The shortage of qualified personnel in the information security industry is not a new problem, to put it mildly. However, in recent years it has become especially acute. The trigger here was the coronavirus epidemic, which caused the rapid digitalization of everything in the world and an equally rapid increase in the number of attacks. Because of this, the demand for cybersecurity professionals is growing rapidly. But the supply is categorically not keeping up with it.
One of the leading organizations engaged
According to the latest report, from 2022 to 2023, the number of information security specialists grew by 8.7%. Sounds impressive. However, the problem is that the shortage of such specialists increased by as much as 12.6% over the same period. Thus, at the time of publication of the report, the global shortage of personnel in the cybersecurity industry reached 4 million employees. Why is this happening?
Cybersecurity in Higher Education
To answer this question, we conducted a large-scale study in which we surveyed more than 1,000 IT and cybersecurity professionals from 29 countries. We surveyed employees of all levels – from entry-level specialists to directors and SOC managers.
As a result, several interesting facts emerged
In particular, not all specialists working in this field studied information security as part of their higher education. The figures vary by region, but on average only every second person had the relevant courses. At the same time, the majority of respondents believe that the availability of specialized courses on information security as part of higher education is insufficient.
Availability of Cybersecurity Courses in Universities
The availability of specialized cybersecurity courses in higher education institutions was assessed by respondents as insufficient.
Overall, respondents rated the usefulness of higher education for a career in information security as low: only half of respondents believe that it is extremely useful or very useful, a quarter rate its usefulness neutrally, and another quarter believes that it is completely useless.
The main problem with formal cybersecurity education is that it has not kept up with the changes happening in the real world. Technologies, tools, and the threat landscape are changing so quickly that the knowledge gained during training is outdated.
Also, in many regions of the world, information security professionals note that higher education often does not provide sufficient practical work experience and does not develop the skills needed for a real career. As a result, beginners are often not prepared for what awaits them after employment.
Consequences for business
As a result, due to a lack of practical experience, many new professionals make mistakes that can have significant consequences for the organization. As almost half of respondents (46%) noted, it took them more than a year to get comfortable in their first job.
At the same time, during the survey, more than half of information security professionals (51%) admitted to making serious mistakes in the first years of their work. Here are the five most popular mistakes mentioned by respondents:
Updates and patches were not installed on time (43%).
Used weak, easy-to-guess passwords (42%).
Did not make timely backups of important data (40%).
Used outdated security measures (29%).
Fell for phishing (29%).
Mistakes in the first year of work
More than half of information security professionals admit to making serious mistakes in their first years of work.
Often, information security specialists have much higher privileges and access to a significant number of systems that are not available to ordinary employees. Therefore, such errors can have catastrophic consequences for the organization, from the compromise of corporate infrastructure and infection with ransomware to successful industrial espionage operations and data leaks.
Solving the problem of personnel shortage in information security
Of course, the problem of the lack of personnel in the cybersecurity sphere is too large for there to be any simple and quick solution. The fight against the shortage of qualified specialists will take a long time, and the solution must be comprehensive.
At Kaspersky Lab, we have two priority areas
First, we need to establish more effective cooperation between business and academia. To ensure that the quality of education students receive meets the requirements that organizations have for employment, we need to help higher education institutions adapt their programs to what is happening in the real world and make them more flexible.
We have been cooperating with many educational institutions for quite some time. In particular, through our partner program Kaspersky Academy Alliance, higher education institutions gain access to world-class knowledge, lectures, trainings and technologies and can integrate industry expertise in line with the latest trends into their curricula.
Secondly, businesses should ensure that their information security department employees, especially junior specialists, can fill the gaps in theoretical knowledge and, most importantly, in the practical skills they need to successfully perform their work tasks. In the context of rapid technological development and the constant change of the threat landscape, professionals need to constantly learn to maintain their qualifications at the proper level.
Effective tools for professional training
These include our corporate education program within the Kaspersky Academy, as well as the Kaspersky Expert Training online courses, which are available not only to organizations but also to individuals. Within these programs, we offer courses and trainings based on many years of experience of leading experts in various areas of cybersecurity.
Mitigation
Finally, here are some tips that won’t directly help solve the problem of the global information security personnel shortage, but will help make it less acute within your organization:
To relieve the information security department, train ordinary company employees in the basics of information security – for example, using our automated educational platform Kaspersky Automated Security Awareness Platform.
The IT service’s practical skills in recognizing signs of an attack will also help reduce the load on information security. You can acquire such skills, for example, by taking our training for general IT specialists.
The use of automated tools that save time for information security department employees, in particular Kaspersky Symphony, will also help to smooth out the shortage of personnel.
If you lack your own highly qualified specialists, it makes sense to use external information security services, such as Managed Detection and Response and Incident Response.