Kaspersky is a Business Reporter client.
Organizations with cybersecurity skills programs that keep pace are better prepared for cyberattacks. Arming your cybersecurity team with the right skills and experience is a crucial first step in facing down threats. How can your business become a skills leader?
In partnership with Longitude, a thought leadership agency that is part of the Financial Times Group, Kaspersky surveyed 750 leaders at enterprises around the world about their approaches to cybersecurity. The research found that a small group—just 8% of the research sample—strongly believe their companies’ cybersecurity training programs can keep pace with the ever-changing threat landscape.
Dubbed the “Skills Leaders,” these businesses have better security outcomes. About three-quarters (74%) of them say they’re prepared for employees accidentally creating a cybersecurity threat—such as falling for a phishing scheme—compared with about half (49%) of the other companies surveyed.
This is good news, because cybersecurity skills are in short supply. In 2021, Microsoft announced that the US is facing a cybersecurity skills crisis, noting that more than one in 20 open jobs in the country require cybersecurity skills.
That year, research by the Information Systems Security Association (ISSA) and industry analyst firm Enterprise Strategy Group (ESG) found that 95% of cybersecurity employees globally believe the skills gap has not improved in recent years. Our research found that one-third (34%) believe this shortage will get worse in the next two years.
Today, the Skills Leaders are a small group. How can more organizations follow their lead?
Here are three ways you can upskill your workforce in cybersecurity:
1. Train everyone, not just IT
It’s not just the cybersecurity team that should be on constant alert for threats. Employee-wide updates and reminders help make security part of company culture.
“People need to keep their software up to date, understand how to encrypt their internet traffic and not use public Wi-Fi,” says Shawnee Delaney, CEO of US-based insider threat specialist Vaillance Group. “These are general cyber-hygiene practices, and they’re critical.
“When people were in their daily routine before the pandemic, they would notice when something was outside of the norm. Now, things have opened up and people are traveling around again, and guards go down. That’s where training comes in.”
— Shawnee Delaney, CEO, Vaillance Group
Reducing human error is crucial. Technology researcher Gartner predicts that by the end of 2025, more than 99% of cloud breaches will arise from preventable user misconfigurations or mistakes. One way to reduce these errors is to introduce cybersecurity tests to see how employees respond to threats, and increase training for those who fail them.
This is what Ricardo Lafosse, Chief Information Security Officer at Kraft Heinz, does. “It’s probably one of our best ways to see whether a malicious actor could mislead our employees and get into our organization using phishing techniques,” he says.
2. Update your coaching techniques
Training must also move with the times to keep up with the evolving threat landscape. The Skills Leaders identified in the research seem to understand this.
They’re more likely to be forward-thinking with their training. About two-thirds (67%) say it will be very important to carry out immersive cybersecurity training (gamification and simulations to recreate real attacks) in the next two years, compared with less than half (49%) of the other respondents.
“Cybersecurity training is often perceived as a formality, but one-off training is not enough,” says Evgeniya Naumova, former Executive Vice President of Corporate Business at Kaspersky. “Behavioral change won’t appear with the wave of a magic wand. It takes commitment and practice for acquired skills to become habit. Continuous learning is especially important for enterprises to prepare teams for the evolving threat landscape.”
Staying up to date also means being able to change strategy fast. To combat new threats as effectively as possible, Lafosse prioritizes agility and flexibility in his cybersecurity team.
“We have a ‘fail fast’ mentality. If we start an initiative and it’s not working, we can pull it right back and recalibrate. That’s something we institutionalize in the program.”
— Ricardo Lafosse, CISO, Kraft Heinz
3. Put cybersecurity at the heart of recruitment
Upskilling in cybersecurity inevitably involves addressing the skills gap. And that can force companies to take more innovative approaches to recruitment, such as hiring candidates with non-IT backgrounds.
The research found that the Skills Leaders are more likely to embed cybersecurity awareness in their recruitment and onboarding processes, and to stress the need for high cybersecurity standards from the start.
Enterprises with a multinational presence must approach cybersecurity consistently across their global operations. It only takes one cyber threat in one region to potentially wreak havoc across the whole organization.
The skills gap is a big challenge for enterprise cybersecurity teams, and to protect themselves against the full range of evolving threats, enterprises must do all they can to fill it. That means expanding recruitment, preparing their workforces by keeping them abreast of changes and training them in cybersecurity right from the start.
Read the report: Three steps to superior cybersecurity.
This article originally appeared in Business Reporter.