It's hard to read an IT security publication these days without catching a reference to the more than 1 million unfilled cybersecurity jobs available. On one hand, it isn't a surprise; in our professional and personal lives, we've become heavily dependent on technology, quickly adopting IoT and cloud solutions into our daily routines. In some ways, our adoption has been so fast that it's outpaced our ability to build and maintain security.
We know there's still a way to go to close the gap between our education and development efforts and filling those open roles... but that's not the only gap we should be talking about.
Today's security tools are becoming more complicated than most security teams can absorb, which further limits the ability of already stretched teams to succeed.
A 2016 study by the Center for Strategic and International Studies (CSIS) and McAfee found that 82% of survey respondents had a "shortage of cybersecurity skills", yet 9 out of 10 said that "technology could help compensate for skills shortages." Still, at large, we have not seen a significant shift in focus from security and IT vendors to help these short-staffed teams. In fact, I often see the opposite—security software which requires immense human expertise and time to operate.
I have a unique perspective on this; I've been a technical practitioner and now work at a vendor, leading a managed services business. Yes, we have seen an increase in outsourced security due to a growing inability to fill internal positions. However, even managed service providers experience similar challenges. We all want our teams to be as effective and efficient as possible. Unfortunately, the reality is that very little security software is designed that way today.
The security 1%
One of the reasons for this friction is that the early adopters of security technology—banks, national governments, and the largest enterprises—often have amazingly bountiful budgets and can hire significant expertise. To be fair, they also have some of the most complex networks, large amounts of critical information to protect, and are targets for the most sophisticated adversaries who innovate every day. As such, early adopters are often the first to deal with new attacks and have immense attack surfaces to protect. Bank of America's CEO said they would spend $400 million on cybersecurity in 2016, and J.P. Morgan Chase claimed $500 million.
Sizable budgets enable the hiring of top security talent, including highly trained resources from organizations like the National Security Agency (NSA), Israel Defense Forces, the UK's Government Communications Headquarters (GCHQ), and other national intelligence organizations. These businesses can have hundreds (or thousands) of employees working in cybersecurity, including development teams that can customize and integrate security solutions into their operational environment. As they deal with sophisticated adversaries—perhaps even seeing new types of attacks first—they are positioned to acquire or develop tools quickly to address them.
This budget and resource potential presents a great opportunity for security vendors to develop technologies that address new issues. This is how security technologies are built for the "security 1%."
While the security 1% dynamic drives innovation, the solutions these organizations need don't often map well to the rest of organizations—the other 99%. The typical information security team doesn't have a single employee with an intelligence background, and has limited ability to customize and integrate solutions. Yet many small organizations end up purchasing the same solutions as the 1% because the success of these tools has been touted by the larger organizations, or has been recognized by analysts or through product awards and other industry recognition. When smaller or less-resourced organizations make this choice, it's one that ends up introducing additional stress.
The good news is that if you're part of the 99% you can do something about it. You can make your security team more effective by choosing solutions that fit your organization. Given the larger market for information security solutions, a lot of different vendors are looking to solve challenges for all types of organizations.
Three keys to making better decisions: personas, usability, and automation
When evaluating vendors, the first thing I would encourage you to do is to understand who the software was built for. Product management and user experience design teams typically use personas to understand who is buying and using their products, and for what purpose. Ask vendors what persona(s) were used when designing and building the product. If they don't know, or respond that "it's built for everyone," you should (most likely) be concerned. If the vendor describes an organization that sounds like yours, probe deeper into the profile: What is the size of the team? What experiences and skill sets do they have? What does their threat profile look like? Because personas are often very detailed to help development teams build, you won't necessarily match up in every column, but you should see a lot of common ground.
Why does this matter? Take something as seemingly simple as a firewall. There are firewalls designed for service providers that have incredibly high throughput and automated provisioning features. And there are firewalls designed for small businesses who may not even employ a full-time IT person, let alone a dedicated security person. There are also a number of solutions in the middle. In this vein, you have to examine your specific business's needs and preferences before choosing the right solution. For instance, a large bank would (most likely) struggle with the performance and lack of integration typical of a small-office/home-office (SOHO) product; the opposite is equally true. Significant customization options could confuse a smaller security team, leading to suboptimal configuration, or requiring additional time to deploy and manage due to the complexity of the interface. Finding a solution that matches your organization will enable you to make the most effective use of the solution and help reduce the greatest amount of cybersecurity risk.
Beyond personas, you should also evaluate solutions for usability, not just efficacy. While efficacy is critical—you shouldn't buy a solution that doesn't increase your team's performance—it is not the only consideration in a product acquisition. A focus on usability allows you to create benchmarks and determine which tool best meets your needs: How long does a similar task take across competitive solutions? Was user training required, and if so, how will future additional users acquire training (and at what cost)? How many tries did it take to arrive at the optimal outcome? Before bringing any new tool into your environment, even if it was the right choice for a larger, more prominent organization, ask yourself: Was it designed so my team can really use it?
Finally, focus on automation. Don't let security automation be a scary term. I'm not suggesting we let Skynet from The Terminator take over running our security programs, but automation is one of our biggest opportunities to close the talent gap. The industry currently has a limited supply of security talent. Automating what we can ensures our teams stay focused on the most valuable, impactful things. Automation doesn't have to solve a problem start to finish, and is far from replacing human judgement. However, human reliability for repeatable tasks carries a high error rate—at times, as high as 1 out of 100, and the rate increases with stress or exhaustion. Automation does not replace humans in the cybersecurity industry, but it does improve efficacy while elevating job satisfaction.
To use automation effectively, look at a process and determine what steps you continually repeat. Then ask yourself: Can these steps be automated? Enriching an alert before analysis, automatically listing known vulnerable libraries in an application stack, and opening requests in IT service management systems to key off change management processes are perfect examples of what can be automated to improve your team's efficiency, efficacy, and satisfaction. You don't have to solve an entire workflow in order to leverage automation. Ask yourself how far you can drive a process until it requires a human to review or take action. Automation within a solution will likely increase both its efficacy and its usability, and can be part of the usability review above.
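As an added illustration of "drive the process as far as you can before a human is needed" (example code written for this page, not anything from the author or a particular product): the script below enriches a constructed failed-login alert with asset, identity and authorized-scanner context, auto-closes only the narrow case it fully understands, and hands everything else to a person with the context already attached. The inventory, scanner range, directory and ticket structure are all hypothetical stand-ins for a CMDB, a vulnerability-scanner allowlist, an identity directory and an ITSM ticket.

```python
"""Alert enrichment with an explicit human hand-off point (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample data standing in for a CMDB, an authorized-scanner
# allowlist and an identity directory. All values are hypothetical.
ASSET_INVENTORY = {
    "10.0.5.20": {"hostname": "db-prod-01", "owner": "dba-team", "criticality": "high"},
    "10.0.8.14": {"hostname": "ws-jdoe", "owner": "jdoe", "criticality": "low"},
}
AUTHORIZED_SCANNERS = [ip_network("10.0.99.0/24")]
DIRECTORY = {
    "jdoe": {"privileged": False, "status": "active"},
    "svc_backup": {"privileged": True, "status": "active"},
    "mlee": {"privileged": True, "status": "terminated"},
}
UNKNOWN_ASSET = {"hostname": "unknown", "owner": "unknown", "criticality": "unknown"}
UNKNOWN_IDENTITY = {"privileged": False, "status": "unknown"}


@dataclass
class Alert:
    rule: str      # detection rule that fired, e.g. "auth_failure_burst"
    src_ip: str
    dst_ip: str
    user: str
    count: int     # number of events aggregated into this alert


@dataclass
class Enriched:
    alert: Alert
    asset: dict
    identity: dict
    from_authorized_scanner: bool
    findings: list = field(default_factory=list)
    decision: str = "needs_human_review"


def enrich(alert: Alert) -> Enriched:
    """Attach the context an analyst would otherwise look up by hand."""
    src = ip_address(alert.src_ip)
    e = Enriched(
        alert=alert,
        asset=ASSET_INVENTORY.get(alert.dst_ip, UNKNOWN_ASSET),
        identity=DIRECTORY.get(alert.user, UNKNOWN_IDENTITY),
        from_authorized_scanner=any(src in net for net in AUTHORIZED_SCANNERS),
    )
    if e.identity["status"] == "terminated":
        e.findings.append("account belongs to a terminated user")
    if e.identity["privileged"]:
        e.findings.append("account is privileged")
    if e.asset["criticality"] == "high":
        e.findings.append("target asset is high criticality")
    if e.asset is UNKNOWN_ASSET:
        e.findings.append("target not in asset inventory")
    return e


def triage(e: Enriched) -> Enriched:
    """Decide only the cases the rules fully cover; everything else goes to a person."""
    if e.from_authorized_scanner and not e.findings:
        e.decision = "auto_closed"          # expected noise from an approved scan
    elif "account belongs to a terminated user" in e.findings or (
        "account is privileged" in e.findings
        and "target asset is high criticality" in e.findings
    ):
        e.decision = "escalate_p1"          # human acts now, with context attached
    else:
        e.decision = "needs_human_review"   # automation stops here by design
    return e


def ticket_payload(e: Enriched):
    """Build the ITSM ticket body a human sees; field names are hypothetical."""
    if e.decision == "auto_closed":
        return None
    return {
        "title": f"{e.alert.rule}: {e.alert.user} -> {e.asset['hostname']} ({e.alert.count} events)",
        "priority": "P1" if e.decision == "escalate_p1" else "P3",
        "owner_group": e.asset["owner"],
        "context": list(e.findings),
    }


if __name__ == "__main__":
    sample = Alert("auth_failure_burst", "203.0.113.9", "10.0.5.20", "svc_backup", 120)
    print(ticket_payload(triage(enrich(sample))))
```

The design choice worth noting is that `triage` auto-closes exactly one well-understood pattern and otherwise defaults to a human decision; the value of the automation is in the enrichment and the pre-filled ticket, not in trying to make every call.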
It's important to note that automation between security solutions is more complicated and requires interfaces, standardization, or the technical resources to implement. Evaluating vendors' partner ecosystems before implementation, and as part of the RFP process, can help set you up for successful automation integrations down the line.
Buying better software won't completely solve the talent gap issues. However, finding software designed for organizations like yours, focusing on the usability of the solution, and driving automation can make a significant impact, and make your security team more successful and happy.
David will be teaching a half-day workshop on "Establishing Your Information Security Brand" at InfoSec World Conference in Orlando, Florida, March 19-21, 2018.