Arming your cyber-security team with the right skills and experience is a crucial first step in facing down threats.
In partnership with Longitude, a thought leadership agency that is part of the Financial Times Group, Kaspersky surveyed 750 leaders at enterprises around the world about their approach to cyber-security. The research found that a small group of companies strongly believe their cyber-security training programs can keep pace with the ever-changing threat landscape.
Dubbed the Skills Leaders, these businesses have better security outcomes. About three-quarters (74 per cent) say they’re prepared for employees accidentally creating a cyber-security threat – such as falling for a phishing scheme – compared with only half (49 per cent) of the rest.
This is good news, because cyber-security skills are in short supply. In 2021, Microsoft announced the US is facing a cyber-security skills crisis, citing that more than one in 20 open jobs in the country required cyber-security skills.
In the same year, research by the Information Systems Security Association (ISSA) and industry analyst firm Enterprise Strategy Group (ESG) found 95 per cent of cyber-security employees globally believe the skills gap has not improved in recent years. Our research found one-third (34 per cent) believe this shortage will get worse in the next two years.
But the Skills Leaders are a small group – just eight per cent of the research sample. How can more organisations follow their lead?
Here are three ways you can upskill your workforce in cyber-security.
1. Train everyone, not just IT
It’s not just the cyber-security team that should be on constant alert for threats. Employee-wide updates and reminders help make security part of company culture.
“People need to keep their software up to date, understand how to encrypt their internet traffic and not use public Wi-Fi,” says Shawnee Delaney, CEO of US-based insider threat specialist Vaillance Group. “These are general cyber-hygiene practices, and they’re critical.
“When people were in their daily routine before the pandemic, they would notice when something was outside of the norm. Now things have opened up and people are travelling around again, guards go down. That’s where training comes in,” says Delaney.
Reducing human error is crucial. Technology research firm Gartner predicts that by the end of 2025, more than 99 per cent of cloud breaches will arise from preventable user misconfigurations or mistakes. One way to reduce these errors is to introduce cyber-security tests to see how employees respond to threats, and to increase training for those who fail them.
This is what Ricardo Lafosse, Chief Information Security Officer (CISO) at Kraft Heinz, does. “It’s probably one of our best ways to see whether a malicious actor could mislead our employees and get into our organisation using phishing techniques,” he says.
2. Update your coaching techniques
Training must also move with the times to keep up with the evolving threat landscape. The Skills Leaders identified in the research seem to understand this.
They’re more likely to be forward-thinking with their training. About two-thirds (67 per cent) say it will be very important to carry out immersive cyber-security training (gamification and simulations that recreate real attacks) in the next two years, compared with less than half (49 per cent) of the rest.
“Cyber-security training is often perceived as a formality, but one-off training is not enough,” says Evgeniya Naumova, former Executive Vice President of Corporate Business at Kaspersky. “Behavioural change won’t appear with the wave of a magic wand. It takes commitment and practice for acquired skills to become habit. Continuous learning is especially important for enterprises to prepare teams for the evolving threat landscape.”
Staying up to date also means being able to change strategy fast. To combat new threats as effectively as possible, Kraft Heinz’s Lafosse prioritises agility and flexibility in his cyber-security team.
“We have a ‘fail fast’ mentality. If we start an initiative and it’s not working, we can pull it right back and recalibrate. That’s something we institutionalise in the program,” says Lafosse.
3. Put cyber-security at the heart of recruitment
Upskilling in cyber-security will inevitably involve addressing the skills gap. And that could force companies to take more innovative approaches to recruitment, such as hiring candidates with non-IT backgrounds.
The research found the Skills Leaders are more likely to embed cyber-security awareness in their recruitment and onboarding processes, stressing the need for high cyber-security standards from the start.
Enterprises with a multinational presence must ensure they approach cyber-security consistently across their global operations. It only takes one cyber-threat in one region to potentially wreak havoc across the whole organisation.
The skills gap is a big challenge for enterprise cyber-security teams. To be protected against the full range of evolving threats, enterprises must do all they can to fill it. That means expanding recruitment, preparing their existing workforces by keeping them abreast of changes and training them right from the start.
Read the report: Three steps to superior cybersecurity