Large businesses with a small number of full-time security experts pay almost three times more to recover from a cyberattack than those businesses with in-house expertise, according to Kaspersky Lab.
In March-April 2016, a survey about attitudes and experiences with cybersecurity was conducted of more than 4,000 company representatives in different industries and of various sizes. The findings show a general shortage of full-time security staff and available expert talent, which calls for more specialists in the field.
The research shows that large businesses hiring outside help pay between $1.2M – $1.47M to recover from a cybersecurity incident, compared to between $100K – $500K for large businesses that have skilled in-house IT security experts to handle a crisis. This is due to a significant amount of recovery costs going toward additional staff wages to hire external expert help, costing on average $14K for SMBs and $126K for enterprises.
Businesses, large and small, don’t have the full-time security expertise to properly handle an attack on their own. Only 15 percent of the employees in an IT department of a large company are dedicated to security. For example, in a large business that equals 39 specialists in a typical team of 220 experts managing all aspects of the infrastructure. For SMBs, there are only two security experts out of a team of 16 IT professionals. With an average of 315,000 malware threats detected on a daily basis, businesses need to reconsider proactively enhancing their security defenses.
Growing demand for more specialists
Surprisingly, nearly half (48 percent) of businesses admit there is a talent shortage and a growing demand for more specialists (46 percent). Proactively hiring new staff to employ experts before an incident, rather than bringing them in to pick up the pieces, significantly lowers the average IT costs and helps better protect the business.
Citing complexity of IT infrastructure, compliance requirements, and the overall desire to protect business assets, companies are willing to grow their security intelligence. In fact, for a third of businesses, the improvement of specialist security expertise is one of the top three drivers for an additional investment in IT Security.
Full-time security experts wanted
Overall, 68.5 percent of companies expect an increase in the number of full-time security experts, with 18.9 percent expecting a significant increase in headcount. Higher education is an important part of fulfilling such a demand, but this is also a call for a change within the security industry itself. One of the solutions is to aid universities with relevant experience.
Another very important long-term solution is to adapt R&D efforts towards the effective sharing of intelligence with corporate customers in the form of threat data feeds, security training, and services. A proper combination of security solutions and intelligence is what allows corporate security teams to spend less time and money on regular cybersecurity incidents and focus on strategic security development and advanced threats.
“In this evolving industry the relationship with our customers already goes beyond the shipment of a technology or a product – to providing the skills and training necessary to identify on-going attacks,” said Veniamin Levtsov, vice president, enterprise business at Kaspersky Lab. “Sharing detailed research about attacks on other businesses, in the form of intelligence reports, is also necessary, along with actionable, machine-readable data about on-going threats. Solving the different challenges of threat prevention, detection, incident response and prediction requires a lot of flexibility and experience and we are dedicated to helping grow the security expert workforce around the world.”