The skills shortage in cyber security
Laurence Pitt, global security strategy director at Juniper Networks, speaks to Capacity about the decreasing number of skilled personnel in cyber security and the effect it's having on global businesses.
A recent report from Juniper Networks in partnership with the Ponemon Institute, the research centre dedicated to privacy, data protection and information security policy, found that 57% of respondents don’t have enough skilled security personnel to deploy their security automation tools.
Speaking exclusively to Capacity, Laurence Pitt, global security strategy director at Juniper Networks, elaborated on the findings, explaining that the problem is not a lack of talent or that security firms can’t recruit.
“It’s a lack of skilled personnel on the market with experience in deploying security automation, and this doesn’t just relate to automation tools. The same shortages exist right across security operations roles. The criticality of these automation tools means that organisations want to hire people with experience that can build out a team and train less experienced staff once the structure is in place – but, finding those skilled staff to get projects moving is proving to be a challenge.”
According to Cybersecurity Ventures, by the year 2021 combating cybercrime will cost businesses worldwide more than $6 trillion per annum and there will be 3.5 million unfilled security jobs.
Cybercriminals continue to automate their attacks and are not subject to the same regulations and compliance constraints as businesses, and organisations are struggling with understaffed security teams, manual processes, disparate systems and complex policies that leave them buried in low value tasks.
“The cybercrime landscape is incredibly vast, organised and automated – cybercriminals have deep pockets and no rules, so they set the bar,” said Amy James, director of security portfolio marketing at Juniper Networks. “Organisations need to level the playing field. You simply cannot have manual security solutions and expect to successfully battle cybercriminals, much less get ahead of their next moves. Automation is crucial.”
Despite the need for greater automation, Pitt is quick to point out that skilled personnel are still a greatly needed asset.
“Security automation is ideal for taking repeatable tasks and having a computer perform them with 100% accuracy thousands of times. In turn, this increases the need for skilled personnel as they can then focus on performing strategic actions. Instead of managing security products, their role changes to managing security. The cost savings will come from the efficiency offered by automation performing these repeatable tasks, and future-thinking organisations will be investing these savings back into keeping ahead of the bad guys.”
In a recent interview with Capacity, Massimo Fatato, managing partner of next generation network practice at specialist consulting firm Cartesian, described a similar trend within the telecoms industry at large, noting that many of these companies are losing younger talent to OTTs.
At the time Fatato said: “OTTs are more aligned in terms of mentality and the way they gear the business to the mentality of the younger people. It’s not a matter of training people or offering perks. What I see is that they’re not very motivated in the same way I was motivated, they are more motivated by the mission of the company. So if telcos continue operating the way they’ve been operating for the last 20 years, not only will they not attract young talent they will really disappear.”
Echoing this sentiment, Pitt said: “Young talent will always gravitate toward what seems most exciting and this will continue to be a challenge. This means that traditional firms must change things up to attract and retain these people. From my experience, those that succeed will do so by ensuring that their new hires are provided with a sufficient and rewarding career, rather than a job.”
In practical terms, Pitt thinks that young talent needs to be trained, given time to study and keep their skills up to date, and provided with a “suitable career path in cybersecurity”. He adds that smaller companies aren’t able to do this very easily because of the investment it requires, but notes that “if someone feels that they are strategic and useful to the business, they are more likely to stay around”.
Other findings on staffing from the report include: only 35% say their organisations currently have the in-house expertise to be effective in using security automation to respond to malicious threats, and 62% say the lack of in-house expertise diminishes their organisation’s security posture.
The report indicates that much of the skills shortage is caused by vendor sprawl, which leaves security personnel too busy processing alerts, events and logs to find malicious activity. As a result, they don’t have the manpower to implement critical automation technologies, which results in diminishing security postures.
57% of respondents say they have interoperability issues among security technologies that diminish the effectiveness of automation technologies, 63% say it is difficult to integrate security automation technologies and tools with legacy systems, and 59% believe their organisation needs to streamline its number of vendors.
“There are multiple challenges with vendor sprawl,” says Pitt. “Organisations feel that they can’t find a single solution to all their problems, and so purchase multiple solutions which need to be managed. They then don’t have the time or resource to look at how different products could work together. Most products today either have direct integrations, or at least an API set to help.”
Lastly, the report found that the top two benefits of security automation are increased productivity of security personnel (64%) and automated correlation of threat behavior to address the volume of threats (60%). In addition, 54% of respondents say these automation technologies simplify the process of detecting and responding to cyber threats and vulnerabilities.
“Cybersecurity is ever-evolving to keep up with what the bad guys are up to, but this does not mean that organisations can always have the absolute latest and greatest solution deployed because any new product introduces some element of risk to a stable environment and requires resources to effectively manage it. From a skills perspective, this constant evolution can make it challenging for security professionals to maintain relevant knowledge, as the relentless pace of cybersecurity often means that professionals can’t hone their skills quickly enough to keep up with these criminals.”