Amid widespread skills shortages, companies are looking to automation and machine learning, but will a shortage in data scientists curtail these ambitions?

Credit: Jehyun Sung

Enterprises across the UK are suffering from a dearth of cybersecurity talent. Companies are hungry for security skills in almost every area from application development and testing to networking and engineering. With the cost of failure growing ever higher, doing nothing is not an option.

A growing number of organisations see machine learning and automation as the answer, but could a lack of data science skills mean one skills shortage is being replaced with another?

To coincide with the launch of CSO UK, IDG conducted a survey of 200 IT leaders from major UK enterprises to explore the state of cybersecurity within British organisations. The survey covers key threats, main investment areas and what is driving the security agenda within the business. The full results are published in our new report, .

Security skills shortages reported across the UK

ISC2 reports that the EMEA region has a security staff shortage totaling more than 140,000 people. In the UK, this shortage is being felt acutely, with over 60% of organizations surveyed by CSO saying they are suffering skills gaps within the security function. Security testing is the area where shortages are felt the most, with 30% of organisations saying they were lacking skills in this area. Application development was also a major area in need of reinforcement, with nearly a quarter of UK enterprises saying they see a gap. Networking (17%), engineering (10%) and data science (9%) were also cited as areas where skills were lacking compared to demand.
[Chart, credit IDG: Testing and application were the areas where UK companies see the biggest security skills gaps]

However, while there may be a shortage of experienced security talent in the country, UK enterprises could probably be doing more to widen the number of people coming into the field and diversify their talent pipeline through alternative sources. KPMG was recently listed by job listing site Indeed as one of the keenest recruiters of security talent in the UK, with some 6% of all its job postings being for security roles. KPMG’s UK CISO has previously told CSO that he’s keen to recruit ex-service personnel on account of his own military background, but he also likes to recruit people from a variety of backgrounds to create “diversity of thought” among his security teams.

As well as keeping specifications as simple as possible to avoid putting potential candidates off, JustEat CISO Kevin Fielder brings people with a different skillset from other areas of the business into the team to learn security on the job while sharing their own talents.

“There is, of course, a need for highly skilled technical people, but we can do a much better job at looking both internally and externally for people with skills that you might not normally think about,” Fielder previously told CSO. “If you have someone who’s been at your company for a while [but outside the security team], they immediately bring business context and knowledge.”

Automation and machine learning high on the agenda

Given the lack of people with the right skillsets to deal with increasingly complex IT landscapes and a growing barrage of security alerts, it’s little surprise that companies are hoping that machines can start to take the lead and do some of the heavy lifting.

A massive 90% of organizations surveyed said artificial intelligence/machine learning (AI/ML) would be important to combatting emerging threats in the future, with 40% saying it would be “very important”.
While security awareness training was listed as the main method, over 30% of enterprises said automation is one way they are trying to reduce human error.

[Chart, credit IDG: The vast majority of UK enterprises see machine learning as important to the future of their security operations.]

Despite the promise, excitement, or hype of the technology, only a small proportion are looking to deploy something in the near future; a mere 15% of respondents said they were investing in ML/AI in 2019. However, the fact that data science is listed as a skills gap within the security function suggests there may still be a human barrier to greater adoption. So, a shortage of talent in one field could well hinder companies looking to apply automation as a remedy for skills shortages in another.

Security and data science challenges

Security automation can bring tangible benefits to a company. Insurance company Aflac won a CSO50 award for its efforts around applying automation and machine learning to its threat intelligence operations, while US financial utility the Options Clearing Corporation uses machine learning to help predict routes attackers might take into their network.

While our data suggests companies want to bring data science talent in-house and even into the security function specifically, Alexander Linden, a VP and analyst at Gartner specialising in data science and ML, suggests companies shouldn’t be concerned.

“Applying data science to security, I don’t see it as a problem that end users ever should be concerned about,” he says.
“I cannot possibly see any company on the planet will take a look at their own data and then create machine learning and create machine learning models on their own data for security reasons.”

He likens the situation to companies owning company cars but outsourcing all the repair work to mechanics, arguing that companies should likewise outsource their security-related data science efforts to companies that have concentrated groups of talent.

“It’s pointless for companies to have car mechanics. It’s completely outsourced. And this is exactly happening with security and data science; it is very much outsourced to a few vendors that specialise in security and data science,” Linden continues. “The normal end-user company should not be interested in hiring data scientists with a security focus because they will just benefit from all the vendors [deploying ML in their products].”

While Linden says there are many use cases and reasons for companies to hire data scientists – and agrees that there is still a shortage of data science talent generally – security isn’t one where companies are likely to do anything better than the security vendors and the talent they have.

“I don’t think that they should have an interest in the security aspect of solving it themselves with data scientists. Security specialists need to deploy solutions that fit the company’s needs, and those solutions have been produced by somebody else mostly.”

For those who do want to create their own machine learning projects in-house, a number of companies are creating services that can “democratise” ML and make it easier to use. All the major cloud providers offer some form of machine learning as a service – for example, AWS’s Sagemaker, Google Cloud Platform’s DataLab, and Azure’s Machine Learning Studio – to make creating such applications easier.
AWS CISO Stephen Schmidt has previously told CSO the company uses Sagemaker internally for prototyping machine-learning-based security tools and developing models for uses such as log analysis.

“I think the word ‘democratising’ is a little bit abused in this context,” says Linden. “It’s definitely not democratized. You still have to have significant skills to work with these [tools]. They’re democratised to the extent you don’t have to be necessarily a real data scientist; engineers with good data science training can do some good things as well.”