Pick up a newspaper on any given day in 2017 and you’re likely to read the latest chapter in a long-running story: security professionals versus the hackers. Recent revelations around Russian state-sponsored involvement in the 2013 Yahoo hack, and the WikiLeaks-managed exposure of a trove of CIA-developed exploits, mean those hackers could even be government employees.
This is a story without an end – a battle which is just getting started. That’s bad news for IT leaders already stretched to the limit by a lack of human resources in their security departments.
There’s no easy answer to the increasing pressures they’re under to keep networks resilient – no silver bullet. But advanced, automated security tools offer a great opportunity to maximise those human resources, and keep threats at bay.
The information security industry today has reached a perilous state of negative unemployment. The well-regarded Global Information Security Workforce Study (GISWS) released earlier this year revealed that unfilled positions worldwide will reach 1.8 million by 2022 – an increase of 20% since the last study in 2015.
It claims that chronic shortages could turn into a full-blown crisis as older professionals retire and younger millennials fail to enter the industry.
The UK is heading for a “cliff edge”, it says, with two-thirds of respondents already claiming to have too few cybersecurity personnel, and nearly half (47%) saying the reason is a lack of qualified applicants.
A separate report from January claimed the country has a skills gap second only to Israel globally, in terms of the number of security-related roles advertised versus the number of searches for those roles in Q3 2016.
This all means job security for information security practitioners already in the industry – which is great for these people. But what about the future? Cyber risk is not going away – in fact recent events have shown us the bad guys are as determined, sophisticated and agile as ever.
So staffing issues are obviously a serious challenge going forward. Security managers regularly search fruitlessly for months for candidates with the right experience, and can be saddled with practitioners who just aren’t up to the job. So, what do you do: leave the chair vacant or go for an inferior candidate? It’s a tough call.
The security manager’s job is made that much harder by the nature of IT environments today. They have usually grown organically over many years, and even in mid-sized organisations can be filled with multiple competing security products.
They might each have been deemed essential at the time to deal with one issue or another. But combined, they represent an unmanageable mess demanding more expertise and attention than short-staffed teams can provide. That’s where automation comes in.
Man versus machine
For those who balk at the thought of building too much automation into cyber defence, remember this: we’re not trying to build Skynet here. There’s always an implicit understanding that the final, most important decisions are always made by humans.
Organisations simply have to automate 99% of the work in moving events, findings, and security analysis from one part of the technology stack to another. The sheer volume of data involved demands this. But it’s always a member of the team that makes that final decision on what action to take.
Why is this important? Because while machines are good at flawlessly following rules, the black hats they come up against are notorious rule breakers. Computers simply lack the wit to block wily, creative attackers – although they’re still far better than humans when the question is: “I have 20TB of sensor data: is there anything like pattern X in there?”
So, let computers do what they’re good at – inexhaustible sifting through lakes of complex data – and elevate your most precious resource – your staff – to the roles of decision maker and strategist.
In trying to help firms measure the ROI of automation, one thing has become very apparent to me. Security professionals know that assessing their organisation’s defensive posture is essential to keeping networks resilient and data and systems secure.
But without the right tools in place they simply can’t hope to achieve this vital step. One fairly large corporation I spoke to recently calculated that automation could save it the equivalent of four person-years on these tasks.
And that was at a super-fast rate, where one person was calculated to work 24x7x365: taking one hour to review each security device in the organisation, one minute to review each rule allowing access to some protected asset, and two minutes to review each known vulnerability inside the network.
No human analysts can operate at this speed, or for this long. But even with these conservative estimates, the mountain of work to do far exceeds the capacity of the team trying to do it.
On the one hand, automation carries out the menial, repetitive work which allows IT security teams to focus on the more interesting, strategic stuff. That alone is pretty good, and does a valuable service in helping firms do more with less.
But take a step back and think of those eye-popping figures for how long it would take a human to understand your organisation’s security posture. When you do, it becomes clear that automation can go beyond carrying out menial labour. It can take a process as fundamentally important as understanding your current posture, and turn it from impossible to automatic.
With automated network modelling and risk scoring you can then improve your organisation’s security posture by identifying defensive gaps and strengthening access controls. You can accelerate incident response with the right kind of automatically produced contextual information and intelligence.
And you can help IT teams under pressure to make decisions within minutes and hours rather than days or weeks. That’s not just ROI – that’s a game changer.
Sourced by Dr Mike Lloyd, CTO at RedSeal