Cyber security training costs surge as firms battle skills gaps

IT leaders discussing cyber security training costs and programs in an open plan office space while colleagues work at computers in foreground.
(Image credit: Getty Images)

Cyber security training costs organizations around $100,000 on average each year, according to research from Kaspersky, highlighting the steep price of battling long-running skills gaps.

Analysis from the cyber security firm showed nearly half (43%) of firms usually spend between $100,000 and $200,000 per year on information security courses for staff, while around one-third are spending more.

Just one-quarter of respondents told Kaspersky they spend less than $100,000 on educational initiatives.

Despite these efforts though, many cyber security practitioners believe they’re not offered adequate training to contend with an escalating threat landscape. Around 40% of respondents told Kaspersky that training courses were inadequate, or few and far between.

Some said they are willing to pay for additional training courses out of their pocket to ensure their knowledge and skills are up to date.

Cyber security training costs aren’t the only hindrances

According to Kaspersky, the costs of cyber security training isn't the only issue organizations are contending with in 2024. 

The study found the education/training market is struggling to keep up with current demands, with many failing to deliver the necessary training programs and learning materials on time.

The shortage of courses covering new challenging spheres was the main problem for those searching for cyber security training, cited by more than half of respondents.

Meanwhile, nearly half said that trainees tend to forget what they've learned because they have no opportunity to apply their newly-acquired knowledge.

The need for special training prerequisites such as coding and advanced mathematics, which weren’t actually specified at the pre-registration stage, were also a problem for 45%.

How can firms bolster cyber security training?

Kaspersky said one of the best strategies for maintaining cyber security skills is to develop high-profile specialists within the company and build internal expertise, rather than simply hunting for new candidates. 

"With a constantly evolving threat landscape, businesses should continually improve the skills of their cybersecurity personnel in order to be well prepared for sophisticated cyberattacks," said Veniamin Levtsov, VP, center of corporate business expertise at Kaspersky.

"For organizations served by managed service providers, it is also important to maintain a pretty high level of expertise internally and use the same language when discussing the scope of services and service level agreement with them."

Skills shortages still run rampant

According to the report, there is still a significant cyber security skills shortage, with 40% of InfoSec professionals noting their organization’s cyber security teams are somewhat or significantly understaffed. 


These shortages are the worst in Russia, followed by Latin America, the Asia–Pacific region and the Middle East, Turkey and Africa, while the least understaffed regions are Europe and North America.

Information security research and malware analysis are the most understaffed roles globally, cited by four-in-ten, while the biggest recruitment challenges are the discrepancy between certification and practical skills and lack of experience, both cited by around half.

Almost half of security professionals claim it takes more than six months to fill an information security position.

The good news for cyber security staff is that the ongoing skills shortage is causing salaries to rise, with a recent report from Cybershark Recruitment finding that salaries in 17 out of 20 categories of cyber security work increased last year.

These rises were highest in critical national infrastructure, digital forensics, identity and access management (IAM), and business continuity management.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.