Most organizations are struggling to find security professionals with the right skills to properly operate and maintain security analytics platforms for detection and response. Some experts are looking for ways to close the talent gap via workforce development, training and, in some cases, technology.
The recently released SANS Institute 2015 Analytics and Intelligence Survey revealed that the demand for cybersecurity tools and resources has doubled since 2014. The majority of the 476 respondents (59 percent) cited a lack of skills and dedicated resources as the main obstacles to discovering and acting on cybersecurity incidents and breaches.
Finding these skill sets in today's marketplace is difficult because demand is so high for top talent that understands security information and event management (SIEM) systems and correlation, forensics, event management and, now that analytics is in the mix, pattern analysis across large, diverse datasets, according to the SANS survey commissioned by security tools provider DomainTools.
The skill shortage challenge was ranked third by 30% of respondents in the 2014 survey, indicating that this problem is actually getting worse.
“There is absolutely a dearth of skilled analysts who have familiarity with network technology and the kinds of threat intelligence analytics that come from endpoint devices,” says Tim Chen, CEO of DomainTools. These analysts would need the skills to detect anomalies and take the appropriate measures to respond to incidents. However, that is just one piece of the human capital chain, he says.
Security professionals are pulling various data feeds and log and event data from disparate systems into databases where they can perform advanced analytics. Engineers are needed to write application programming interfaces and connect systems together on the back end so security operators can actually analyze the data. That is an often overlooked skill set, Chen says.
Only 3% of organizations in the SANS survey say their analytics and intelligence processes for pattern recognition are fully automated, and another 6% report having a "highly automated" intelligence and analytics environment.
By leveraging technologies and automation, organizations can better distribute their security operations teams’ workloads, putting senior staff to work on more advanced threats, and at the same time, foster the recruitment of top talent.
Many manual processes performed by senior SOC staff could be automated, including weeding out false alarms, generating responses to help tickets, and generating reports on key metrics such as detection success or false positives, security experts say.
Security vendors are well aware of the need to write rules into their products that can help security professionals better prioritize alerts, says Tim Helming, director of product management with DomainTools. Some of the skills that are most valuable are hard to quantify because they come with judgement, intuition, and experience, and the analyst develops a sixth sense about alerts, which is tough to gauge during the hiring process, he says.
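The two automatable tasks the article names, suppressing known false alarms and reporting on detection-success and false-positive metrics, together with the alert-prioritization rules vendors build into their products, look roughly like the following in practice. This is an added illustration written for this page, not code from DomainTools or from any product the survey covers; the alerts, suppression rules, asset labels and analyst dispositions are all constructed sample data.

```python
# Added example: a small rule-driven alert triage pass of the kind the text says
# could take work off senior SOC staff. All alerts, rules and dispositions below
# are constructed sample data, not output from any real SIEM.
from collections import Counter

# Constructed sample alerts as a SIEM might emit them.
SAMPLE_ALERTS = [
    {"id": 1, "rule": "port_scan", "src": "10.0.0.5", "count": 400, "asset": "vuln-scanner"},
    {"id": 2, "rule": "port_scan", "src": "10.0.0.77", "count": 350, "asset": "workstation"},
    {"id": 3, "rule": "failed_logon", "src": "10.0.0.20", "count": 3, "asset": "workstation"},
    {"id": 4, "rule": "failed_logon", "src": "10.0.0.20", "count": 120, "asset": "domain-controller"},
    {"id": 5, "rule": "dns_newly_registered", "src": "10.0.0.9", "count": 1, "asset": "workstation"},
]

# Suppression rules encode what analysts learned is "normal" for this environment,
# the knowledge the article says only comes from watching data sets over time.
SUPPRESS = [
    lambda a: a["rule"] == "port_scan" and a["asset"] == "vuln-scanner",  # authorised scanner
    lambda a: a["rule"] == "failed_logon" and a["count"] < 5,            # typo-level lockout noise
]

# Base severity per detection rule; escalated when the target is a critical asset.
BASE_SEVERITY = {"port_scan": 2, "failed_logon": 3, "dns_newly_registered": 4}
CRITICAL_ASSETS = {"domain-controller"}

def triage(alerts):
    """Return alerts not matched by a suppression rule, highest priority first."""
    kept = []
    for a in alerts:
        if any(rule(a) for rule in SUPPRESS):
            continue
        score = BASE_SEVERITY.get(a["rule"], 1)
        if a["asset"] in CRITICAL_ASSETS:
            score += 3
        kept.append({**a, "priority": score})
    return sorted(kept, key=lambda a: a["priority"], reverse=True)

def metrics(alerts, dispositions):
    """Detection-success / false-positive report built from analyst dispositions
    ({alert_id: "true_positive" | "false_positive"}) on the triaged alerts."""
    tallies = Counter(dispositions.get(a["id"], "untriaged") for a in alerts)
    reviewed = tallies["true_positive"] + tallies["false_positive"]
    fp_rate = tallies["false_positive"] / reviewed if reviewed else 0.0
    return {"reviewed": reviewed, "true_positives": tallies["true_positive"],
            "untriaged": tallies["untriaged"], "false_positive_rate": round(fp_rate, 2)}

if __name__ == "__main__":
    queue = triage(SAMPLE_ALERTS)
    print([(a["id"], a["priority"]) for a in queue])
    print(metrics(queue, {4: "true_positive", 5: "false_positive"}))
```

The suppression list is where the "sixth sense" Helming describes gets written down: each entry is one analyst judgment turned into a repeatable rule, and the metrics report shows whether those rules are actually cutting false positives.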
Workforce development crucial
Technology is just one way to address the cybersecurity skills gap. Workforce development is also paramount in addressing the problem, says Richard Spires, CEO of Learning Tree International, Inc. and a former chief information officer of the Department of Homeland Security.
“Clearly there are not enough people who have the skill competency to fill all the jobs in cybersecurity. You can’t hire your way out of this problem,” Spires says.
The IT management and training company recently launched IT Workforce Optimization Solutions, a comprehensive suite of services designed to help IT management plan, develop, and implement strategies to build and sustain high-performing IT organizations. The goal is to help IT organizations develop a culture to support professional development of their staff with an emphasis on skill assessment, individual development plans, training, mentoring, and matching people with the right assignments.
Security pros often get hired away once they reach a certain level of competency, so a key factor in the development of individuals is how to retain them and help them feel they are part of a team.
The workforce solutions and services are based on the National Cybersecurity Workforce Framework as defined by the National Initiative for Cybersecurity Education (NICE) and on the Skills Framework for the Information Age, which maps the skills of the workforce to the needs of a business.
Automation is an important part of the equation for developing and retaining skilled analysts, but not everything can be automated given the complexity of IT environments, Spires says.
“You need on-the-job training to really understand data sets over time,” so once analysts learn about their systems and what is normal, they can automate tasks. However, with today’s IT environments, you still need the human element in the loop to help.
“I don’t see that changing for some time because of the complexity of our environments,” Spires says.