When asked a poorly bounded question such as “What is the biggest threat to Internet security?”, most quick-fire answers could be represented by the flags of a handful of nation states. Certainly the front-of-mind answer, a particular cluster of hackers, represents a constant and escalating threat of business disruption and compromise.
Yet, if we examine the nature of our industry introspectively, we can easily argue that the biggest risk Internet security faces is in fact our general inability to respond to and counter the attacks launched by adversaries from around the world.
It is estimated that today there are over 1 million InfoSec positions unfilled, growing to over 1.5 million by 2019, and that more than 200,000 of those vacancies are in the U.S. This global shortage of expertise and experience undermines the InfoSec world’s ability to respond to cyber attacks, affecting vendors and consumers alike.
There are several contributing factors to this alarming problem. Obviously, as the volume and sophistication of attacks have increased, there has been a parallel demand for people with the skills to respond, from both the vendor and defender sides of the table.
Vendors need engineers with secure development skills and researchers with acute technical security skills, mixed with hands-on defender experience.
Defenders in turn need fresh bodies with a modicum of security-landscape knowledge who can be trained rapidly in the tools and products their organization uses to defend itself. They also need a tier of highly skilled and experienced security professionals who can independently analyze new threats and initiate the appropriate corporate responses.
But with such a gap (and a widening one at that) in unfilled InfoSec positions, the industry must look inwards and pursue a number of new strategies to overcome the shortage in human capital and set itself on a long-term success path.
Solving the human capital shortage
I believe that there are three core pieces to solving this problem.
Strategy No. 1
The first strategy lies with automation. Many security vendors have begun to embed artificial intelligence and machine learning technologies in their product ranges. Much of that effort over the past half-decade has focused on detection efficacy, that is, widening the spectrum of threats their products can detect.
However, as their customers continue to struggle to hire the staff needed to maintain, monitor and respond to the alerts generated by these products, the overall impact of increased detection efficacy has yet to be realized.
Instead, security vendors should focus on reducing the number of hands and eyes needed to operate these detection systems. This is achievable by automating as much as possible of the data collection, threat validation, false-positive triage, response ticketing and operational task assignment.
Consequently, the customer’s “defender” staff will be better able to focus consistently on the highest priorities. At a minimum, a newly deployed security product should not require additional operational staff to manage it.
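To make the automation steps above concrete, here is an added example (not code from the original post or from any vendor product) of a minimal alert-triage pipeline: it validates incoming alerts, de-duplicates repeats of the same finding, suppresses patterns an analyst has already recorded as benign, scores what remains by rule severity and asset criticality, and routes each resulting ticket to a tier. The alert feed, suppression list, asset inventory, rule severities and tier threshold are all constructed for illustration.

```python
"""Alert-triage pipeline: validate, de-duplicate, suppress known false
positives, score and route alerts so analysts only see what needs a human.
Added example, not vendor code; all alerts, hosts and rules are constructed."""
from dataclasses import dataclass, field
import fnmatch

# Constructed sample feed. 'ts' is an epoch second; everything else is invented.
ALERTS = [
    {"ts": 1, "rule": "ssh_brute_force", "src": "203.0.113.5", "dst": "bastion-01"},
    {"ts": 2, "rule": "ssh_brute_force", "src": "203.0.113.5", "dst": "bastion-01"},
    {"ts": 3, "rule": "port_scan", "src": "10.0.0.7", "dst": "web-01"},
    {"ts": 4, "rule": "lateral_smb", "src": "hr-laptop-12", "dst": "dc-01"},
    {"ts": 5, "rule": "dns_tunnel", "src": "dev-vm-3"},            # malformed: no dst
    {"ts": 6, "rule": "dns_tunnel", "src": "dev-vm-3", "dst": "8.8.8.8"},
]

# Known-benign patterns, each with the reason an analyst recorded when closing it.
SUPPRESSIONS = [
    {"rule": "port_scan", "src": "10.0.0.*", "reason": "authorized vulnerability scanner"},
]

# Hypothetical asset inventory: how much a hit on this host matters (1-10).
ASSET_CRITICALITY = {"dc-01": 10, "bastion-01": 7, "web-01": 5}
DEFAULT_CRITICALITY = 2

# Hypothetical base severity per detection rule (1-10).
RULE_SEVERITY = {"lateral_smb": 8, "dns_tunnel": 6, "ssh_brute_force": 5, "port_scan": 3}
DEFAULT_SEVERITY = 4

TIER2_THRESHOLD = 14  # a score at or above this goes straight to a senior analyst

REQUIRED = ("ts", "rule", "src", "dst")


@dataclass
class Ticket:
    rule: str
    src: str
    dst: str
    first_seen: int
    last_seen: int
    occurrences: int
    score: int
    assignee: str


@dataclass
class TriageResult:
    tickets: list = field(default_factory=list)
    suppressed: list = field(default_factory=list)   # (alert, reason) pairs
    invalid: list = field(default_factory=list)
    merged: int = 0   # raw alerts folded into an already-open ticket


def is_valid(alert):
    """Threat validation step: reject alerts that cannot be acted on."""
    return all(alert.get(k) not in (None, "") for k in REQUIRED)


def suppression_reason(alert):
    """False-positive triage: the recorded reason if the alert matches a
    known-benign pattern, else None."""
    for s in SUPPRESSIONS:
        if alert["rule"] == s["rule"] and fnmatch.fnmatch(alert["src"], s["src"]):
            return s["reason"]
    return None


def score_alert(alert):
    """Priority = rule severity + criticality of the targeted asset."""
    sev = RULE_SEVERITY.get(alert["rule"], DEFAULT_SEVERITY)
    crit = ASSET_CRITICALITY.get(alert["dst"], DEFAULT_CRITICALITY)
    return sev + crit


def assign(score):
    """Operational task assignment: route by score, not by arrival order."""
    return "tier2" if score >= TIER2_THRESHOLD else "tier1"


def triage(alerts):
    result = TriageResult()
    open_tickets = {}  # (rule, src, dst) -> Ticket
    for a in sorted(alerts, key=lambda x: x.get("ts", 0)):
        if not is_valid(a):
            result.invalid.append(a)
            continue
        reason = suppression_reason(a)
        if reason:
            result.suppressed.append((a, reason))
            continue
        key = (a["rule"], a["src"], a["dst"])
        if key in open_tickets:            # de-duplicate repeats of the same finding
            t = open_tickets[key]
            t.last_seen = a["ts"]
            t.occurrences += 1
            result.merged += 1
            continue
        s = score_alert(a)
        open_tickets[key] = Ticket(a["rule"], a["src"], a["dst"], a["ts"], a["ts"], 1, s, assign(s))
    result.tickets = sorted(open_tickets.values(), key=lambda t: t.score, reverse=True)
    return result


if __name__ == "__main__":
    r = triage(ALERTS)
    print(f"{len(ALERTS)} raw alerts -> {len(r.tickets)} tickets "
          f"({r.merged} merged, {len(r.suppressed)} suppressed, {len(r.invalid)} invalid)")
    for t in r.tickets:
        print(f"[{t.assignee}] score={t.score:2d} x{t.occurrences} {t.rule} {t.src} -> {t.dst}")
```

Six raw alerts become three tickets, with the lateral-movement hit on the domain controller at the top of the queue and the scanner noise closed with a reason attached. The point is the shape of the pipeline rather than the toy scoring: every automated decision (drop, suppress, merge, route) is recorded so an analyst can audit it, and the suppression list is something the analyst grows over time rather than a vendor-shipped constant.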
Strategy No. 2
The second piece of the overall strategy is to close the skills gap between the freshly minted InfoSec graduates and the businesses that need them.
As students graduate with computer science, software engineering and information security degrees and diplomas and seek their first InfoSec role, they are often woefully short of core skills. This often necessitates a costly period of “retraining” by the hiring organization, and a depressing realization for new InfoSec workers that there are few sparkly things to work on when you’re that fresh.
The two largest gaps between academia and business that need to be closed relate to legacy code and operating in groups.
As a student, the coding problems and security threats presented in assignments and exams are almost always isolated, greenfield problems. For example, choosing from among several development languages, the student is expected to craft a program from scratch to solve an interesting and demanding computer science problem.
However, as a newbie software developer, you’re almost certainly going to be focused on fixing bugs in old and ugly code, written in ancient languages, that has been patched and repatched so many times that nobody wants to own it. And product managers will be breathing down your neck to wrap it up and move on to the next bug fix.
Within academic institutions, the preferred way to solve problems and pass exams is to operate as a solo contributor. But in a business you are always part of a group, and as the newbie you are on the bottom rung and consequently have little influence over it.
These groups consist of multiple developers, product managers, executives, IT support and, on the vendor side, PR and marketing people. The social and operational skills needed to navigate and succeed in such groups are rarely, if ever, taught or encouraged during degree courses, further inhibiting new graduates from realizing their full potential.
The institutions that are producing the next generation of InfoSec professionals need to acknowledge these sizable gaps and alter their curricula to accommodate collaborative development and legacy support techniques.
Strategy No. 3
The third major strategy piece to closing the resources gap lies with women and encouraging them to join the InfoSec community.
Today, it is estimated that only 11% of the InfoSec workforce is female. This is a terrible indictment of the industry, as well as a huge opportunity to close the resources gap. While 11% is poor, in the most technical areas of InfoSec, such as reverse engineering, threat analysis and incident response, the percentage is likely below 5%.
In recent years there have been increasing calls for women to join the InfoSec community and, from there, the InfoSec workforce, but there has been little noticeable increase. The percentage of women in STEM has been rising, but the flow into InfoSec has yet to materialize at graduate and post-graduate levels.
Of the three core strategies to overcome the human resources gap confronting the InfoSec workforce, encouraging more women to join the fold is the least clear and least developed. Ideas are still being sought on how to achieve this.
When looking at the timeline for acting on these three core strategies and seeing their impact on the threat the industry faces, I believe that automation offers the shortest path and can reap maximum benefit within five years.
Adjusting the education programs and producing graduates that can be more readily absorbed and productive within business will take a little more time, and we should anticipate the impact of those changes being felt in the four- to eight-year timeframe.
Finally, on the point of encouraging more women to join the InfoSec workforce, I believe that there is much more work to be done – both from an academic curriculum perspective and for the male-dominated, heavily introverted InfoSec community.
The latter should strive to be more welcoming and accommodating, something for which it has been repeatedly chastised. Unfortunately, it could take five to 10 years before the proportion of women in InfoSec has a meaningful impact on closing the recruitment gap.
To learn more about automating the hunt, download the white paper “Automated threat management: No signature required” for more insight into why signatures are great at catching large-scale commodity threats, but why, to stop targeted attacks, you need to jump off the signature hamster wheel and lie in wait where attackers will inevitably show up: inside your network.
An edited version of this blog also appears on the ThirdCertainty.com website.
Günter Ollmann is CSO of the cloud and AI security division at Microsoft and an advisor for Vector AI. Previously, he held the position of CSO at Vectra, where he assisted in building the next generation of threat detection technologies capable of illuminating persistent threats, lateral movement, IoT integrity compromise, and attacks that bypassed the front door. Günter was also a founder and principal at Ablative Security as well as an advisor for C3 Security and Yaxa. He received a B.S. in applied physics and mathematics and an M.S. in atmospheric physics from the University of Auckland.