If you’ve followed my writing, you know that I passionately broadcast issues related to the global cybersecurity skills shortage. Allow me to report some sad news: Things aren’t improving at all. In 2016, 46% of organizations reported a problematic shortage of cybersecurity skills. In 2017, the research is statistically the same as last year; 45% of organizations say they have a problematic shortage of cybersecurity skills.
Now these numbers point to an overall dearth of talent but the cybersecurity skills shortage is especially pronounced in cybersecurity analytics and operations. For example:
- According to 2016 research conducted by ESG and the Information Systems Security Association (ISSA), 33% of respondents said that their biggest shortage of cybersecurity skills was in security analysis and investigations. Security analysis and investigations represented the highest shortage of all security skill sets.
- Recent ESG research reveals that 54% of survey respondents believe that their cybersecurity analytics and operations skill levels are inappropriate, while 57% of survey respondents believe that their cybersecurity analytics and operations staff size is inappropriate.
The ramifications of skills and staff deficiencies are also apparent in the research. Cybersecurity operations staffs are particularly weak at things like threat hunting, assessing and prioritizing security alerts, computer forensics, and tracking the lifecycle of security incidents.
Of course, many CISOs propose an easy fix: Simply hire more cybersecurity staff to bridge the knowledge and staffing gaps. In fact, 81% of the cybersecurity professionals surveyed say that their organization plans to add cybersecurity headcount this year.
Unfortunately, this isn’t always easy to do. According to the ESG research, 18% of organizations find it extremely difficult to recruit and hire additional staff for cybersecurity analytics and operations jobs while another 63% find it somewhat difficult to recruit and hire additional staff for cybersecurity analytics and operations.
Given the fact that CISOs can’t hire their way out of this mess, what can they do? Here are a few things I see leading organizations undertaking to address the skills shortage:
- Pushing on automation and orchestration. CISOs are assessing security operations processes, developing formal runbooks, and using technology to help add automation and orchestration to staff sweat and brainpower. Tools from vendors like IBM (Resilient), Phantom, ServiceNow, Siemplify, and Swimlane can be helpful here.
- Kicking the tires on machine learning. Slowly but surely, large organizations are figuring out the right use cases for machine learning technologies that can help them prioritize and investigate true security incidents. Promising vendors include DarkTrace, E8, Exabeam, HP (Niara), IBM (Watson), Palo Alto Networks (LightCyber), Splunk (Caspeda), and Vectra Networks. CISOs should cast a wide net here, however, as there is a lot of innovation happening quickly.
- Rationalizing, consolidating, and integrating security tools. Security operations today is based upon too many tools that don’t talk to each other, adding to security operations overhead. Many CISOs are seeking to counter this complexity by building an integrated security technology architecture like ESG’s security operations and analytics platform architecture (SOAPA).
- Seeking help. Rather than struggle, smart CISOs are relying more on professional and managed services. It should be noted that even the most advanced organizations realize that they can’t do everything themselves and are looking to service providers to supplement the internal staff.
- Investing in training and cybersecurity staff career development. CISOs who want to recruit and retain the best talent need to make their organization a cybersecurity center of excellence. Key areas for investment include training, mentoring programs, and career development counseling. Savvy CISOs will also market their cybersecurity programs aggressively so the word spreads throughout the cybersec diaspora.
A few final thoughts:
- When I consult with CISOs, I tell them that they should consider the cybersecurity skills shortage in every decision they make. This advice is especially true when it comes to cybersecurity analytics and operations.
- I keep saying this but I’ll say it again: The cybersecurity skills shortage is an existential threat that impacts all of us. As such, national governments need to do more.