Dark Reading is part of the Informa Tech Division of Informa PLC
Security Talent Gap Threatens Adoption Of Analytics Tools

Finding qualified personnel with the right skillsets to configure and operate analytics platforms is a big challenge today, but workforce development, training, and more intuitive technology could help.

Most organizations are struggling to find security professionals with the right skills to properly operate and maintain security analytics platforms for detection and response. Some experts are looking for ways to close the talent gap via workforce development, training and, in some cases, technology.

The recently released SANS Institute 2015 Analytics and Intelligence Survey revealed that the demand for cybersecurity tools and resources has doubled since 2014. The majority of the 476 respondents (59 percent) cited a lack of skills and dedicated resources as the main obstacles to discovering and acting on cybersecurity incidents and breaches.

Finding these skillsets in today’s marketplace is difficult due to incredibly high demand for top talent that understands security information and event management (SIEM) systems and correlation, forensics, event management, and now, with analytics in the mix, pattern analysis across large, diverse datasets, according to the SANS survey commissioned by security tools provider DomainTools.

The skill shortage challenge was ranked third by 30% of respondents in the 2014 survey, indicating that this problem is actually getting worse.

“There is absolutely a dearth of skilled analysts who have familiarity with network technology and the kinds of threat intelligence analytics that come from endpoint devices,” says Tim Chen, CEO of DomainTools. These analysts would need the skills to detect anomalies and take the appropriate measures to respond to incidents. However, that is just one piece of the human capital chain, he says.

Security professionals are pulling various data feeds and log and event data from disparate systems into databases where they can perform advanced analytics. Engineers are needed to write application programming interfaces and connect systems together on the backend so security operators can actually analyze the data. That is an often overlooked skillset, Chen says.

Only 3% of organizations in the SANS survey say their analytics and intelligence processes for pattern recognition are fully automated, and another 6% report having a "highly automated" intelligence and analytics environment.

By leveraging technologies and automation, organizations can better distribute their security operations teams’ workloads, putting senior staff to work on more advanced threats, and at the same time, foster the recruitment of top talent.

Many manual processes being performed by senior SOC staff could be automated, including weeding out false alarms, generating responses to help tickets, and generating reports on key metrics such as detection success or false positives, security experts say.

Security vendors are well aware of the need to write rules into their products that can help security professionals better prioritize alerts, says Tim Helming, director of product management with DomainTools. Some of the skills that are most valuable are hard to quantify because they come with judgement, intuition, and experience, and the analyst develops a sixth sense about alerts, which is tough to gauge during the hiring process, he says.

Workforce development crucial

Technology is just one way to address the cybersecurity skills gap. Workforce development is also paramount in addressing the problem, says Richard Spires, CEO of Learning Tree International, Inc. and a former chief information officer of the Department of Homeland Security.

“Clearly there are not enough people who have the skill competency to fill all the jobs in cybersecurity. You can’t hire your way out of this problem,” Spires says.

The IT management and training company recently launched IT Workforce Optimization Solutions, a comprehensive suite of services designed to help IT management plan, develop, and implement strategies to build and sustain high-performing IT organizations. The goal is to help IT organizations develop a culture to support professional development of their staff with an emphasis on skill assessment, individual development plans, training, mentoring, and matching people with the right assignments.

Security pros often get hired away once they reach a certain level of competency, so a key factor in development of individuals is how to retain them and help them feel they are part of a team.

The workforce solutions and services are based on the National Cybersecurity Workforce Framework as defined by the National Initiative for Cybersecurity Education (NICE) and the Skills Framework for the Information Age, which maps the skills of the workforce with the needs of a business.

Automation of technology is an important aspect of the equation to develop and retain skilled analysts, but everything cannot be automated given the complexity of IT environments, Spires says.

“You need on-the-job training to really understand data sets over time,” he says; once analysts learn about their systems and what is normal, they can automate tasks. However, with today’s IT environments, you still need the human element in the loop to help.

“I don’t see that changing for some time because of the complexity of our environments,” Spires says.

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government.

Comment, 1/14/2016, 5:32:17 PM: Resources already available

This site already covered Stealth Worker. You can use it to get expert cybersecurity people quickly. We did!
Comment, 1/12/2016, 5:00:46 PM: Excellent commentary, Gartner research agrees with you

And yet... the security analytics market is forecast to exceed $7 billion by 2020 despite the cybersecurity labor shortage.