Many studies highlight the acute shortage of cybersecurity professionals across industry sectors, a shortfall projected to reach 1.5 million professionals in the next five years according to the latest (ISC)2 Global Information Security Workforce Study.
This is a serious problem because, as any security pro will tell you, their craft combines both art and science. Even ambitious policy proposals meant to produce more cyber talent from universities and coding camps will take years to offset skills deficits, because graduates will still need to learn “under fire” in the trenches to complement classroom learning.
The skills shortage is increasingly blamed for struggling incident response and security management at many organizations. With no ready pipeline of incoming security experts – despite companies’ lucrative bids to hire – the focus of many security teams I meet is “doubling-down” on the staff they do have in-house by analyzing how their abilities can be further honed.
This is where “We need more training for our team!” becomes the common refrain. However, to advance security in the face of talent, time and other shortages, we need to think bigger than training. Organizations need to rethink how they measure the effectiveness of their security technology, tactics and teams as a whole.
Talent is one security defense
Personnel are one part of every organization’s security posture including deployed security products between perimeters and endpoint devices, plus analytics and database software in security operations centers (SOCs). Linking these moving pieces are processes like incident response policies and workflows, which cannot be ignored because they dictate how teams operate and guide new hires.
Viewed this way, it is clear that focusing solely on humans’ skills leaves important questions unanswered. You need to continuously gain a sense of how the talent, tools and processes are performing together – most importantly, measuring how they work in the line of duty in the actual production environment. Otherwise, steps you take to invest in one or two individual areas can end up as piecemeal efforts with lower value and benefit.
Are you protecting yesterday’s assets?
Even the sharpest SOC veterans will struggle if security measures are out of scale with an organization’s constantly changing networks and IT assets. Newly-minted security graduates will understandably strive to conform to employers’ current security architecture and norms, regardless of how sound these are. Meanwhile, training is a poor means to discover, for example, where business partners’ decisions on shared networks might be eroding security safeguards and quietly ratcheting up risk.
The most valuable lessons are learned in the SOC
Once you realize it pays off to measure your security defenses in unison – how is this done and what does it frequently reveal?
You need to change how security exercises are carried out. Look for ways to safely execute advanced cyber attacks and malicious behaviors within production environments with an eye for finding the precise combinations of technology, people and process misses that would grant attackers access. Instead of grading security teams on a “pass/fail” basis, this approach lets you validate “what worked” and pinpoint those costly misfires, so you can make fixes and measurably mature your defenses as you go along.
In working with security teams, I see several patterns where security gaps and opportunities are uncovered with this approach.
Confusing alerts: Beyond documenting whether certain attacks trigger alerts, study how alerts are interpreted. Staff may have to deal with opaque event names like “Terse alphanumeric executable downloader high likelihood of being hostile.” It pays to figure out whether alerts can be refined with tuning and, if not, rehearse with staff on how to respond.
Learning how to internally “recruit” for security: Measuring people and tools together reveals how different skill sets in a company can be recruited to support security roles, depending on needs. For example, a network administrator familiar with NetFlow data and typical behaviors in a company is probably able to help spot unusual activities. Likewise, database-savvy professionals can be adept at working with query-centric tools like SIEM software, which require familiarity with crafting complex queries in order to be used effectively.
The danger of assumptions: It is easy to let assumptions gloss over whether security tools are set up correctly and whether staff know the history and details of why things are configured the way they are. Only methodical testing of all defenses reveals where assumptions put you at elevated risk.
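One way to record the outcome of such an exercise so that it reports where the chain broke (technology, people or process) rather than a pass/fail grade, as an added illustration that is not from the original article; the scenario names and outcomes are constructed, and the three-layer model and 60-minute containment target are assumptions, not anything the article specifies:

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LAYERS = ("technology", "people", "process")


@dataclass(frozen=True)
class ScenarioResult:
    """Outcome of one attack scenario run safely in the production environment.
    Each layer is True (worked), False (missed) or None (never exercised,
    e.g. staff cannot interpret an alert a tool never raised)."""
    name: str
    tool_alerted: Optional[bool]            # technology: did a control alert?
    alert_understood: Optional[bool]        # people: was the alert interpreted correctly?
    runbook_followed: Optional[bool]        # process: was the documented response run?
    minutes_to_contain: Optional[int] = None  # None = activity was never contained


def missed_layers(r: ScenarioResult) -> Tuple[str, ...]:
    """Return the combination of layers that actually failed, in chain order."""
    outcomes = (r.tool_alerted, r.alert_understood, r.runbook_followed)
    return tuple(layer for ok, layer in zip(outcomes, LAYERS) if ok is False)


def score_exercise(results: List[ScenarioResult], sla_minutes: int = 60) -> Dict:
    """Aggregate per-layer misses, the exact miss combinations, and which
    scenarios were contained inside or outside the assumed containment target."""
    by_layer: Counter = Counter()
    combos: Dict[Tuple[str, ...], List[str]] = {}
    contained, slow = [], []
    for r in results:
        gaps = missed_layers(r)
        if gaps:
            by_layer.update(gaps)
            combos.setdefault(gaps, []).append(r.name)
        elif r.minutes_to_contain is None or r.minutes_to_contain > sla_minutes:
            slow.append(r.name)  # every layer worked, but too slowly to matter
        else:
            contained.append(r.name)
    return {"by_layer": dict(by_layer), "combos": combos,
            "contained": contained, "slow": slow}


# Constructed sample outcomes (not real exercise data).
SAMPLE = [
    ScenarioResult("simulated credential theft on a workstation", True, True, True, 35),
    ScenarioResult("terse alphanumeric downloader alert", True, False, False, None),
    ScenarioResult("lateral movement over a partner-shared subnet", False, None, None, None),
    ScenarioResult("outbound beacon from a server", True, True, False, 240),
    ScenarioResult("privilege escalation on a test host", True, True, True, 180),
]

if __name__ == "__main__":
    for key, value in score_exercise(SAMPLE).items():
        print(f"{key}: {value}")
```

The "combos" entry is the part worth reviewing with the team: a scenario listed under ("people", "process") is a tuning or rehearsal problem, while one under ("technology",) is a coverage gap no amount of staff training will close.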
The dearth of experienced cybersecurity professionals is an urgent challenge we can hopefully alleviate in time for our future of even greater connectivity and consequences. But that is no reason to take a defeatist tone in the present or respond in short-sighted fashion.
Security teams are forging ahead by recognizing they must battle-test their own abilities more than ever. What is most important is making sure they measure themselves in a manner that actually teaches volumes along the way.