{"id":50677,"date":"2024-02-22T17:43:33","date_gmt":"2024-02-22T22:43:33","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?page_id=50677"},"modified":"2024-05-14T09:59:10","modified_gmt":"2024-05-14T13:59:10","slug":"portrait-of-modern-infosec-professional-research-2024-evaluation","status":"publish","type":"page","link":"https:\/\/www.kaspersky.com\/blog\/portrait-of-modern-infosec-professional-research-2024-evaluation\/","title":{"rendered":"Chapter 4. Evaluation process and ways to acquire more expertise"},"content":{"rendered":"<style>.c-page h1,.c-page h2,.c-page h3,.c-page h4,.c-page h5{ text-wrap: balance; } .c-wysiwyg blockquote{background: rgb(0 153 129 \/ 10%);}.c-wysiwyg blockquote p{font-style:normal} .img-big { width: 100vw!important; max-width: 1024px!important; left: 57%!important; position: relative; transform: translateX(-50%); }.accent{color: #00a88e; margin: 0;font-size:1.5rem;font-weight: 900;}.c-wysiwyg .accented-list li:before {top:1.15rem}.c-wysiwyg .accented-list li{margin-bottom:1.25rem}.c-wysiwyg hr+*{margin-top:2.5rem}.c-wysiwyg hr{border-bottom: 2px solid #00a88e; width: 120px;margin: 1rem 0 -1.25rem 0;}blockquote h5 { color: #00a88e; font-style: initial; } span.accented-quote { display: block; font-size: 60px; font-family: sans-serif; line-height: 20px; margin-top: 30px; margin-left: -3px; }@media(min-width: 40.6875rem){.accent{font-size:2rem}.c-wysiwyg .accented-list li:before {top:1.75rem}.c-wysiwyg hr{border-bottom: 2px solid #00a88e; width: 160px;}}span.footnotes { position: relative; display: inline-block; border-bottom: 1.5px dashed #333; line-height: 1em;transition: 0.5s; background: transparent; cursor: pointer; } span.note { position: absolute;line-height: 1.6em; width: 300px; opacity: 0; visibility: hidden; left: 0; top: 15px; transform: translateX(-50%); transition: 0.3s; background: white; padding: 15px 20px; box-shadow: 0px 3px 7px #ababab; border-radius: 3px; cursor: initial; } span.footnotes:hover { background: 
#ffffd5; } span.footnotes:hover .note { z-index:999;opacity: 1; visibility: visible; }@media(max-width:480px){span.note {position: fixed;left: 5px; top: 50vh;transform: translatey(-50%); width: 100vw;}}.c-wysiwyg .illustration-list { margin-left: 0; display: grid; grid-column-gap: 5vw; grid-template-areas: \"a a\" \"b c\" \"d e\"; } @media (max-width: 640px) { .illustration-list { grid-template-areas:\"a\" \"b\" \"c\" \"d\" \"e\" }  } .c-wysiwyg .illustration-list li { margin-bottom: 2em; } .illustration-list li:before { display: none; } .illustration-list span.accent { font-size: 1em; } .illustration-list img { width: 128px; }.desktop-banner {display:block!important} .mobile-banner{display:none!important} @media(max-width:768px){.desktop-banner {display: none!important} .mobile-banner{display: block!important}}a.c-slider__arrow.c-slider__arrow--prev.slick-arrow,.c-gallery-slider .c-slider__arrow.c-slider__arrow--next, .c-gallery-slider .c-slider__arrow.c-slider__arrow--right {background:none} .c-gallery-slider .c-slider__arrow.c-slider__arrow--next:before, .c-gallery-slider .c-slider__arrow.c-slider__arrow--right:before,.c-gallery-slider .c-slider__arrow.c-slider__arrow--left:before, .c-gallery-slider .c-slider__arrow.c-slider__arrow--prev:before { filter: invert(1); transform: scale(1.25); }.slick-slider .slick-list{max-height:410px!important}.c-article__content blockquote li, .c-article__content blockquote p { font-size: 1rem; }h5 { color: #737373; }.red{color:#d51616}.yellow{color:#99992e}.green{color:#34c334}.table-caption{font-size: .875rem;display: flex; gap: 30px; justify-content: center; margin-bottom: 2em;}<\/style>\n<p><img decoding=\"async\" class=\"img-big aligncenter size-full wp-image-50381\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/02144852\/Portraits-of-Infosec-professionals.jpg\" alt=\"\" width=\"1024\" height=\"683\"><\/p>\n<h2>Key findings<\/h2>\n<hr>\n<ul>\n<li>Only 43% of companies have a formal 
evaluation process for the InfoSec workforce.<\/li>\n<li>The most important selection criterion that companies use when choosing a training program is whether the program includes the latest tools and technologies (57%).<\/li>\n<li>41% of companies assess training effectiveness through participant feedback, and 31% through pre- and post-course assessments from their staff.<\/li>\n<li>39% of respondents say they are willing to pay for their own training courses.<\/li>\n<\/ul>\n<h2>How do companies evaluate their InfoSec professionals?<\/h2>\n<hr>\n<p>In order to keep track of the effectiveness of InfoSec staff, an evaluation process is obviously necessary. Surprisingly, however, only 43% of the companies surveyed said that they have a formal process for evaluating the InfoSec workforce. Just over half (51%) admit that they measure the effectiveness of their workforce by the number of incidents they\u2019ve handled. And less than one tenth of the people interviewed (6%) said that their business does not assess\/evaluate InfoSec professionals at all!<\/p>\n<p>And out of the organizations that evaluate their InfoSec workforce, 48% evaluate their workforce every six months and 37% make assessments every year. A diligent 11% of companies test their InfoSec staff once every quarter. 
But only 4% have an evaluation when the management asks for it.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/22173534\/portrait-of-modern-infosec-professional-research-2024-evaluation-1-2.png\"><img decoding=\"async\" class=\"img-big aligncenter size-full wp-image-50689\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/22173534\/portrait-of-modern-infosec-professional-research-2024-evaluation-1-2.png\" alt=\"How organizations evaluate Infosec workforce and How often organizations evaluate the training programs\" width=\"2048\" height=\"1641\"><\/a><\/p>\n<p>In order to keep the InfoSec team up to date with the latest techniques and threats, organizations sometimes need to get outside help. Among the companies interviewed, more than half (76%) responded that they had tie-ups with external organizations and experts for specific training programs to upskill their workforce. Nearly one third (28%) have an internal instruction module and, although they don\u2019t have specific courses, 10% of respondents provide sponsorships for their workforce to attend relevant classes.<\/p>\n<h5 style=\"text-align: center;\">How organizations upskill their InfoSec staff<\/h5>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/22172359\/portrait-of-modern-infosec-professional-research-2024-evaluation-3.png\"><img decoding=\"async\" class=\"img-big aligncenter size-full wp-image-50682\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/22172359\/portrait-of-modern-infosec-professional-research-2024-evaluation-3.png\" alt=\"\" width=\"2048\" height=\"674\"><\/a><\/p>\n<h2>How do companies choose training courses?<\/h2>\n<hr>\n<p>When it comes to a training roadmap, most respondents said that their HR team, in collaboration with the senior management team, were the designers. 
The criterion that most professionals (57%) selected as most important when choosing a training program was the inclusion of the latest tools and technologies used in the InfoSec industry. Other standards companies look for are a panel of known experts (47%), years of experience (45%), cost (44%) and brand name (42%). Lower on respondents\u2019 wishlists was the opinion of others, in the form of client testimonials (36%) and recommendations (31%). Only one quarter (25%) said they look at the format of the modules.<\/p>\n<h5 style=\"text-align: center;\">Selection criteria for training program<\/h5>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/22172416\/portrait-of-modern-infosec-professional-research-2024-evaluation-4.png\"><img decoding=\"async\" class=\"img-big aligncenter size-full wp-image-50683\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/22172416\/portrait-of-modern-infosec-professional-research-2024-evaluation-4.png\" alt=\"\" width=\"2048\" height=\"1284\"><\/a><\/p>\n<p>Companies\u2019 preferred formats differ clearly by region. Online training was the clearly preferred format in Russia (80%), Latin America (77%), META (73%) and APAC (63%). By contrast, the majority (55%) in North America had a mixed preference, although the online format was preferred slightly over the offline one. 
Preferences in Europe are also close, but in this region, they slightly prefer offline course formats.<\/p>\n<h5 style=\"text-align: center;\">Preference of mode of training by regions<\/h5>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/22172432\/portrait-of-modern-infosec-professional-research-2024-evaluation-5.png\"><img decoding=\"async\" class=\"img-big aligncenter size-full wp-image-50684\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/22172432\/portrait-of-modern-infosec-professional-research-2024-evaluation-5.png\" alt=\"\" width=\"2048\" height=\"1374\"><\/a><\/p>\n<p>Like most professionals, InfoSec specialists must stay at the top of their game. But as the threat environment is constantly evolving and cyber criminals are always looking for ways to hack into unsuspecting victims\u2019 devices, cybersecurity specialists must arguably be more up to speed with the latest research and techniques than most.<\/p>\n<p>And although most C-suite bosses are now realizing how important it is to help their IT security staff stay up to date, these professionals realize it is in their best interest to up their skills whenever possible. This survey provides proof of this fact.<\/p>\n<p>Among this study\u2019s respondents, 22% say they are willing to pay for training courses and upskilling their talents. 
More than one third (39%) are not sure whether they would use their hard-earned cash to improve their skills, but the same number of people (39%) are not willing to pay.<\/p>\n<h5 style=\"text-align: center;\">Willingness to pay for upskilling by respondents<\/h5>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/22172448\/portrait-of-modern-infosec-professional-research-2024-evaluation-6.png\"><img decoding=\"async\" class=\"img-big aligncenter size-full wp-image-50685\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/22172448\/portrait-of-modern-infosec-professional-research-2024-evaluation-6.png\" alt=\"\" width=\"2048\" height=\"1286\"><\/a><\/p>\n<p>Most of the InfoSec professionals willing to pay are from North America (63%) and Latin America (51%). However, the specialists least willing to pay for their own upskilling are in Russia (26%) where, coincidentally, cybersecurity experts are in high demand. 
Perhaps these differences are because <a href=\"https:\/\/hbr.org\/2020\/01\/how-corporate-cultures-differ-around-the-world\" target=\"_blank\" rel=\"nofollow noopener\">company cultures in these countries differ<\/a> and job markets are quite fluid, in addition to the fact that there are fewer vacancies in the cybersecurity job markets in the former compared to the latter.<\/p>\n<h5 style=\"text-align: center;\">Willingness to pay for upskilling by regions<\/h5>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/22172504\/portrait-of-modern-infosec-professional-research-2024-evaluation-7.png\"><img decoding=\"async\" class=\"img-big aligncenter size-full wp-image-50686\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/22172504\/portrait-of-modern-infosec-professional-research-2024-evaluation-7.png\" alt=\"\" width=\"2048\" height=\"1286\"><\/a><\/p>\n<h2>How do companies evaluate the effectiveness of programs?<\/h2>\n<hr>\n<p>To understand how effective cybersecurity training programs are, companies must assess them. They can measure metrics against a list of criteria: seeing if staff were trained in the latest security trends, discovered new technology, tracking methods, security lags and exercises. Other methods include testing the course against KPIs, asking if staff are satisfied with their training, if they\u2019ve acquired new skills, or checking if new threats have been discovered and stopped. 
Some even hire third-party agencies to do their assessments on their behalf.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-50679\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/22170153\/portrait-of-modern-infosec-professional-research-2024-evaluation-illustration.png\" alt=\"\" width=\"903\" height=\"722\"><\/p>\n<p>Most InfoSec professionals (41%) responded that their organization assesses training effectiveness through participant feedback, or assessments from their staff before and after the course (31%). More than one quarter (26%) admit that their organization hires third-party agencies to assess the effectiveness of the training programs. Only 2% of companies that participate in external training programs do not have a method to check their effectiveness.<\/p>\n<h5 style=\"text-align: center;\">Assessing program effectiveness<\/h5>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/22172519\/portrait-of-modern-infosec-professional-research-2024-evaluation-8.png\"><img decoding=\"async\" class=\"img-big aligncenter size-full wp-image-50687\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/22172519\/portrait-of-modern-infosec-professional-research-2024-evaluation-8.png\" alt=\"\" width=\"2048\" height=\"796\"><\/a><\/p>\n<p>Once trainees have participated in a training program, companies are faced with other challenges when selecting follow-up courses to keep up with ongoing training.<\/p>\n<p>The top four challenges for the majority of professionals were the lack of courses covering new challenging spheres (49%), the fact that participants had forgotten what they had learned in previous sessions because there had not been opportunities to implement what had been taught (47%), misconceptions about training pre-requisites (45%) and difficulties in assessing the effectiveness of the course (42%).<\/p>\n<h5 
style=\"text-align: center;\">Top 10 challenges in selecting courses<\/h5>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/22172540\/portrait-of-modern-infosec-professional-research-2024-evaluation-9.png\"><img decoding=\"async\" class=\"img-big aligncenter size-full wp-image-50688\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/22172540\/portrait-of-modern-infosec-professional-research-2024-evaluation-9.png\" alt=\"\" width=\"2048\" height=\"2268\"><\/a><\/p>\n<h2>Conclusion<\/h2>\n<hr>\n<p>To find qualified InfoSec professionals who can fulfill cybersecurity roles, companies pay attention to certain characteristics such as previous workplaces, a portfolio with detailed case studies showcasing hands-on experience, relevant hard and soft skills and so on. However, many InfoSec bosses state that with the evolving threat landscape, traditional roles such as threat intelligence analyst or network security engineer are being constantly redefined and need to be adapted due to the way these threats are permeating businesses. This business need complicates the hiring process, as one experienced professional may be an expert in malware analysis but know nothing about network security \u2013 finding a versatile staff member may become an even bigger challenge for companies in the future.<\/p>\n<p>In order to cope with staff shortages, companies seeking to fill InfoSec positions can turn, for instance, to additional training programs for existing staff, to professional outsourcing or to the use of actual TI databases and automated solutions. As the recent Kaspersky <a href=\"https:\/\/www.kaspersky.com\/about\/press-releases\/2023_four-in-ten-companies-plan-to-outsource-cybersecurity\" target=\"_blank\" rel=\"noopener nofollow\">study<\/a> revealed, professional outsourcing is currently a popular option: almost 80% of companies prefer to outsource the cybersecurity function due to staff shortages. 
This option can deal with problems in the short term as well as the long term.<\/p>\n<p>Another way is to train existing staff in house and build up internal knowledge within the company, meaning that the people handling cybersecurity have both a deep understanding of and 100% focus on the organization\u2019s needs. With in-house training, a company also has direct control over the content and scheduling, and can customize the courses according to its needs.<\/p>\n<p>And of course, don\u2019t forget about solutions that help reduce the burden on the staff, allowing them to spend more time on skills improvement and not on hours-long routine tasks. Threat Intelligence databases and automated solutions for monitoring and responding to cyber threats can become such assistants.<\/p>\n<h2>List of recommendations<\/h2>\n<hr>\n<h3>Educational training courses and cybersecurity awareness<\/h3>\n<ol>\n<li>Invest in training so your IT security specialists keep their skills up-to-date and are best prepared for the cyber threat landscape. With <a href=\"https:\/\/kas.pr\/99tr\" target=\"_blank\" rel=\"nofollow noopener\">Kaspersky Expert training<\/a>, InfoSec professionals can advance their skills and be able to defend their companies against even the most sophisticated attacks as needed.<\/li>\n<li>Regularly educate all your staff, even IT and InfoSec professionals, about actual cyber threats and ways to confront them. <a href=\"https:\/\/kas.pr\/uy59\" target=\"_blank\" rel=\"nofollow noopener\">Security Awareness training<\/a> can help companies to address specific security needs and minimize the possibility of cybersecurity incidents caused by their own employees.<\/li>\n<li>Use interactive simulators to check your own expertise and assess the way of thinking in critical situations. 
For instance, with the new <a href=\"https:\/\/kas.pr\/hq4m\" target=\"_blank\" rel=\"nofollow noopener\">Kaspersky interactive ransomware game<\/a> you can observe the deployment, investigation and response to an attack by the company\u2019s IT department and make vital decisions with the game\u2019s main character.<\/li>\n<\/ol>\n<h3>Managed cybersecurity service providers<\/h3>\n<ol>\n<li>Adopt managed security services such as our <a href=\"https:\/\/kas.pr\/gj1e\" target=\"_blank\" rel=\"nofollow noopener\">Managed Detection and Response (MDR)<\/a> and\/or <a href=\"https:\/\/kas.pr\/mx66\" target=\"_blank\" rel=\"nofollow noopener\">Incident Response<\/a> to get additional expertise without additional hiring. It allows the best possible advanced automated security services and analysis of corporate data gathered every day, in real time, 24\/7, to help protect against cyberattacks and investigate incidents even if the company lacks cybersecurity specialists.<\/li>\n<\/ol>\n<h3>Collected expertise and automated solutions<\/h3>\n<ol>\n<li>Provide your InfoSec professionals with in-depth visibility into cyberthreats targeting your organization. The latest <a href=\"https:\/\/kas.pr\/j4dt\" target=\"_blank\" rel=\"nofollow noopener\">Threat Intelligence<\/a> will supply them with rich and meaningful context across the entire incident management cycle and help to identify cyber risks in time.<\/li>\n<li>Use centralized and automated solutions such as our <a href=\"https:\/\/kas.pr\/z49p\" target=\"_blank\" rel=\"nofollow noopener\">Extended Detection and Response (XDR)<\/a> to reduce the burden on the IT security team and minimize the possibility of making mistakes. 
By aggregating and correlating data from multiple sources in one place and using machine learning technologies, such solutions provide effective threat detection and fast automated response.<\/li>\n<\/ol>\n<p>To learn more about the cybersecurity skills shortage, read the entire report \u2018<a href=\"https:\/\/www.kaspersky.com\/blog\/portrait-of-infosec-professional-report-2024\/\" target=\"_blank\" rel=\"noopener nofollow\">The portrait of modern information security professional<\/a>\u2019.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Key findings Only 43% of companies have a formal evaluation process for the InfoSec workforce. The most important selection criteria that companies use when choosing a training program is to<\/p>\n","protected":false},"author":2706,"featured_media":50381,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"categories":[],"class_list":["post-50677","page","type-page","status-publish","has-post-thumbnail"],"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/portrait-of-modern-infosec-professional-research-2024-evaluation\/"}],"acf":[],"banners":"","is_landing":true,"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/pages\/50677","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2706"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=50677"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/pages\/50677\/revisions"}],"predecessor-version":[{"id":50810,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/pages\/50677\/revisions\/50810"}],"wp:feature
dmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/50381"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=50677"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=50677"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}