Chapter 4. Evaluation process and ways to acquire more expertise

Key findings

  • Only 43% of companies have a formal evaluation process for the InfoSec workforce.
  • The most important selection criterion that companies use when choosing a training program is whether the program includes the latest tools and technologies (57%).
  • 41% of companies assess training effectiveness through participant feedback, and 31% through pre- and post-course assessments from their staff.
  • 39% of respondents say they are willing to pay for their own training courses.

How do companies evaluate their InfoSec professionals?

In order to keep track of the effectiveness of InfoSec staff, an evaluation process is obviously necessary. Surprisingly, however, only 43% of the questioned companies mentioned that they have a formal process for evaluating the InfoSec workforce. Just over half (51%) admit that they measure the effectiveness of their workforce by the number of incidents they’ve handled. And less than one tenth of the people interviewed (6%) said that their business does not assess or evaluate InfoSec professionals at all!

And out of the organizations that evaluate their InfoSec workforce, 48% evaluate their workforce every six months and 37% make assessments every year. A diligent 11% of companies test their InfoSec staff once every quarter. But only 4% have an evaluation when the management asks for it.

How organizations evaluate the InfoSec workforce and how often organizations evaluate the training programs

In order to keep the InfoSec team up to date with the latest techniques and threats, organizations sometimes need to get outside help. Among the companies interviewed, more than half (76%) responded that they had tie-ups with external organizations and experts for specific training programs to upskill their workforce. Nearly one third (28%) have an internal instruction module and, although they don’t have specific courses, 10% of respondents provide sponsorships for their workforce with relevant classes.

How organizations upskill their InfoSec staff

How do companies choose training courses?

When it comes to a training roadmap, most respondents said that their HR team, in collaboration with the senior management team, were the designers. The criterion that most professionals (57%) selected as most important when choosing a training program was inclusion of the latest tools and technologies used in the InfoSec industry. Other standards companies look for are a panel of known experts (47%), years of experience (45%), cost (44%) and brand name (42%). Less important on respondents’ wishlist were the opinions of others, in the form of client testimonials (36%) and recommendations (31%). Only one quarter (25%) said they look at the format of the modules.

Selection criteria for training program

The companies’ preferred formats differ clearly by region. Online training was the clearly preferred format in Russia (80%), Latin America (77%), META (73%) and APAC (63%). The majority (55%) in North America, by contrast, had a mixed preference, although the online format was preferred slightly over the offline one. Preferences in Europe are also close, but in this region they slightly prefer offline course formats.

Preference of mode of training by regions

Like most professionals, InfoSec specialists must stay at the top of their game. But as the threat environment is constantly evolving and cyber criminals are always looking for ways to hack into unsuspecting victims’ devices, cybersecurity specialists must arguably be more up to speed with the latest research and techniques than most.

And although most C-suite bosses are now realizing how important it is to help their IT security staff stay up to date, these professionals realize it is in their best interest to up their skills whenever possible. This survey provides proof of this fact.

Among this study’s respondents, 22% say they are willing to pay for training courses and upskilling their talents. More than one third (39%) are not sure whether they would use their hard-earned cash to improve their skills, but the same number of people (39%) are not willing to pay.

Willingness to pay for upskilling by respondents

Most of the InfoSec professionals willing to pay are from North America (63%) and Latin America (51%). However, the specialists least willing to pay for their own upskilling are in Russia (26%) where, coincidentally, cybersecurity experts are in high demand. Perhaps these differences are because company cultures in these countries differ and job markets are quite fluid, in addition to the fact that there are fewer vacancies in the cybersecurity job markets in the former compared to the latter.

Willingness to pay for upskilling by regions

How do companies evaluate the effectiveness of programs?

To understand how effective cybersecurity training programs are, companies must assess them. They can measure metrics against a list of criteria: seeing if staff was trained in the latest security trends, discovered new technology, tracking methods, security lags and exercises. Other methods include testing the course against KPIs, asking if staff are satisfied with their training and if they’ve acquired new skills, or checking if new threats have been discovered and stopped. Some even hire third-party agencies to do their assessments on their behalf.

Most InfoSec professionals (41%) responded that their organization assesses training effectiveness through participants’ feedback, or assessments from their staff before and after the course (31%). More than one quarter (26%) admit that their organization hires third-party agencies to assess the effectiveness of the training programs. Only 2% of companies that participate in external training programs do not have a method to check their effectiveness.

Assessing program effectiveness

Once trainees have participated in a training program, companies are faced with other challenges when selecting follow-up courses to keep up with ongoing training.

The top four challenges for the majority of professionals were the lack of courses covering new challenging spheres (49%), the fact that participants had forgotten what they had learned in previous sessions because there had not been opportunities to implement what had been taught (47%), misconceptions about training pre-requisites (45%) and difficulties in assessing the effectiveness of the course (42%).

Top 10 challenges in selecting courses

To find qualified InfoSec professionals who can fulfill cybersecurity roles, companies pay attention to certain characteristics such as previous workplaces, a portfolio with detailed case studies showcasing hands-on experience, relevant hard and soft skills and so on. However, many InfoSec bosses state that with the evolving threat landscape, traditional roles such as threat intelligence analyst or network security engineer are being constantly redefined and need to be adapted due to the way these threats are permeating businesses. This business need complicates the hiring process, as one experienced professional may be an expert in malware analysis but know nothing about network security – finding a versatile staff member may become an even bigger challenge for companies in the future.

In order to cope with staff shortages, companies seeking to fill InfoSec positions can turn, for instance, to additional training programs for existing staff, to professional outsourcing or to the use of up-to-date TI databases and automated solutions. As the recent Kaspersky study revealed, professional outsourcing is currently a popular option: almost 80% of companies prefer to outsource the cybersecurity function due to staff shortages. This option can deal with problems in the short term as well as the long term.

Another way is to train existing staff in house and build up internal knowledge within the company, meaning that the people handling cybersecurity have both a deep understanding of, and 100% focus on, the organization’s needs. With in-house training, a company also has direct control over the content and scheduling, and can customize the courses according to its needs.

And of course, don’t forget about solutions that help reduce the burden on the staff, allowing them to spend more time on improving their skills and not on hours-long routine tasks. Threat Intelligence databases and automated solutions for monitoring and responding to cyber threats can become such assistants.

List of recommendations

Educational training courses and cybersecurity awareness

  1. Invest in training so your IT security specialists keep their skills up to date and are best prepared for the cyber threat landscape. With Kaspersky Expert training, InfoSec professionals can advance their skills and be able to defend their companies against even the most sophisticated attacks as needed.
  2. Regularly educate all your staff, even IT and InfoSec professionals, about current cyber threats and ways to confront them. Security Awareness training can help companies to address specific security needs and minimize the possibility of cybersecurity incidents caused by their own employees.
  3. Use interactive simulators to check your own expertise and assess your way of thinking in critical situations. For instance, with the new Kaspersky interactive ransomware game you can observe the deployment, investigation and response to an attack by the company’s IT department and make vital decisions with the game’s main character.

Managed cybersecurity service providers

  1. Adopt managed security services such as our Managed Detection and Response (MDR) and/or Incident Response to get additional expertise without additional hiring. These provide the best possible advanced automated security services and analysis of corporate data gathered every day, in real time, 24/7, to help protect against cyberattacks and investigate incidents even if the company lacks cybersecurity specialists.

Collected expertise and automated solutions

  1. Provide your InfoSec professionals with in-depth visibility into cyberthreats targeting your organization. The latest Threat Intelligence will supply them with rich and meaningful context across the entire incident management cycle and help to identify cyber risks in time.
  2. Use centralized and automated solutions such as our Extended Detection and Response (XDR) to reduce the burden on the IT security team and minimize the possibility of making mistakes. By aggregating and correlating data from multiple sources in one place and using machine learning technologies, such solutions provide effective threat detection and fast automated response.

To learn more about the cybersecurity skills shortage, read the entire report ‘The portrait of modern information security professional’.