Industry players have confirmed that the demand for OT/ICS security skills and specific expertise has been on the rise for the last several years, due to threat escalations and the increased prevalence of IT/OT security frameworks and regulations.
According to Kaspersky’s survey, industrial organizations have experienced significant staffing issues, including a lack of cybersecurity experts (19%), staff overloading (46%) and staff turnover (30%). Only 4% reported feeling absolutely no pressure with regard to human resources.
The report names underfunding as one of the possible reasons for this gap between the supply of and demand for qualified employees. A lack of finances has led to a reduced headcount, with staffing being the most underfunded aspect of OT/ICS cybersecurity in every second organization (55%). Another 35% of respondents also named low salaries and compensation as a particular concern.
Overall, just under half (43%) of industrial organizations have dedicated OT/ICS security teams. Given the difficulty of recruiting skilled industrial cybersecurity specialists, many organizations are looking into outsourcing, with 58% already relying more heavily on external OT security service providers since the pandemic.
“To organize the cyberprotection of an industrial enterprise, turning to a professional team, like a managed security service provider (MSSP), is an effective option. However, if a business needs to have its own team of professionals, then they can involve expert organizations and CERTs (Computer Emergency Response Teams) like Kaspersky ICS CERT, with expert knowledge in finding vulnerabilities, detecting threats and investigating cyber-incidents who can train an in-house team to do the same. In addition to training OT cybersecurity professionals, it is also necessary to ensure that other staff members are aware of cybersecurity issues. Training in this area can be delivered through dedicated awareness programs, including face-to-face, online and e-learning courses. This can be a legal requirement for critical infrastructure enterprises,” comments Dmitriy Petrovichev, ICS CERT Service Group Manager at Kaspersky.
Kaspersky suggests the following steps to mitigate the gap in OT/ICS security expertise:
The full report, “Kaspersky ICS Security Survey 2022: The seven keys to improving OT security outcomes”, is available for download here.