Survey: Cyber security skills gap poses serious risk

By Alison Job
Johannesburg, 04 Apr 2023
Brandon Muller, technical expert & consultant: MEA, Kaspersky.

Late last year, ITWeb conducted a survey to find out if SA businesses are experiencing a cyber security skills shortage, and if so, what they’re doing about it.

The survey, sponsored by Kaspersky, looked into whether outsourcing security solutions is a viable solution.

“The cyber security skills shortage is quite a concern in the global market, not just locally. Existing research shows 75% of companies in Africa say they’re encountering challenges recruiting and retaining qualified cyber professionals, and this while the cyber threat landscape is evolving,” says Brandon Muller, technical expert and consultant at Kaspersky.

“A lack of cyber security skills and personnel might compromise a business’s operations: how do they counter advancing cyber security threats with limited skills and resources?”

Attacks up, skills down

There’s been an increase in persistent and sophisticated attacks targeting organisations across Africa, with several new threats having become active in the region over the past year. In view of the escalating threat landscape, access to skilled cyber security personnel is more critical than ever. Yet more than half of the survey’s respondents (55%) indicated their business was definitely experiencing a cyber security skills shortage.

“Cyber attacks have affected a large proportion of businesses of all sizes and across all industries. We’re seeing a steep increase in the number and complexity of threats.”

Almost half of the survey’s respondents (44%) said ‘yes’ when asked if their organisation had experienced cyber security incidents in the past 24 months. An overwhelming majority (87%) said they’d heard of cyber security incidents in other organisations within their industry.

The steps taken after these incidents include introducing additional security policies or requirements (52%), IT team seeking external IT security expert advice (29%) and conducting training for IT personnel and staff (27%).

“Only 8% of respondents considered increasing their IT security personnel. The third that sought external advice had the right response when you consider the complexity of today’s cyber attacks. Prevention is much better than cure. You need the right services, solutions and people in place to defend your data rather than having to try to recoup information after an incident.”

Is outsourcing viable?

When it comes to who is responsible for managing IT within the organisation, the majority of the respondents said they had a specialist internal IT staff (74%), while only 33% had an internal security operations center (SOC). A quarter (24%) rely on non-specialist internal staff, 28% use an outsourced IT support company and 21% use an outsourced managed service provider.

Only 17% use an outsourced SOC and 15% use an outsourced consultant specialising in specific areas or platforms. “Cyber security in SA organisations is not neglected. But the appropriate solutions and services to back up the expertise that you have inside an organisation are.”

The information security function is managed by either a dedicated role or department (45%) or as part of the IT function overall (46%). Muller says, “Dedicated cyber security functions are not yet common in South African businesses and are often considered as part of the general IT function. However, the IT team is already inundated with responsibilities, so it makes sense to consider a dedicated qualified cyber security role.”

The majority of those polled (74%) believe it could benefit their business to expand its cybersecurity team when there’s a need for additional experience and protection. “The big question comes down to outsourcing,” says Muller. “The majority still believe it’s possible to outsource certain elements of their cyber security platforms. But there are also those that won’t even consider it because they prefer to enhance their own internal teams. There are pros and cons to each approach, and we can recommend options that address both preferences including managed detection and response, threat intelligence and training of personnel.”