AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Plugging the cybersecurity skills gap with automation

Nearly half of organizations claim that they have a ‘problematic shortage’ of cybersecurity skills in 2016, as opposed to just 28% last year, according to a recent survey by analyst firm ESG.

Their findings are supported by a Stanford University project, which, as outlined in the same article, has discovered that ‘more than 209,000 U.S.-based cybersecurity jobs remained unfilled, and postings are up 74 percent over the past five years.’ Meanwhile, the U.S. Bureau of Labor Statistics predicts that the demand for skilled cybersecurity staff will grow by 53% by 2018.

But what can organizations do to fight the disconnect between supply and demand and ensure that they have the right cybersecurity skills in place, skills that can adequately protect them in an increasingly challenging world?

The cybersecurity sector has, generally speaking, been too introspective in recent years, expecting talent to simply land in their laps. But with the growing number of threats facing organizations every single day, and talented young IT enthusiasts choosing alternative career paths, it’s a problem that can’t be ignored any longer, especially because, as my colleague Nimmy Reichenberg likes to say, “creating a security professional with 10 years of experience takes … well, 10 years”. ESG analyst Jon Oltsik outlined three possibilities that he believes will help to attract people into the sector.

  1. Greater engagement with IT graduates, in particular through increased cooperation between large businesses, universities and government.
  2. CISOs should develop in-house training programs to recruit and develop junior cybersecurity employees. This would offer a further opportunity to attract bright and talented individuals from a broad range of backgrounds, including non-IT, and provide them with highly targeted training.
  3. Greater collaboration within the industry. Oltsik points out that while leading vendors have individual cybersecurity training programs, these do not extend to an industry-wide initiative to attract and train new people.

While Oltsik’s suggestions sound good in theory, they might not be entirely feasible in practice. To implement them would require an investment of both resources and finance that may be beyond the budget capabilities of many organizations. And it’s an even greater leap to expect competitor vendors to pool resources to train staff.

The findings of ESG’s report follow on from our own ‘State of Automation in Security’ survey which showed that currently highly skilled engineers are spending their valuable time ‘keeping the lights on’ – manually maintaining existing systems, sifting through countless security alerts, and making device configuration changes – changes which are inadvertently causing outages and security holes.

2 out of 4 of our survey respondents believe that automation of security processes, while not a replacement for intelligent human analysis, can replace much of the ‘grunt’ work and repetitive tasks – alleviating some of the staffing pressures on IT and helping to free up time to work on critical security and strategic business initiatives. Additionally, automation solutions are considered to be far quicker and more accurate than humans for this type of techno-drudgery, which will ultimately help make organizations more secure and compliant.

Another related benefit of automation is that it self-documents the reality of your security configurations – which in turn reduces the reliance on veteran experts and tribal knowledge, while helping to speed up the process of educating and ramping up new staff. Moreover, automation reduces the reliance on specific domain, vendor and platform experts – which again helps address the shortage in security experts.

The skills gap is a complicated issue with no easy or straightforward answers. However, organizations can alleviate the problem with automation. Automation can help support a more robust and forward-thinking security posture, and a better utilized and happier security staff.
