Chapter 2. Initial professional struggles

Respondents note the lack of hands-on experience in their formal education, and many of them acknowledge that they might not have had the right kind of practical skills when entering the field, resulting in initial struggles and failures at their job. Despite the cyber industry continuously reporting a workforce gap, 34 percent of respondents claim to have had three or more failed interviews before being selected for an InfoSec role.

Number of unsuccessful interviews

When getting to grips with their job, 46 percent revealed it took more than a year before they were comfortable or confident in their first cybersecurity role. Interestingly, the largest share of those who managed to get the hang of their responsibilities at work promptly was observed in the META region (42%).

Time taken to get comfortable at work

Time taken to get comfortable at work by region

Additionally, more than 50 percent of new starters in the cyber industry said they had made initial mistakes in their job due to lack of theoretical or practical knowledge. Among respondents with 2-5 years of experience, nearly 6 out of 10 admit to mistakes like these.

Mistakes during initial years

Mistakes during initial years by experience

Failing to update software (43%), using weak or guessable passwords (42%) and neglecting to take timely backups (40%) were the most common mistakes made by InfoSec professionals. In APAC and North America, the use of outdated security measures was also a common mistake cybersecurity experts made at the beginning of their career.

Mistakes during initial years

Mistakes made by InfoSec professionals – by region

“In one instance, early in my career, I failed to adequately prioritize and address a critical security vulnerability in a timely manner and the reason for this mistake was there was a lack of understanding of the potential impact of the vulnerability and the urgency of remediation,” admits a cybersecurity professional from the United States.

Part 1. Conclusion


The shortfall in InfoSec education and in the quality of training originates in the fact that the rapid growth of cybercrime makes it difficult for the available workforce to keep up. At the heart of the problem are the peculiarities of the traditional education industry, which, by nature, is slow to react and change, making it challenging to keep pace with the latest cybersecurity industry developments.

Many decision-makers report difficulties in finding great certified professionals quickly enough to fill new positions, so they prefer paying for the external training and certification of their own employees to searching for new staff. It is clear from respondents that current InfoSec training needs to be more focused on specific roles and reflect a greater understanding of the evolution of InfoSec and the new requirements professionals face daily, rather than simply teaching theory.

Respondents also suggest there should be more regular reviews, updates or standardization of cybersecurity course content, giving professionals more access to the latest and most efficient tools for practical education programs, and greater provision of course content in regional languages.

Companies worldwide need to face the education gap, and evaluate and enhance their InfoSec employees’ skills so they can better tackle the rapidly changing threat landscape. There has never been a more urgent need for the cybersecurity industry to connect with the academic world, so both sides can benefit from new areas of expertise, in places where people can develop their skills, exchange ideas and network.

With the need to keep up with the pace of technological evolution, teaching with the latest tools and technologies is required more than ever, and there is no better way of doing this than by creating more internships and real-life experiences for new professionals.

List of recommendations


Enhancing academic learning outcomes with industry cooperation

  1. Higher education institutions can upgrade their curriculums by partnering with cybersecurity players and integrating the latest industry knowledge into their training programs. Kaspersky has a special program for universities to integrate cybersecurity expertise: Kaspersky Academy Alliance, which offers program participants access to world-class knowledge on cyberthreats, lectures and training sessions, as well as the latest technologies.
  2. Young professionals can supplement their academic training with real-life job experience by completing an internship in an information security or R&D department. Follow the news on Kaspersky’s LinkedIn page to be the first to learn about internship openings.
  3. International competitions run by various companies and organizations also provide cybersecurity professionals with a chance to develop their skills by solving various cybersecurity challenges. Kaspersky runs the Secur’IT Cup – a global competition for students from all over the world and from various academic backgrounds. Participants have the chance to compete for an award while building an understanding of what it is like to work in the industry.
  4. Practicing cybersecurity professionals can opt for continuous learning, undertaking additional training and certifications. Kaspersky provides a wide range of knowledge on information security for IT professionals, offering both professional education for individuals and corporate training.