
Cyber skills planning for the 2020s

Cyber threats change year-by-year – so how can business leaders decide the skills their IT security teams will need circa 2025? By Marina Kidron, Skybox Security.

The relevance of cyber security to the business bottom line has exploded in recent years. Cyber attacks have grown more sophisticated and more ubiquitous, and regulatory scrutiny more intense. This phenomenon has created unprecedented demand for cyber security talent for which the labour market was largely unprepared. In February 2017, industry body (ISC)² predicted in its 8th Global Information Security Workforce Study that by 2022, the worldwide cyber security skills shortage would reach 1.8m; in October 2018, its new study revealed that reality had already far surpassed predictions, putting the current shortfall just below 3m.

So, in a climate where the skills gap is now at an all-time high, the technology that cyber security professionals use is developing fast, and the threats they deal with are evolving even faster, how do businesses meet both today’s needs, and also prepare for those of the future? Will the capabilities they now seek even be relevant in five years’ time?

To answer these questions, it must be understood how the cyber skills crisis is shaping cyber security itself. Enterprises are often hamstrung by the need to find niche talent with knowledge of the tools in which they have already invested – for example, someone who has experience with their particular type of firewall or cloud service provider. Due to complexity and fragmentation issues, one organisation may have many niches.

Information security teams and security analysts now have more vulnerabilities than ever to deal with. In 2017, the National Institute of Standards and Technology's National Vulnerability Database, which gives formal identification numbers to vulnerabilities, assigned more than ever before, and more than twice as many as in 2016. The following year shattered even that record, with more than 16,000 new vulnerabilities formally identified. Of these, about 9,000 were ranked as ‘critical-’ or ‘high-severity’.

This means organisations need to apply better prioritisation tools rather than just fixing all high-severity threats, as those make up over 50% of all threats. The overall 2018 figure is a 12% increase on the previous year; it seems these record-breaking vulnerability figures can be regarded as the new normal.

Trying to make sense of which of these vulnerabilities pose the greatest risk to their organisation is an almost insurmountable task for cybersecurity teams. The challenge of answering, ‘What do we try to fix today?’ is only getting harder. Cyber security teams often rely on manual processes to stitch together insights from many disparate tools and information sources. Given the resource burden and mixed results of those efforts, it’s unrealistic to expect those skills to be fit for purpose for an indefinite period.

Similarly, for network security engineers and operations managers who deal with near-constant or near-real-time requests for changes to meet business needs, the scale and complexity at which these changes take place quickly outstrip most available resources. To overcome the pressures placed on already stretched security teams and to offload data-intensive tasks, organisations are turning increasingly to automation.

Automation has long been part of cyber security strategy programmes; but the amount and calibre of work organisations expect technology to take care of has grown hugely in recent years. While cyber security is by no means ready for ‘flip-switch’ solutions, recent advancements already promise the demise of manual, cut-and-paste tasks and the prominence of platform solutions that orchestrate certain processes across connected devices and given ‘attack surfaces’ (the points where an unauthorised user, the ‘attacker’, can try to enter data into or extract data from a secured environment).

For professionals looking to remain relevant in this new era, amassing a working knowledge of such platforms and their ecosystems of analytic tools will be vitally important. Automated technology is currently more than capable of taking on rote tasks, such as data collection and correlation.

But as automation and Machine Learning (ML) continue to evolve toward the goal of Artificial Intelligence (AI), they should not degrade the authority of cyber security leaders who oversee this technology and act upon its information. Instead, they should elevate the leader’s position, and allow them to be more strategic and effective with their actions. Technological advancements often cause concern in the labour force that they could make workers irrelevant in some respect, and this concern is not misplaced.

Automation in cyber security is poised to make many roles that deal with raw data analysis irrelevant in a short amount of time. But it also opens the door to new roles which require new expertise. In the years leading up to 2025, the ability of cyber security professionals to challenge the ML parameters and processes they rely upon will become exceedingly valuable. They will need to know that their machines are continually learning, adapting to change, not following false truths, etc.

This means being able to crack open technology that might otherwise be opaque, requiring more than baseline knowledge in how to train and improve ML algorithms. As risks are reviewed on a larger, faster-moving scale, cyber security professionals will have to apply priority logic tools to significantly larger data sets; this requires analytics skills relevant to data science to make the right judgements and ensure a robust prevention strategy.

The other skillsets that will need to be absorbed will be around how cyber security becomes woven into the DevOps processes that drive how modern organisations harness technology and data to thrive. This requires the adoption of a monitoring and facilitating role for software updates and revisions – and thus playing a crucial part in pre-empting vulnerabilities or spotting and fixing them faster.

Alongside script and code-writing abilities, a cyber security professional will also need to perform as a reverse engineer, capable of tracking back into the code development process to discover flaws and loopholes in an app or digital service unique to that organisation. The shift to DevOps is about more than just a new set of technical skills; it’s about a method of working and thinking that is very different to the mindset of a traditional cyber security professional — and it will include culture adjustments within teams as well.

Cyber security professionals will need to employ more pure creativity in the job, not only to respond to known problems with known answers, but also to identify and solve entirely new problems, and keep their organisations ahead of attackers’ innovations. Building and managing the new cyber security workforce puts an onus on organisation leaders to employ mature team-building and motivational techniques that meet the needs of their new wave of employees. Reserves of creative and sceptical thinking will need to be continually exercised and fed, making opportunities for exercises like wargaming invaluable.

Leaders will also need to recognise the importance of intercommunication and collaboration to ‘connect synapses’ – so to speak – within the team. This is an area in which, of all groups, the threat actors have excelled: they routinely share knowledge and tools with their peers, thereby raising the bar for attack defence. For the cyber security community to raise the bar for launching attacks, cyber security professionals need to do more than simply share threat alerts.

They should be writing up and sharing their analytics and playbooks to better prevent attacks. Indeed, all the investment in new skills will be of less value if those future professionals are not sharing their cyber experiences seamlessly.

Marina Kidron is Director of Threat Intelligence at Skybox Security.