The shortage of skilled IT security professionals is not a new topic. Multiple reports have shed light on the talent shortage and the type of security risks associated with an IT department that is short on security skills. But a report released this week by Kaspersky Lab and partner B2B International shows the potential financial impact of being short-staffed in the security department.
The study, which surveyed nearly 5,000 representatives from companies of different sizes and industries, compared the breach recovery costs for large companies that had enough IT security staff with those for large companies that were light on security support. The average cost of recovery was between $1.2 and $1.47 million for companies with inadequate security support, and from $100,000 to $500,000 for companies with a strong and sufficiently staffed IT security team.
When an organization has internal IT security staff on the payroll, they become more familiar with the cyclical process of a breach and recovery and are able to learn from each incident and apply that knowledge to the organization’s security posture, says Michael Canavan, vice president of North America for Kaspersky Lab.
“This is a large reason why you see the smaller dollar amount with those incidents [at organizations with in-house security staff],” he says. They’re less traumatic because more information is known, he adds.
The survey also showed that additional staff wages make up a significant portion of the recovery costs -- $14K on average for SMBs and $126K for enterprises -- which was higher than the loss of business opportunities, credit rating, and compensation to clients and partners combined.
Candace Worley, vice president and general manager for enterprise endpoint security at Intel, points out that while nearly $1.5 million for a breach is high, the average cost of a breach is now over $4 million per incident, according to the Ponemon Group's Cost of Data Breach 2016 report.
“If a company was unfortunate enough to experience two breaches in a year," she says, then “investing in a security staff is the better way to go.”
She also notes that, on top of labor costs and the hard costs, organizations have to account for the brand impact and opportunity cost of a breach. “There’s the domino or cascade of costs,” Worley says.
Tejas Vashi, senior director of Cisco Services, says that while the industry acknowledges that many organizations need more security staff, it takes a long time to bring them on.
“Enterprises need to be proactively seeking out the talent and continuously reskilling their existing workforce,” says Vashi, adding that a proactive mindset is very important in the security space right now, for both hiring and threat mitigation. He likens the IT security landscape to a quote from Henry Ford: "The only thing worse than training your employees and having them leave is not training them and having them stay."