Security staff and skills deficits lead to weaknesses in areas such as threat hunting, prioritizing security alerts, and computer forensics.

I've written a lot about the cybersecurity skills shortage over the past five years. For example, ESG research indicates that 45 percent of organizations claim to have a problematic shortage of cybersecurity skills. To me, the cybersecurity skills shortage represents an existential problem: if you don't have enough people or the right skills, it really doesn't matter what types of security controls you have in place, because you simply won't be able to keep up with changing threats and day-to-day workloads.

Cybersecurity skills are especially important when it comes to security analytics and operations. It takes highly experienced professionals to investigate security incidents, synthesize threat intelligence, or perform proactive hunting exercises. Unfortunately, this skill set is particularly lacking.

In a recently published ESG research report, Cybersecurity Analytics and Operations in Transition, 412 cybersecurity and IT professionals were asked about the size and skill set of their organization's cybersecurity team. As it turns out, 54 percent of survey respondents said the skill level for cybersecurity analytics and operations was inappropriate for an organization of their size, and 57 percent said the staff size for cybersecurity analytics and operations was inappropriate for an organization of their size. What makes this data more frightening is that many organizations remain understaffed AND lack advanced cybersecurity skill sets, a double whammy that surely leaves them extremely vulnerable to attack.

The research also exposed some areas of acute cybersecurity analytics and operations weakness. The top weaknesses cited included:

Proactive threat hunting. This isn't surprising, as threat hunting is an advanced skill set. That said, it is also a best practice within organizations that have established a cybersecurity center of excellence. Effective threat hunting helps organizations stay ahead of threats with the right security controls and builds the knowledge needed for continuous security monitoring. Organizations lacking the right skills for threat hunting can only hope to spot suspicious activity AFTER a system has already been compromised.

Assessing and prioritizing security alerts. ESG research indicates that many firms are buried by the volume of security alerts, so identifying and prioritizing alerts is a mission-critical process. If your organization struggles here, you will likely miss something (or many things) and suffer the consequences.

Computer forensics. This, too, is an advanced skill set. Weak computer forensics capabilities make it difficult to uncover the specifics of a network penetration or system compromise, and if you don't know those details, you can't protect your organization against similar attacks.

Tracking the lifecycle of security incidents. This is likely related to a combination of skills, process and tool deficiencies. For example, IT trouble-ticketing systems often lack the functionality needed to track malware or support forensic investigations. When security incidents are discovered, security teams can't always track the remediation progress of IT operations. In some cases, security and IT operations teams simply don't work well together. Without sound incident lifecycle tracking, it's impossible to monitor, measure and adjust cybersecurity performance.

When you don't have enough people or the right skill sets, you tend to overwhelm the existing staff, and this, too, causes problems.
In a 2016 research report from ESG and the Information Systems Security Association (ISSA), 32 percent of respondents said the cybersecurity skills shortage led to high attrition and turnover within the cybersecurity staff, while 25 percent reported high burnout rates within the cybersecurity staff. An unhappy staff is likely an unproductive staff.

The global cybersecurity skills shortage means CISOs simply cannot hire their way out of these issues. So, what CAN be done? More on possible solutions soon. In the meantime, see you at Black Hat!