Jessica Gulick is Chief Strategist at CSG Invotas.
The IT security skills gap is getting wider again, and it will affect your organization's security.
Hiring managers in IT security have been facing down the skills gap problem for quite a while now. From the boom of the mid '90s through the turbulent economy of the past decade, organizations have been making steady, significant investments in their IT security infrastructure. Through all of this, the need for skilled information systems professionals has played an ongoing part in how effectively an organization can take advantage of new technologies that promise to improve their ability to serve organizations. After all, without a skilled IT security team, projects falter, deadlines are missed, and opportunities are lost.
As we hit the apex of our current decade, IT security has truly transformed from a recognized – but often neglected – concern for business leaders to a hot-button, three-alarm fire. With big-name multinationals suffering multi-billion-dollar data security breaches now suddenly front-page news, organizations are finally taking notice and making significant investments to secure their networks, protect their data, and guard intellectual property.
The combination of new, rapid investments in security infrastructure and the increased frequency and sophistication of cyber attacks has driven the need for skilled security professionals to "man the battle stations." But as anyone in the field can tell you and as Network World has reported, IT security professionals are some of the most sought-after technology employees, and yet the vacancies are also some of the most difficult positions to fill.
In the '90s, the tech shortage led, for a time, to many top-level application developers being gifted with luxury sports cars and treated to unsustainable levels of salary and perks. That was quickly wrestled under control, and then the tech bubble burst, and with it went much of the mad money dedicated to hiring IT staff. To fill the gap, there was a coordinated effort put forth by industry and government to grow (or import!) new tech workers capable of filling the gaps. The same scenario is unfolding today. IT security is on the lips of every college campus IT curriculum planner, staffing organization and for-profit IT skills training company you can find. Even the U.S. military is offering significant incentives to lure promising recruits to their new cyber defense units. All of these initiatives will, in time, help address this gap. But they won't solve it.
The problem, of course, is that this isn't the '90s. The complexity, scope, and size of the global IT security enterprise footprint of today dwarfs anything that has come before. Our IT security environments have seen unprecedented growth in the last decade, and the technologies that once were only available to the largest and most profitable of businesses have trickled down to even small organizations. Our world is more intrinsically connected than ever before, and by the very nature of that connectivity we are all more exposed. The longer we're exposed, the more lasting the damage from cyber attacks will be and the more devastating they will become.
So how do we bridge that gap?
For the short term we'll likely see a boom in the adoption of managed security services. This approach enables organizations of all types to virtually have it all – high-quality security monitoring at a premium that is less expensive (and less onerous to manage) than hiring new IT security staff. It's not a bad plan, but like giving BMWs to really good programmers, it's not the long-term solution. After all, those service companies are going to be on the front lines fighting the skills gap as their customer base grows (and the complexity of the supported infrastructures grows), but the overall problem remains – too many attacks, too target-rich an environment, and too much work for even the strongest IT security staff to handle.
For those organizations that have a robust team in place already, many simply won't see a compelling enough ROI from outsourcing their needs and will opt to manage things in-house. Like fighting any operational fire, security operations will see an influx in spending (to a point) and then it will come down to a limited number of trained, experienced professionals having to wade through a morass of possible security threats in hopes of finding the poisoned needle in their infrastructure haystack.
Therein lies the crux of the problem. Most IT security organizations are focused on triaging small, throw-away threats and playing whack-a-mole with SIEM notifications rather than spending time preparing active defenses and doing forensic investigation. As an industry, we are taking the folks that are the most qualified – as well as the hardest to hire, retain, and incentivize – and we're making them slog through manual, repeatable work that could and should be automated. How can they gain any experience when they are mired in that day after day? How can any organization get ahead (or at least not feel so behind) of the IT security dilemma when they have their most talented people working on low-value activities?
It's time for automated threat response (ATR). Not only can ATR have computational horsepower thrown at it as need demands, it is also capable of automating away so much of the low-level work that takes up the majority of a security team's time. And that's what we're talking about, isn't it? Time. Even the most professional, most qualified IT security staff still only gets 24 hours in a day; there is only so much they can do. With ATR, organizations can finally scale their effective response to threats by keeping security professionals focused on the most important ones. Even junior staff can be made far more efficient, as ATR can guide them through the capture, elimination, and auditing of low-level problems, allowing them in effect to perform at levels that often require senior staff and management involvement. By coupling smart ATR with pre-approved incident response plans, junior staffers can be instantly more valuable.
There's no denying we need more security professionals to address the complexity and scope of today's cyber world. But to manage the skills gap for both the short and the long term, perhaps the first thing we need to do is evaluate the talent we do have and take a closer look at how we can use them more effectively. Relegating the best and brightest to mindless mitigation tasks – reactive to threats instead of being proactive – is not the answer. Automated threat response may not be as exciting as a new car or a private jet, but if we want to live in a world where cybersecurity is no longer front-page news, it may be just what we need.