Overcoming the perceived cyber skills shortage with automation
May 07, 2021
In this article, we’ll talk a little bit about the perceived cyber skills shortage, then look at how improvements in automation can be a big factor in alleviating some of the challenges.
The cyber skills shortage is a bit of a ‘not this again’ topic (particularly in the Twitter cybersecurity community). However, the frustration with the topic is not about disputing the growing demand for cybersecurity professionals (apparently reaching 4 million last year). I think we’d all agree that security is a growing industry, and we need to employ more people in it.
What people are tired of is that when it comes to interpreting this information, the common reasoning given for this shortfall is that there are not enough skilled people, as if the candidate pool is solely to blame. This can play into existing issues around recognising who has skills, and how to promote and retain them, particularly if they don’t fit the typical image or career path associated with the industry.
Another angle that’s rarely mentioned is empowering existing security teams. That’s where automation comes into play. There are many aspects of a security team’s current heavy workload that can benefit greatly from higher levels of automation, allowing teams to focus on the areas that are going to have the biggest impact.
The cyber skills ‘shortage’
Perhaps using the term ‘cyber skills shortage’ is a bit of a misnomer. The fact is that there are millions of vacant job roles in cybersecurity worldwide, but the industry needs to try a little more ‘out of the box’ thinking to go about solving the problems that arise from that.
Part of it certainly is around hiring – but not because there aren’t skilled candidates. When you’re asking for years of industry experience and certifications that each cost £2000, you’re ruling out anyone who doesn’t already have their foot in the door (and we’ve just agreed this number is too small!) and you’re not getting a diverse group of applicants. The same can be said for recommendations – if you’re working on recommendations from the same network, you can struggle to find the diversity that is hugely important to a successful modern work environment. Skillsets are a similar thing – hiring folks that don’t have a security background can help to apply a really valuable skillset, like data science, to the cybersecurity field.
There are plenty of skilled people out there – we just need to be realistic and inclusive, and look past our biases in order to find them.
Enter automation
Given that organisations are short on security heads, those they have are already stretched – 83% are feeling overworked. One of the best ways to alleviate the problem of not having enough security professionals is to help those you do have become more effective. Enter automation.
There is rapid innovation when it comes to automating cybersecurity practices. An area that’s particularly crying out for automation is reporting and measurement.
A study found that security teams spend up to 36% of their time on reporting. So, automating that reporting is going to save a whole lot of person-hours and free up your security people to actually do security instead of reporting on it.
We should constantly ask ourselves how we can reduce operational costs and maximise the impact of our teams’ work. Automating security measurement processes allows you to scale and reduce the cost of operations by sidestepping all the manual effort.
And once you get the visibility from an automated security reporting tool – i.e. Continuous Controls Monitoring – you can focus your now more plentiful hours on things that are going to have a bigger impact. If you know where you have gaps in your controls, or the machine builds that contain the most vulnerabilities, you can use your time more wisely. ‘A stitch in time saves nine’, and all that.
Automation improves quality and consistency
The more automation brought into a repeatable process, the more it will improve in quality and consistency.
This is absolutely the case with security reporting. If we are asking the same person to do the same stuff over and over, human error can creep in. And that’s not any slight on what anyone’s doing or their performance. It’s just a fact that humans make mistakes more often than automated calculations.
A few industry experts have weighed in on this in our Metric of the Month series. David Fairman noted that ‘Automation drives consistency. When a process is automated, we know that we get accurate results time and time again. That means we have a high level of confidence in the validity of those results and the data is not in question.’
Similarly, Andrew Jaquith said that automation, in the form of Continuous Controls Monitoring, brings value by ‘eliminating the drudgery of collecting controls performance information on a regular basis, and in presenting data in a way that has integrity, regularity and traceability… The keys are consistency and cadence.’
The stuff you automate is usually boring
I think it’s unlikely that people who work in cybersecurity see reporting as the most exciting part of the job. You pull together the same information every day/week/month. Download the same CSV file, apply the same filters, make the same bar charts, and build the same report.
In order to be a candidate for automation, the task in question has to be repeatable. So, anything you can automate is going to be very repetitive. This means if a person is having to do it day in, day out, chances are it will be boring and tedious.
People won’t really want to spend a whole chunk of their time on it.
There’s a career satisfaction and motivation element too. A lot of companies know that a happy team is a more effective team. And your best employees are those that want to be challenged and valued – not told to crack on with the same thing week in, week out. If you’re a security manager or exec and you look at the day-to-day of one of your employees and think ‘I wouldn’t want to do that’, then chances are, neither do they. If a better opportunity comes along, they’ll take it.
To hypothesise a little – there is something to be said for helping with retention and churn. If you can automate away the boring stuff, your team can do things that are more challenging and enjoyable, and they’ll appreciate it. If you can create an environment where reporting and measurement burdens are lifted by automation, that could contribute to improving retention. Perhaps they would think twice before looking at another opportunity elsewhere.
The final word…
Whether you buy into the cyber skills shortage or not, the fact is there are a lot of unfilled cybersecurity positions out there. One of the ways you can help to overcome this problem is by investing in automation. It can help to save person-hours and resources for an already beleaguered security team and allow them to focus on the things that have higher impact, making them a more effective unit. Not only that, but it can help to improve job satisfaction by getting rid of some of the less exciting manual parts of cybersecurity.