Lack of security talent: an unexpected threat to corporate cybersafety

IT Security Risks Special Report Series 2016

Kaspersky Lab

 Download the PDF version of the report

Content

Introduction

On July 6, 2013 a Boeing 777 crashed on final approach to San Francisco Airport. The subsequent investigation revealed that due to airline policies pilots tended to rely mostly on automated aircraft systems, did not have enough manual flight experience, and lacked the skills and knowledge to understand and react in rare, but under other circumstances, standard situations. The resulting report mentioned such powerful wording as “[crew] mismanagement”, “inadequate monitoring”, “complexities [of various aircraft systems]”, “inadequate … planning and executing”. Note the striking resemblance to the messages we tend to use in IT incidents investigation.

In cybersecurity everyone has something to learn from aviation safety. Crew resource management is one example. The growing complexity of technology, together with radical advancements of automated control leading to diminishing operator qualifications is another. Transparent investigations and information sharing is also a major takeaway. The IT Security industry is still in the early stages of understanding that technology alone is not capable of solving all of its troubles. In this report we combine results of a global survey of business executives with intelligence from Kaspersky Lab’s experts and representatives of major universities to show that overcoming the lack of skills and shortage of talent in cybersecurity is a major challenge for companies. There are numerous different approaches to solving this challenge. The question is how to choose the right one.

Lack of expertise: measuring direct financial impact

Is the lack of security expertise really a problem for corporations? In short, yes. We have uncovered that an inability to build corporate security intelligence – specifically by hiring new talent – has a direct impact on the damage caused from real cybersecurity breaches. In March-April 2016 we conducted a Corporate IT Security Risks survey together with our partner B2B international. We asked more than 4,000 company representatives in different industries and of various sizes about their attitudes and experiences of cybersecurity. In particular, we wanted to find out, how businesses perceive the problem of talent shortage. Here’s what we discovered.

Overall, 33% of businesses worldwide see improving specialist security expertise as one of the Top 3 drivers of IT security investment. Approximately half of businesses admit there is a talent shortage and growing demand for specialists.

But does this concern have any foundation? To help answer that question we also asked businesses about the average loss experienced from a cybersecurity incident, which enabled us to compare perception with the real cost of recovery. We discovered that enterprises struggling to find the best security talent end up spending at least three times more on average to recover from a security breach.

Large businesses that feel confident about their IT Security team development, pay anywhere from US$100K to 500K to recover from a single breach. Those companies that admit a certain insecurity in attracting new talent, end up paying from US$1.2 to $1.47 million. However, when this loss is compared to the cost of hiring new staff, it demonstrates how much more cost effective it is to employ experts before an incident, rather than bringing them in to pick up the pieces. A significant amount of the recovery costs is due to additional staff wages – US$14K on average for SMBs, $126K for enterprises – with companies spending more on hiring external experts and paying overtime for their own team, than they actually lose in terms of business opportunities, credit rating and compensations to clients and partners. Investment in IT security before a serious breach happens is therefore worth the effort.

But it’s not only about money. 40% of companies cite increased infrastructure complexity as a major driver for increasing IT security budgets. CISOs recognize the increased demand for security from multiple directions: top management wants it (38% of enterprises, 33% of SMBs mention it as one of the main reasons for increased IT security investment), and regulators demand it with a multitude of compliance requirements (one of the key budget growth drivers for 38% for enterprises and 38% of SMBs). It’s still hard to estimate ROI for security efforts, but apparently companies don’t even care. 62% of large companies and 59% of SMBs will continue investment in IT security regardless of the ability to measure return.

On average, 15% of talent in an IT department of a large company is dedicated to security, that’s 39 specialists in a typical team of 220 experts managing all aspects of the infrastructure. SMBs in comparison have only two security experts out of a team of 16 IT professionals. Do they plan to expand? You bet. 68.5% of businesses expect an increase, of them 18.9% think their IT security department will grow significantly (27% of enterprises, 22% SMBs), with 4.1% expecting their headcount to double over the next three years.

There are also differences in attitudes towards finding new talent within industry sectors. Companies operating in the following fields have the highest expectation towards IT security staff growth:

The threat landscape provides about 315,000 reasons daily for businesses to enhance their defenses. When we compared the real experience of specific security incidents with the businesses’ desire to grow their IT security teams, we found that confronting these threats significantly affects investment in cybersecurity talent:

The demand for security professionals is growing across all industries and affects companies of all sizes. Businesses are driven by multiple demands: senior management, regulators, the threat landscape and a general desire to protect sensitive data at all costs. The question is how to find the right professionals in the market. Our survey shows that it’s not enough to secure budget for headcount and salary growth. New talent brings more intelligence but only if the right decisions were made in the process. To prove this, we asked companies how confident they are that their network has not been hacked. Over half (58.6%) were not 100% sure that their network has not been hacked. With a key goal of a company’s security efforts to raise confidence in the systems and processes in place, investing in intelligence and talent play a major role.

One out of forty: new security talent is hard to find

As a security intelligence provider, we at Kaspersky Lab have a strong team of security experts, and continue to expand in our HQ and offices around the world. This puts us in a different position compared to regular businesses. While the typical large company’s security team amounts to 15% of the IT department, in our case security experts comprise 30% of the entire R&D department. This gives us a certain advantage: we have years of experience in attracting new talent. Does this make it easier for us?

First, we believe that only our internal team can find the right experts, and that’s why we do not use recruitment agencies but develop our internal recruitment expertise in IT Security field. Second, as one of the top IT Security companies, we need only the best and most experienced candidates to join our team. That’s why we communicate with 40 applicants to hire just one expert and fill one position in 45 days on average.

Kirill Shiryaev, Kaspersky Lab’s Head of Talent Acquisition and Employer Branding:

“In order to fill a single position, on average we contact 40 applicants. Of them, we conduct extended interviews with 10 people and choose only one. Some applicants understand that they do not have enough skills and desire to learn for our unique requirements the moment they get a technical test assignment. Even for junior positions, we have to find people with practical skills and knowledge of various aspects of IT. We demand knowledge of specific tools like debugging and reverse engineering software, experience with various programming languages. Given the specifics of our company, we don’t expect that all applicants have already worked in the field of cybersecurity. In fact, if a candidate did some relevant work in his/her own time out of interest, it may become a key factor to make an offer”.

Security talent is a scarce resource, and it happens for a reason. We rarely see people who chose the IT security field by chance – it’s simply impossible to stay in this business just to make a living. Cybersecurity demands curiosity, self-education, knowledge of a broad scope of topics, and every single one of them can get you a decent salary in any other IT field. One has to be really inclined to become a security expert, and it doesn’t work any other way. Sometimes we see candidates who can’t meet our requirements, and our goal is to stay in touch with them. Once in a while we meet a person persistent enough to master their skills, return to us and join the team.

Security is tough to master

Can education institutions fulfill the growing demand for new talent? The IT industry continues to evolve at a rapid pace, and despite the obvious advancements in IT education, most graduates are not ready to help companies in ramping up security immediately. We reached out to representatives of education institutions specializing in the field of IT and IT security to confirm.

Professor Steve Furnell, Head of School of Computing, Electronics and Mathematics (Faculty of Science and Engineering), Leader of Centre for Security, Communications & Network Research at Plymouth University, UK:

“I think that care needs to be taken about how much we regard graduates as being directly “qualified to work” in the IT security field. Even as degree graduates, I would not necessarily regard them as qualified practitioners. They should certainly have a good level of supporting knowledge and some of the skills, but there will equally be various aspects that they have not been able to put into practice “for real” at that stage”.

There is also an internal competition between the security industry and other general IT fields, that too, are looking for talent. Not to mention the fact that IT specialization demands certain personal qualities that are not that common.

Dr. Tse Woon Kwan Daniel, City University of Hong Kong:

“Just the technical side is not enough to become a real expert in IT security. Both managerial and technical know-how are required, with a good grounding in security management and auditing. From time to time, I tell my students that a competent IT auditor should be one who knows about all aspects of IT security because in just understanding the technical side they may not know how to make best use of it to align with the business. On the other hand, just knowing the managerial side may mean they only know about the hype.”

That’s why at Kaspersky Lab we need to make sure that fresh graduates at the very least, will evaluate their desire and capabilities to join the cybersecurity industry. This means reaching out to universities, developing and conducting special training courses, even sharing some of our proprietary technologies to help motivate students. There are positive signs that educational institutions understand the demand for security experts and are looking to improve their programs.

Professor Steve Furnell:

“I see a growing demand for IT security education these days. I think it is certainly an area that is seeing increased interest from students, and there has been a definite growth in the number of universities offering named programs in this space. We provide specific courses dedicated to the topic of IT security at both Bachelors and Masters level, as well as security-related modules within our other computing degree programs (with the exact mix of core and optional content varying depending upon the program concerned). We also have security-related emphasis within wider computing modules. For example, software engineering and database development are both topics in which security is important even though it is not the main theme of the course concerned”.

Going beyond technical expertise

Security expertise starts with solving simple challenges. Note that in our industry ‘simple’ sometimes equals to ‘reasonably complex’ everywhere else. Kaspersky Lab’s founder Eugene Kaspersky started his security journey 27 years ago by analyzing viruses in his free time. Many of our best experts did likewise: the major source of our talent is the ‘virus lab’, the first level of many needed to become a versatile security expert.

But does our experience apply to a normal company with real business needs far from IT Security? The answer is both yes and no. We have reached out to our security experts to clarify.

Sergey Novikov, Deputy Director, Global Research and Analysis Team:

“A security researcher learns something new every day, while doing their best to analyze new advanced threats. Today the topic may be the specifics of a rare programming language, typically used in a gaming application, and now utilized by threat actors. Tomorrow this may change to aspects of Chinese dialects, needed to recover vital clues from the code of a mysterious malicious module. Complexity of threats grows with complexity of IT infrastructure, but that’s not the only challenge. Our experience shows that the lack of security managers is more severe and impactful than the lack of technology experts. Growing technical skills is important, but seeing a bigger picture of all threats or those relevant to a particular business is paramount. Understanding the real scope of threats and at the same time being able to communicate the needs of IT security to top management is very, very difficult”.

So it’s not only about technical expertise. The ability to make this expertise actionable while defending the needs of cybersecurity to senior management is also important. While the security industry itself is in need of ‘pure’ technology wizards, for regular businesses things are different. They need security intelligence as well as security management in order to be on the safe side.

Sergey Gordeychik, Head of Security Services, Deputy CTO, Kaspersky Lab:

“Business-side security experts and security researchers share one common character: the desire to master skills in this unique field and a personal interest in the topic. But there are differences, too. Protecting a company does not require knowledge of assembly language to reverse engineer. It is even harmful to dig into such things: they take precious resources away from the real goal: keep the company’s data safe and infrastructure working. It’s not a question of “how” and “who” that businesses have to answer when confronted with an attack. The right question is what should be done to reduce the risk. Security management plays the most important part in solving this challenge. We see that it’s hard to combine those skills within a single team: developers and general IT experts often overlook security matters, while security professionals tend to focus on breaking things, not building something with security in mind”.

Looking for a solution: intelligence sharing

As we have observed, even if the supply of security experts satisfied the demand, this would not solve all business troubles. First, the lack of experts’ problem extends beyond technical knowledge and experience. Finding a manager who at the same time is proficient in the threat landscape, current security solutions and specifics of IT infrastructure is even harder. Second, a single business is not capable of accumulating enough intelligence to combat all threats. Malware, spam, DDoS attacks, and targeted assaults are seeking different points of vulnerability in a corporate infrastructure, with years of knowledge required to properly secure each of them.

15 years ago the business world had just started its path towards dependency on IT infrastructure, and back then the threat landscape was much more relaxed. Those were the good times when everything that was needed to prevent cyberthreats was an anti-virus solution. Not anymore. Although the need for threat prevention technologies is going to grow, the ultimate cyber defense now relies on sharing of intelligence. By intelligence here we mean exchanging expertise about various types of cyberthreats, attacks and vulnerabilities both in a form of protection technology and pure knowledge.

Businesses are still cautious when it comes to employing external security consultants to audit the level of protection from cyberthreats: only 26% of companies we have surveyed see this measure is effective. But the same survey provides an important clue that this perception has to change. The most damaging attacks – those that companies cannot discover for days or even weeks after the initial compromise – are most likely to be discovered by a security audit. 72% of businesses that suffered from such attacks discovered them thanks to an external audit. The second most frequent working measure is internal security assessment. The third most popular clue of an ongoing attack is quite alarming – a notification from a client or a customer.

Veniamin Levtsov, Vice President, Enterprise Business, Kaspersky Lab:

“The onset of targeted attacks on businesses, often initiated by organized crime, calls for a fresh look at corporate cybersecurity. Sometimes these assaults are based on sophisticated malicious technologies, but more often, we see attacks that exploit human weaknesses and the inevitable growth in infrastructure complexity. The people behind the attacks have intent, skills and knowledge to harm the businesses they target. Therefore, the most precious assets that businesses can use to counteract these attacks are people with even better talent, knowledge and skills. With the right people in place, the technology that helps these experts to enhance a company’s defenses can really make a difference. For the corporate world, and the security industry alike, this is not a comfortable paradigm shift, but sooner or later intelligence-based security is going to be universally embraced. Talent shortage is one of the clear signs of that.

In this evolving industry the relationship with our customers already goes beyond shipping a technology or a product. We need to provide them with the skills and training required to identify on-going attacks. Detailed knowledge about attacks on other businesses, in the form of intelligence reports, is also necessary, along with actionable, machine-readable data about on-going threats. Solving the different challenges of threat prevention, detection of targeted attacks, incident response and prediction requires a lot of flexibility. As a security vendor we are dedicated to increasing the quality and size of the expert security workforce around the world. Among many projects to support this initiative we are developing IT Security Fundamentals – an educational course that will hopefully help more IT professionals to start their journey in the field of security expertise”.

Conclusion: Being flexible

52% of businesses agree that their security will be compromised at some point, and they have to be prepared for such events. So far businesses tend to concentrate on prevention technologies and pay less attention to threat detection and response. Despite some obvious controversy in businesses’ perception of IT security matters, we see a clear sign of positive change. In three years, companies are looking to invest 60% of their IT budgets on protection approaches beyond prevention, which is a positive sign of perception change.

The problem of talent shortage like any other cybersecurity problem will be eventually solved, through the efforts of education, evolution of the industry and adoption of intelligence sharing models. By that time, we will be dealing with much more complicated problems in this field. As our experts say, to be successful in this business you should always be prepared to deal with something new. The root cause of a talent shortage is the need to solve security issues that cannot be solved by automated security systems. Thus, the solution lies within a greater flexibility of businesses as well as the security industry: building new security solutions with intelligence in mind and making sure that new findings of the evolving threat landscape can be shared with everyone efficiently.