Nik Whitfield, CEO, Panaseer, discusses why the problem with the cyberskills shortage is ‘process’, not people.
The talent shortage in cyber is one of our biggest issues. The findings of a report from Capgemini’s Digital Transformation Institute state there is a 25-percentage-point gap between the demand for, and supply of, cybersecurity skills – and the problem is getting worse.
As a cybersecurity business ourselves, we have experienced this problem first-hand. It remains a topic that our clients cite as a top barrier to progress, so we wanted to get under the skin of the problem and look at whether there are effective ways of addressing the issue, other than finding and training more people.
Last month we surveyed 200 enterprise security leaders – we wanted to get a feel for how they were spending their time to see if there were areas that could be made more efficient. The result was staggering. On average, respondents claimed 36.26% of their team’s time each month was spent on creating manual reports. Within this time, the biggest task is formatting and presenting data (38.46%), followed by moving data across spreadsheets (34.62%).
These are serious numbers, given the shortage of security professionals and the cost of hiring and retaining these specialists. It appears there’s a real opportunity to create efficiencies to get more value from these scarce, talented professionals.
Another key area that appears wasteful is where specialist skills are focused on basic problems. For the majority of organisations, especially those with complex IT estates in regulated markets, it’s a constant struggle for security teams to ensure good cyberhygiene is maintained.
However, as security and IT teams, we don’t typically have visibility across our environments to know if ‘the fundamentals’ (i.e. the critical security controls) are being achieved consistently and to a high standard of coverage and effectiveness. For every lapse in the fundamentals, we create additional work in cleaning up problems as they arise. The emergency room is the most expensive place to be in a hospital – it is much more cost-effective and less effort to exercise preventative care in order to reduce the risk early.
It’s then no surprise to hear that our security team is overwhelmed by fire drills and firefights. Security functions can receive thousands of alerts a day from technology designed to detect threats. Teams often find they’re swamped with more data than they can reasonably deal with – a lot of which is noise, not signal.
Because we have to sort through this data to find and disrupt threats, we have less time to work out: what is the next most effective action to manage risk across our environment? We know that dealing with the fundamentals would be a big step towards minimising noise and being able to focus and prioritise detection efforts more effectively. However, as we are increasingly consumed by fire-fighting, constantly managing newly discovered incidents that can have the same root cause, this gets harder to achieve.
With so much of the team’s time being wasted, it stands to reason that solving the skills shortage problem needs to start by looking at how the existing team is spending its time and maximising the value of the security personnel available. Given there is a skills shortage, security teams that have experienced the challenges above are trying to achieve three goals:
- Automate reporting to deliver meaningful, timely and accurate information for stakeholders like the business, risk, audit and regulators
- Use data analytics to gain continuous visibility into the coverage, operational status and effectiveness of security controls across the environment
- Strike the right balance between investment focused on prevention vs detection so that teams are not stuck playing alert and incident whack-a-mole
At the heart of each of these goals is the need to advance and simplify how data and metrics are used for two purposes: firstly, to identify, measure and communicate risk; and secondly to prioritise and justify actions that will reduce the risks that matter most, efficiently and sustainably.
With resources optimised, the cyberteam can work more effectively and ultimately enjoy their roles and the value they are bringing, which in turn reduces churn. It’s not a silver bullet, but surely, it’s a sensible place to start.