Joanne Godfrey at AlgoSec examines what organizations can do to address the cyber-security skills gap.
It is well known that organizations today are facing an unprecedented number of cyber threats. From DDoS to ransomware, from phishing attacks to malware, the list of possible attack vectors is seemingly endless. However, there is one threat that organizations face which is quietly and stealthily eroding their defenses. What’s worse, this threat cannot be detected by any enterprise security products, yet it presents a very real long-term risk to their organizations: the cybersecurity brain drain.
The Information Systems Security Association (ISSA) and analyst firm ESG recently released a report which revealed that nearly half (46%) of businesses surveyed have a ‘problematic shortage of cybersecurity skills’, while nearly half of security professionals said they are approached for other jobs at least once a week! Moreover, 65% of security professionals ‘struggle to define their career paths’ due to poorly defined training and development processes, and the lack of a career map in cybersecurity, among other factors. The cyber threat landscape is changing so rapidly that security professionals legitimately fear becoming deskilled: 56% of respondents said that their current employer simply doesn’t deliver the right levels of training to keep up with new risks, threats and security products.
Boredom damaging long-term security
The findings follow on from AlgoSec’s 2016 ‘State of Automation in Security’ report, which highlighted another key factor that’s contributing to the brain drain. It showed that skilled security staff are spending much of their valuable time ‘keeping the lights on’ – manually maintaining and making changes to existing systems, trawling through endless security alert logs, and making device configuration changes – to plug security holes and keep things running smoothly. Not only is this type of repetitive, manual work unrewarding and boring, leading to staff dissatisfaction, it’s also counterproductive. As our survey showed, manual security changes often resulted in outages and security breaches. Furthermore, this menial work left staff without enough time to focus on more strategic business issues.
The net result is that security staff turnover rates are high, leaving organizations struggling to fill the gaps when key personnel leave, and hindering their ability to build comprehensive, long-term cybersecurity strategies to protect and enable their businesses.
Addressing the problems with automation
So what can be done? Clearly, organizations have a responsibility to improve their IT security training and staff retention programs – in particular to attract talented junior staff. But of course, these measures cannot be implemented overnight – they take time and resources.
More than half of our survey respondents believed that automating security processes could replace many of the repetitive, mundane tasks, such as managing security changes and preparing for regulatory audits. In addition to freeing up staff to focus on more strategic initiatives, automation significantly speeds up these processes and reduces the number of mistakes made. Not only that, by proactively assessing the risk of each and every change, automation helps organizations remain continually compliant, something more and more auditors are now demanding, and improves their overall security posture. And, as an added bonus, automation solutions track and document everything, thereby reducing the reliance on the team veterans who may or may not remember this information.
Turning security into a strategic asset
But automation can do much more than simply help security staff with the day-to-day management of their security processes. It can also play a critical role in strategic business and security projects. For example, when migrating business applications to the cloud, security automation solutions can identify and map application connectivity prior to the migration – a task that’s typically extremely manual, slow and costly. Automation gives the security team the information they need to correctly migrate and configure business application connectivity in the cloud quickly and securely – without risking an outage or creating security holes. And assuming it supports a multi-vendor and multi-platform environment, automation removes the need to have domain experts for each specific security vendor’s products and platforms deployed across the enterprise network. In addition, it enables the security team to manage the entire environment holistically – which eliminates blind spots and improves the organization’s overall security posture.
Augmenting, not replacing
While automation clearly delivers many security and business benefits, it is not about replacing skilled staff with technology. Rather, automation is about giving security staff the opportunity to fully utilize and advance their skills. An experienced, qualified security team is a huge asset to the organization – especially now – so they really shouldn’t be spending their time manually sifting through logs or tweaking firewall rules, when they could be actively developing your overall security strategy to counter the next generation of cyber threats.