Some say the cyber-security skills gap is an issue of supply and demand – “There just aren't enough people!” Others say there are too few people with the ‘right skills’ – and although there is guidance from CESG and the CIS on which skills are right for which roles, how to acquire them is still an open debate.
But even teams with lots of skilled security professionals run up against three major problems, which create a gap between the skills they have and the value they're able to deliver.
The time of a skilled team is eaten up by reporting
For regular reporting, typically to the CIO or IT operations, security team members can spend two weeks or more every quarter in spreadsheets, turning piles of raw data from a technology Frankenstack into something their audience can make sense of. The results are often inaccurate by the time they are presented, because the IT environment changes between the moment the data lands in a spreadsheet and the moment it is communicated. Security's analysis is then disputed, and it becomes an uphill battle to justify any improvement that needs making.
Even more time gets eaten up when technical information has to be translated so that it's meaningful to a business audience who want to understand risk exposure.
Specialist skills end up focused on basic problems
It's a constant struggle for security teams to ensure good cyber-hygiene is maintained. IT operations own many of the activities that deliver a baseline level of protection from threats. However, security and IT teams don't typically have visibility across their environment to know whether ‘the basics’ are being maintained consistently in terms of coverage, operational status and effectiveness. As a result, security professionals hired to develop advanced capabilities often discover gaps in basic cyber-hygiene. Then, because advanced capabilities depend on ‘getting the basics right’ to be effective, those professionals have to spend their time investigating the situation across the whole environment and working with IT operations to resolve the issues.
Expertise is overwhelmed by firefighting
Linked to the point above, security functions can receive thousands of alerts a day from technology designed to detect threats. Teams often find they're swamped with more data than they can reasonably deal with – much of which is noise, not signal. Because they have to sort through this data to find and disrupt threats, teams have less time to work out the question that matters: what is the next most effective action to manage risk across our environment? They know that dealing with the basics would be a big step towards minimising noise and being able to focus and prioritise detection efforts more effectively. However, as they are increasingly consumed by firefighting, this gets harder and harder to achieve, because they can't escape the cycle of constantly managing newly discovered incidents, many of which share the same root cause.
Before you solve for the skills you don't have, maximise the value of the security team you do have
Given there is a skills shortage, security teams who have experienced the challenges above are trying to achieve three goals:
- Automate reporting to deliver meaningful, timely and accurate information for stakeholders like audit, risk and IT operations
- Use data analytics to gain continuous visibility into the coverage, operational status and effectiveness of security controls across the environment
- Strike the right balance between investment focused on prevention vs detection so that teams are not stuck playing alert and incident whack-a-mole
At the heart of each of these goals is the need to advance and simplify how data and metrics are used for two purposes: firstly to identify, measure and communicate risk; and secondly to prioritise and justify actions that will reduce the risks that matter most, efficiently and sustainably.
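To make the second goal concrete, here is an added example (not code from the original article or from Panaseer) of the kind of analytics that gives continuous visibility into control coverage and operational status. It reconciles an asset inventory against the check-in telemetry of two basic controls, an EDR agent and a vulnerability-scanner agent, and reports which assets each control is missing from, which agents have gone silent, and which hosts a tool sees that the inventory does not know about. All hostnames, timestamps, owners, the 7-day staleness threshold and the fixed "now" are constructed assumptions so the script runs offline and reproducibly.

```python
"""Control coverage and operational-status report from constructed inventory data.

Example code, not Panaseer's. The inventory, the telemetry and the 7-day
staleness window are all assumptions chosen for illustration.
"""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the report is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
# Assumption: an agent that has not checked in for 7 days is installed but not operational.
STALE_AFTER = timedelta(days=7)

# Constructed data: what a CMDB export might look like, the source of truth for "what must be covered".
ASSETS = [
    {"host": "web-01", "owner": "it-ops", "critical": True},
    {"host": "web-02", "owner": "it-ops", "critical": True},
    {"host": "db-01", "owner": "dba", "critical": True},
    {"host": "dev-laptop-17", "owner": "eng", "critical": False},
    {"host": "hr-desktop-03", "owner": "hr", "critical": False},
]

# Constructed data: per-control telemetry, host -> last check-in (ISO 8601, UTC).
EDR_CHECKINS = {
    "web-01": "2024-06-01T11:30:00Z",
    "web-02": "2024-05-10T08:00:00Z",      # agent present but silent for three weeks
    "db-01": "2024-06-01T09:00:00Z",
    "hr-desktop-03": "2024-06-01T10:00:00Z",
    "legacy-box": "2024-06-01T10:00:00Z",  # reports to EDR but is absent from the CMDB
}
VULN_SCAN_CHECKINS = {
    "web-01": "2024-05-31T02:00:00Z",
    "db-01": "2024-05-30T02:00:00Z",
    "dev-laptop-17": "2024-06-01T07:00:00Z",
}


def parse_ts(value):
    """Parse the 'Z'-suffixed UTC timestamps used in the telemetry above."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def control_status(checkins, host, now=NOW, stale_after=STALE_AFTER):
    """Classify one host under one control: 'missing', 'stale' or 'ok'."""
    last_seen = checkins.get(host)
    if last_seen is None:
        return "missing"
    return "ok" if now - parse_ts(last_seen) <= stale_after else "stale"


def coverage_report(assets, controls, now=NOW):
    """For each control: ok/stale/missing counts, coverage %, a prioritised gap list,
    and hosts the tool knows about but the inventory does not."""
    inventory = {a["host"] for a in assets}
    report = {}
    for name, checkins in controls.items():
        counts = {"ok": 0, "stale": 0, "missing": 0}
        gaps = []
        for asset in assets:
            status = control_status(checkins, asset["host"], now)
            counts[status] += 1
            if status != "ok":
                gaps.append((asset["host"], status, asset["owner"], asset["critical"]))
        # Critical assets first, then alphabetical, so the list reads as an action plan.
        gaps.sort(key=lambda g: (not g[3], g[0]))
        report[name] = {
            "coverage_pct": round(100 * counts["ok"] / len(assets), 1),
            "counts": counts,
            "gaps": gaps,
            "unknown_hosts": sorted(set(checkins) - inventory),
        }
    return report


def format_report(report):
    """Render the report as the short text a stakeholder would actually read."""
    lines = []
    for name, r in report.items():
        c = r["counts"]
        lines.append(f"{name}: {r['coverage_pct']}% operational "
                     f"(ok={c['ok']}, stale={c['stale']}, missing={c['missing']})")
        for host, status, owner, critical in r["gaps"]:
            flag = "CRITICAL " if critical else ""
            lines.append(f"  {flag}{host}: {status} (owner: {owner})")
        if r["unknown_hosts"]:
            lines.append(f"  seen by tool, not in inventory: {', '.join(r['unknown_hosts'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    controls = {"edr": EDR_CHECKINS, "vuln_scan": VULN_SCAN_CHECKINS}
    print(format_report(coverage_report(ASSETS, controls)))
```

The gap list is keyed to the asset owner, which is what lets the security team hand a specific, defensible action to IT operations rather than a disputed spreadsheet; the "seen by tool, not in inventory" line is the usual first sign that the asset inventory itself is one of the basics that needs fixing.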
Contributed by Nik Whitfield, CEO, Panaseer