The Problem of Unfilled Cybersecurity Jobs is that Attack Volume has Made Those Roles Feel Futile
Every day when I scan my news feed I find a new article describing a stunning scarcity of qualified cybersecurity professionals. Most recently, a study by global recruiting firm Robert Half entitled “Cybersecurity – Protecting Your Future” found that the majority of CIOs (77%) believe that they are due to face more security threats in the next five years due to a shortage of IT security talent. From the report’s description:
The days when cybersecurity was viewed as simply an IT problem are over. Across the UK, two-thirds of large businesses have been hit by a cyber-breach or attack in the last year. The impacts can affect the entire business and leave a trail of financial, operational and reputational damage in its wake. As those behind cyber-attacks become more sophisticated in their execution, the solution demands a resilient IT security strategy and skilled IT talent to be prepared for the future of cybersecurity.
The one unchallenged and recurring thread in each of these pieces is that they define the problem and solution exactly the same way: by talking about people. A look at the logical progression:
- Given the fact that the majority of companies have been hit by a cyber breach or attack…
- And given the fact that attacks and breaches can cause critical damage…
- It is the people behind those attacks that are becoming more sophisticated.
- The solution is to demand
- Smarter people that develop more resilient strategies
- More of those smart people to battle the army of bad guys
The issue at hand is that the problem is being framed incorrectly, and in doing so, the proposed solution is wrong too. Let’s look at some indisputable facts, and then we can get into some highly disputable solutions.
The Cybersecurity War Isn’t Being Won by Numbers
The days when the larger army won with just sheer numbers of bodies willing to fight are over (if they ever existed in the first place). When you consider the tools of modern warfare, you see that fighting more intelligently with fewer instances of hand-to-hand combat is a much more strategic way to beat an enemy.
While we hang on to a nostalgic idea of joining the ragtag rebels to fight for freedom and somehow overcome being drastically outnumbered, it’s just not reality anymore. Battles can be won by having the largest number only when there’s no other advantage.
Instead, when we look at why our adversaries are able to overwhelm cybersecurity teams, causing a mismatch in response, the solution isn’t as simple as hiring thousands of cyber analysts.
Our Enemies Are Using Automation
A rhetorical question: how much does it cost for a cybercriminal to send 1 million phishing emails? How about 10 million? 100?
The issue is that the vast majority of cyberattacks – be they ransomware, social engineering, credential takeover, or phishing – rely on one central idea: put enough lines in the water, and you’ll eventually get something on the hook. And when doing so is fully automated with no incremental cost per million in distribution, criminals are able to overwhelm companies with the volume of their attacks.
It is because they are able to use automation and work anonymously in small groups that cybercriminals are able to thrive. For them, adding more people significantly increases their chances of getting caught, bringing the entire operation down. Instead, automation lets very small groups operate with agility, anonymity, and lets them improvise quickly to stay nimble.
People Can’t Keep Up with Automation
One of the more recent studies on the massive increase in alert volume comes from the EMA group, who’s recent report states that:
- 92% of companies face more than 500 alerts per day
- 88% percent of respondents said they were receiving up to 500 severe/critical alerts per day
- 88% of the participants indicated their teams were only able to investigate 25 or fewer severe/critical events per day
- 67% of organizations were only able to investigate 10 or fewer of their severe/critical events per day
The math is simple, and jarring: with 500+ alerts per day, even with the best cyber analysts in the world, you’d need 150 cyber analysts working 8 hours per day just to keep up. That’s at current alert volume, and there’s no logical reason to believe that the number won’t double or triple next year.
Fighting Automation with Automation
If we’re willing to admit that simply adding more people won’t do the trick, we’re forced to rethink our approach. The only approach that can move the dial is to embrace automation the same way cybercriminals have: automate that which is repeatable and based on logic, and use people to do the higher-level things people are best served to do.
The resources behind the black hats are no greater than the resources available to the good actors. In fact, as organizations pour billions of dollars into cybersecurity, our defenses should be fully stocked. When we embrace automation, we gain ground on the bad guys. And ultimately, the perceived cybersecurity skills gap should close itself.