This isn’t another article about the skills shortage. We’ve all read plenty of those, detailing the alert fatigue plaguing analysts and the number of unfilled positions the industry can expect by 2020. Not only does the shortage seem to get bigger and more dramatic with every article I read, but all this talk isn’t getting us any closer to a solution. Instead of worrying about the skills shortage, let’s talk about how to fix it.
Sharing Responsibility: CISOs and Security Companies
Cyber security experts recognize that there is a problem, yet determining who is responsible for solving these issues is woefully under-discussed.
A company and the CIO or CISO will need to hire new security analysts, retain current team members, and brainstorm how to streamline processes and reduce the workload for the security team. Urging CISOs to be creative in their hiring, think strategically about the division of labor, and keep their employees engaged is all well and good. But in the long-term, these same strategies are unlikely to make a real difference for an organization’s ability to succeed in the face of the growing skills shortage.
Cyber-threats will only become more advanced, and the complexity of the digital business continues to increase. By failing to identify more permanent solutions to the issue, the industry is placing a burden on CISOs and security teams to “do more with less.” This approach will almost undoubtedly lead to mistakes, breaches, and attacks.
Security software companies need to take on some of the responsibility for solving this problem. If the industry is lacking “skills”, why not make it easier for less-skilled individuals to be successful in this space? If companies develop products with the requirement that the user be anywhere from junior all the way up to senior it could start making a real difference. By enabling less-experienced individuals to be successful analysts, these tools could inadvertently help CISOs to fill many of the positions that remain open.
College Graduates and Current Job Requirements
The number of students majoring in computer science continues to rise. A 2017 study (PDF) conducted by the Computing Research Association found that the average number of computer science majors has more than tripled since 2006 and more than doubled since 2011. It isn’t that the pool of talent available to CISOs isn’t growing. Instead, CISOs feel unable to dip into this new talent.
If you search “Cyber security analyst” most positions’ descriptions focus on prior experience. Find one such job description below:
● BS in Computer Science, Information Security, or a related field is highly desirable
● 3+ years of work experience in information security, especially in a network security analyst role
● 3+ years of past experience in a role on a Computer Incident Response Team (CIRT), Computer Emergency Response Team (CERT), Computer Security Incident Response Center (CSIRC) or a Security Operations Center (SOC) is highly desirable
● Security +, CEH, or SANS GIAC certifications are preferred
These job descriptions are informed by what skills CISOs believe their team members will need to have to succeed, which is in turn informed by their own experience. The tasks expected of security analysts, including working with a wide variety of tools, identifying genuine threats amongst false positives, and quickly remediating incidents, are all incredibly difficult.
However, cyber analysts can easily learn to operate at a senior level when working in tandem with artificial intelligence. Technology that can provide only high-confidence alerts, prioritize incidents, and also take action to stop an in-progress threat enables new analysts to quickly get up to speed. They can quickly come to have a sense of which anomalies are indicative of what type of threat and learn what actions are needed to remediate a threat.
The New Normal
In my work as an analyst, I’ve worked with numerous small companies and other organizations with limited resources around the world. At these 10-person hedge funds or non-profit organizations, there may not be any individual dedicated to security. My main contact responsible for the everyday security of his organization had the title of “Investment Principal.” However, by having the right tools deployed, these same individuals and organizations have prevented ransomware, identified threatening misconfigurations, and enforced detailed company policies.
This is what a tool designed for a more junior user can enable. The security skills shortage will continue to worsen unless organizations come to fundamentally rethink the current hiring model and job requirements. By creating tools that can be used both by non-technical individuals and experienced analysts, security companies can enable organizations to reduce the burden for experienced security staff, train new staff, and stay ahead of both the skills shortage and advanced threats.
Related: A ‘Force Multiplier’ for Tackling the Security Skills Shortage
Related: Recruitment Challenges Continue to Plague Cyber Security
