Arming your cybersecurity team with the right skills and experience is a crucial first step in facing down threats.
In partnership with Longitude, a Financial Times company, Kaspersky surveyed 750 leaders at enterprises around the world about their approach to cybersecurity. The research found that a small group of companies strongly believes its cybersecurity training programs can keep pace with the ever-changing threat landscape.
Dubbed the Skills Leaders, these businesses have better security outcomes. About three-quarters (74 percent) say they’re prepared for employees accidentally creating a cybersecurity threat – such as falling for a phishing scheme – compared with only half (49 percent) of the rest.
That matters, because cybersecurity skills are in short supply and training is one way to compensate. In 2021, Microsoft announced that the US is facing a cybersecurity skills crisis, citing that more than one in 20 of all open jobs in the country require cybersecurity skills.
In the same year, research by the Information Systems Security Association (ISSA) and the industry analyst firm Enterprise Strategy Group (ESG) found that 95 percent of cybersecurity professionals surveyed believe the skills shortage has not improved in recent years. Our research found that one-third (34 percent) expect the shortage to get worse over the next two years.
New research from Kaspersky in partnership with the Financial Times Commercial department shows that diversity, collaboration and training can help protect enterprises from major cyber threats.
But the Skills Leaders are a small group — just eight percent of the research sample. How can more organizations follow their lead?
Three ways to upskill your workforce in cybersecurity
1. Train everyone, not just IT
It’s not just the cybersecurity team that should be on constant alert for threats. Employee-wide updates and reminders help make security part of company culture.
“People need to keep their software up to date, understand how to encrypt their internet traffic and not use public Wi-Fi,” says Shawnee Delaney, CEO of US-based insider threat specialist Vaillance Group. “These are general cyber hygiene practices, and they’re critical.
When people were in their daily routine before the pandemic, they would notice when something was outside of the norm. Now things have opened up and people are travelling around again, guards go down. That’s where training comes in.
Shawnee Delaney, CEO, Vaillance Group
Reducing human error is crucial. Technology research firm Gartner predicts that through 2025, more than 99 percent of cloud breaches will have a root cause of preventable misconfigurations or mistakes by end users. One way to reduce these errors is to run cybersecurity ‘tests’, such as simulated phishing campaigns, to see how employees respond to threats, and to increase training for those who fail them.
This is what Ricardo Lafosse, Chief Information Security Officer (CISO) at Kraft Heinz, does. “It’s probably one of our best ways to see whether a malicious actor could mislead our employees and get into our organization using phishing techniques,” he says.
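Turning a phishing ‘test’ into a training decision needs more than a click count: someone who clicked and then reported the email is a different case from someone who typed in credentials and said nothing. The script below is an added illustration of that triage, written for this page; it is not Kaspersky’s or Kraft Heinz’s tooling. It parses a constructed export of simulation events (the CSV layout, the user names and the event names are assumptions), classifies each recipient, builds a training queue ordered by severity, and reports per-department click and report rates.

```python
"""Triage a phishing-simulation export into training decisions.

Added example for this page (not Kaspersky's or Kraft Heinz's code). The
event format below is an assumption: one CSV record per event, with fields
timestamp,user,department,event where event is one of
sent / opened / clicked / submitted / reported.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample export, in logging order. Not real campaign data.
SAMPLE_EVENTS = """\
2024-03-04T09:00:01Z,alice,finance,sent
2024-03-04T09:00:01Z,bob,finance,sent
2024-03-04T09:00:01Z,carol,engineering,sent
2024-03-04T09:00:01Z,dave,engineering,sent
2024-03-04T09:03:12Z,alice,finance,opened
2024-03-04T09:03:40Z,alice,finance,clicked
2024-03-04T09:04:05Z,alice,finance,submitted
2024-03-04T09:05:00Z,bob,finance,reported
2024-03-04T09:10:22Z,carol,engineering,opened
2024-03-04T09:10:50Z,carol,engineering,clicked
2024-03-04T09:11:30Z,carol,engineering,reported
2024-03-04T09:30:00Z,dave,engineering,opened
2024-03-04T09:30:30Z,dave,engineering,clicked
"""

# Higher number = more urgent follow-up. Reporting without clicking, or
# ignoring the lure entirely, needs no remedial training.
SEVERITY = {
    "credentials_submitted": 3,   # entered credentials, never reported
    "clicked_unreported": 2,      # followed the link, never reported
    "clicked_but_reported": 1,    # fell for it but told the SOC: light refresher
    "reported": 0,
    "no_action": 0,
}


@dataclass
class UserResult:
    department: str
    events: list = field(default_factory=list)

    @property
    def clicked(self) -> bool:
        # A credential submission implies the link was followed.
        return "clicked" in self.events or "submitted" in self.events

    @property
    def submitted(self) -> bool:
        return "submitted" in self.events

    @property
    def reported(self) -> bool:
        return "reported" in self.events

    def outcome(self) -> str:
        """Collapse the event history into one of the SEVERITY categories."""
        if self.submitted and not self.reported:
            return "credentials_submitted"
        if self.clicked and not self.reported:
            return "clicked_unreported"
        if self.clicked:
            return "clicked_but_reported"
        if self.reported:
            return "reported"
        return "no_action"


def parse_events(export_text: str) -> dict:
    """Group the CSV export by user; returns {user: UserResult}."""
    results: dict = {}
    for line in export_text.strip().splitlines():
        _ts, user, department, event = line.split(",")
        results.setdefault(user, UserResult(department)).events.append(event)
    return results


def training_queue(results: dict) -> list:
    """Users who need follow-up training, most severe first, then by name."""
    scored = [(SEVERITY[r.outcome()], user) for user, r in results.items()]
    return [user for sev, user in sorted(scored, key=lambda x: (-x[0], x[1])) if sev > 0]


def department_rates(results: dict) -> dict:
    """Per department: recipients, share who clicked, share who reported."""
    totals = defaultdict(lambda: [0, 0, 0])  # [recipients, clicked, reported]
    for r in results.values():
        t = totals[r.department]
        t[0] += 1
        t[1] += int(r.clicked)
        t[2] += int(r.reported)
    return {
        dept: {"recipients": n, "click_rate": c / n, "report_rate": rep / n}
        for dept, (n, c, rep) in totals.items()
    }


if __name__ == "__main__":
    res = parse_events(SAMPLE_EVENTS)
    for user, r in res.items():
        print(f"{user:6} {r.department:12} {r.outcome()}")
    print("training queue:", training_queue(res))
    print("department rates:", department_rates(res))
```

The design choice worth copying is that the report rate is tracked alongside the click rate: a campaign where clicks fall but nobody reports has not produced the behavior the article is asking for, and the user who clicked and then reported (carol in the constructed data) is treated as a near-miss rather than lumped in with those who stayed silent.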
2. Update your coaching techniques
Training must also move with the times to keep up with the evolving threat landscape. The Skills Leaders identified in the research seem to understand this.
They’re more likely to be forward-thinking with their training. About two-thirds (67 percent) say it will be very important to carry out immersive cybersecurity training (gamification and simulations to recreate real attacks) in the next two years, compared with less than half (49 percent) of the rest.
“Cybersecurity training is often perceived as a formality, but one-off training is not enough,” says Evgeniya Naumova, Executive Vice President of Corporate Business at Kaspersky. “Behavioral change won’t appear with the wave of a magic wand. It takes commitment and practice for acquired skills to become habit. Continuous learning is especially important for enterprises to prepare teams for the evolving threat landscape.”
Staying up to date also means being able to change strategy fast. To combat new threats as effectively as possible, Kraft Heinz’s Lafosse prioritizes agility and flexibility in his cybersecurity team.
We have a ‘fail fast’ mentality. If we start an initiative and it’s not working, we can pull it right back and recalibrate. That’s something we institutionalize in the program.
Ricardo Lafosse, CISO, Kraft Heinz
3. Put cybersecurity at the heart of recruitment
Upskilling in cybersecurity will inevitably involve addressing the skills gap, and that could push companies to take an innovative approach to recruitment, such as hiring candidates from non-IT backgrounds.
The research found the Skills Leaders are more likely to embed cybersecurity awareness in their recruitment and onboarding processes, stressing the need for high cybersecurity standards from the start.
Enterprises with a multinational presence must ensure they approach cybersecurity consistently across their global operations. It only takes one cyber threat in one region to potentially wreak havoc across the whole organization.
The skills gap is a big challenge for enterprise cybersecurity teams. To be protected against the full range of evolving threats, enterprises must do all they can to fill it. That means expanding recruitment, preparing their existing workforces by keeping them abreast of changes and training them right from the start.