It’s an issue that gnaws at many cyber security executives perhaps as much as the latest insidious threats: the ongoing security skills shortage. And recent research suggest that the prospects will not get better any time soon.
One possible way to address the cyber security skills gap is to use more automation for security and risk mitigation. This likely won’t eliminate the need for additional security professionals and might even create the need for certain specialized skills. But automation can help deliver greater efficiencies for processes, and that could ease the burden.
First, let’s address the bad news as it relates to the shortage of skilled professionals. In a widely publicized report released in May 2019, the Information Systems Security Association (ISSA), a community of international cyber security professionals, and independent industry analyst firm Enterprise Strategy Group (ESG) noted that the cyber security skills shortage is worsening for the third year in a row.
The research report is based on a survey 267 cyber security professionals and ISSA members worldwide, representing organizations of all sizes and industry sectors. The shortage has affected nearly three quarters (74% of the organizations
The study confirmed that the cyber security skills shortage remains the root cause of rising security incidents, “as organizations remain plagued by a lack of end-user cyber security awareness and the inability to keep up with the growing cyber security workload.
Nearly half of the respondents (48%) said their organization had experienced at least one security incident over the past two years with serious ramifications including lost productivity, significant resources for remediation, disruption of business processes and systems, and breaches of confidential data.
Many cyber security professionals are skeptical about their chances for success, according to the report. A large majority (91%) think most organizations are vulnerable to a significant cyber attack, and 94% think the balance of power is with cyber adversaries over cyber defenders. Given this scenario, the report said, “organizations face increasing and potentially devastating cyber risks.”
Furthermore, for the third straight year (63%) of organizations continue to fall behind in providing an adequate level of training for cyber security professionals. The most acute skills shortages are in cloud security (33%), followed by application security (32%), and security analysis and investigations (30%).
“Organizations are looking at the cyber security skills crisis in the wrong way; it is a business, not a technical, issue,” said Candy Alexander, cyber security consultant and president of ISSA International. “Business executives need to acknowledge that they have a key role to play in addressing this problem by investing in their people.”
It’s clearly a “sellers market,” with 77% of cyber security professionals solicited at least once a month, according to the research. To retain and add cyber security professionals at all levels, business leaders need to get involved by building a culture of support for security and value the function, Alexander said.
In the meantime, can automation help ease the shortage of skills? Time will tell, but research Gartner Inc. is encouraging organizations to adopt tools to automate processes. At a June 2019 event on security and risk management, the firm said security leaders need to leverage the “automation continuum” to create new value for their organizations.
The automation continuum emerging in the security and risk landscape is one in which new mindsets, practices, and technologies are converging to unlock new capabilities, Gartner said. It noted that identity, data, and new products and services development were three critical areas for using automation.
Identity is the foundation for all other cyber security controls, Gartner said, especially as organizations increasingly move to cloud environments. Identity decisions should always remain within an organization’s control, whether it is about humans or machines, the firm said.
Data is what organizations now depend on for virtually every transaction, and it needs to be shared as much as it needs to be protected. And new products and services are being developed as emerging technologies gain a stronghold.
“We are no longer asking the singular question of how we’re managing risk and providing security to our organization,” said Katell Thielemann, research vice president at Gartner. “We’re now being asked how we’re helping the enterprise realize more value while assessing and managing risk, security, and even safety. The best way to bring value to your organizations today is to leverage automation.”
Automation is already all around us, Gartner said, and it is starting to impact the security and risk world in two key ways: As an enabler to the security and risk function itself; and as new security frontiers that need to be acknowledged and understood.
Automation follows a continuum of sophistication and complexity, and it can use a number of techniques either stand-alone or in combination, said David Mahdi, senior research director at Gartner. For example, robotic process automation (RPA) works best in task-centric environments, he said. But process automation is evolving to increasingly powerful bots, and eventually to autonomous process orchestration.