report also iterates a dearth of security specialists possessing a certain degree of passion for this particular IT field, a willingness to constantly self-educate, and an ability to adapt to an ever-changing threat landscape.

Higher education is an important part of fulfilling such a demand.  Training schools and colleges are beginning to recognize a need to revise and revitalize their programs to encompass these needs, acknowledging the challenge of embedding security-oriented thinking and management skills into a wide variety of IT courses.

One of the solutions being offered by businesses is to aid universities with relevant experience. Another, and very important in the long term, is to adapt R&D efforts towards the effective sharing of intelligence with corporate customers in the form of threat data feeds, security training and services.

A proper combination of security solutions and intelligence is what helps corporate security teams to spend less time on regular cybersecurity incidents and focus on strategic security development and advanced threats.

Veniamin Levtsov, vice-president of enterprise business at Kaspersky Lab, comments: “In this evolving industry, the relationship with our customers already goes beyond the shipment of a technology or a product. We need to provide them with the skills and training required to identify on-going attacks. Detailed knowledge about attacks on other businesses, in the form of intelligence reports, is also necessary, along with actionable, machine-readable data about on-going threats.

“Solving the different challenges of threat prevention, the detection of targeted attacks, incident response and prediction requires a lot of flexibility.

“As a security vendor we are dedicated to increasing the quality and size of the expert security workforce around the world. Among many projects to support this initiative we are developing IT Security Fundamentals – an educational course that will hopefully help more IT professionals to start their journey in the field of security expertise.”

The lack of qualified IT security professionals offers a dilemma to many companies.  The qualified candidates may be cost prohibitive in the short term, but the impact of a cyber-attack could mean severe losses and possible bankruptcy. Recognition of this quagmire is a good first step in aiding businesses address their immediate needs while looking down the road for a better solution.

Adapted from an article by ITonline.com