The cybersecurity skills gap – and automation as the answer

As the number of attacks increases and the shortage of skilled security staff continues, automation may be the only solution to the problem. To manage security well, organisations need to get more automated – but what does this look like?

By Tony Hallett

Tue 25 Apr 2017 @ 9:09

One journalist put it this way: “I keep writing about the cybersecurity skills shortage for one consistent and troubling reason: It ain’t getting any better.”

There’s plenty of data to back that up. One oft-cited report puts the shortfall at one million trained staff – and that was a couple of years back. Meanwhile, ESG’s annual research, both last year and in 2017, showed about 45 per cent of organisations reporting a “problematic shortage” in cybersecurity skills. No wonder they called one report ‘A State of Emergency’.

In practice, this mostly results in burnout among the staff who are available, which in turn means organisations experience more risk than they’d want. And we know risks are on the rise from areas such as ransomware, various social engineering techniques and attacks taking advantage of newer ways of working, including mobile, cloud and Internet of Things-connected devices. Very few organisations can keep up.

Some answers to this really help, such as a culture of security and training from the very top of an organisation down. Or sharing intelligence, even with competitors. But they aren’t enough.

Other approaches can be questionable. The median pay for those who work in various security roles is already higher than for many other professions. Throwing money at new hires only goes so far. It’s hard to keep staff churn low that way.

Automated attacks call for automated defences

There is a way to ease the skills shortage and it’s increasingly coming to the fore. It’s automation.

It’s an approach that’s been used for a long time for detecting threats and now it’s being used for intelligent response. That makes sense in a world where so many advanced persistent threats are themselves automated.

Automation of security processes featured in the conclusions of the ESG study, which found nearly one in three respondents admitted their security capability wasn't big enough. CISOs, it concluded, will “have to turn to other options like enhanced cyber security automation and orchestration” or a managed security service.

The research reported that, with the skills shortage unlikely to go away anytime soon, CISOs and IT chiefs should: “Initiate and push projects for security automation and orchestration that use technology to alleviate tedious manual processes.”

Unlike even the best security personnel, automated systems don’t have to sleep or take lunch breaks. They also tend to be more accurate and able to follow strict rules around major compliance regulations such as PCI-DSS and Sarbanes-Oxley. Some would also argue automated systems are better than their human counterparts at decision-making – or at the very least more consistent.

So automation can help improve remediation, speeding it up and making it more effective and efficient; it’s not just about reducing workload. This suggests it should be the primary, scalable response to the skills crisis in the face of cybersecurity threats.

However, it does leave one major gap. As automated systems for remediation, as well as protection and detection, are used more, the security industry still needs people to manage them. This could well be the tech job of the future.

There are even standards evolving in this area, such as the Information Security Automation Program (ISAP). As automation continues to be more widely applied, there won’t just be a need for those who can program these systems and apply these standards. There will still be problems that slip through automated defences and – most importantly – we will still need strategic, critical thinking. And that tends to be a very human skill.