In what’s been described as an “existential threat” to enterprise, national, and even global security, the past few years have seen a continuous drain on the pool of enterprise cyber security talent. Figures from 2016 confirmed that 86% of companies reported a shortage of professionals available to fill the growing need for skilled information security personnel.
And a study conducted by the Enterprise Strategy Group (ESG) in 2017 cited 70% of cyber security professionals as saying that the skills shortage has had an impact on their organization. More worrying than this was the claim by 45% of organizations that there was “a problematic shortage of cyber security skills.”
This dearth of talent is occurring at a time when cybercriminal networks are pooling resources and upping their game, hacking tools and infrastructure are creating their own “on-demand” or “as a Service” economy, and exploits and malware are increasing in sophistication and developing new methods of spread.
To cope with the demands of this evolving cyber security landscape – and to compensate for the lack of skilled personnel and professional resources – organizations will have to develop their own new methods of information gathering, threat detection, incident response, and skills acquisition.
Enterprise Cyber Security – New Actors and Threats
2014 saw an astonishing 48% increase globally in cyber attacks over the previous year – an upward trend that’s continued ever since. In part, this may be attributed to the expanding attack surface made available by extended corporate networks which now embrace remote and mobile workers, cloud resources, multiple sites, and supply chains. But the increasing number of attack vectors and threat actors must also play a part.
Incidents such as the recent hack on Sony (allegedly linked to the regime in North Korea, as a reprisal for the cinematic release of “The Interview”) and the targeting of biopharmaceutical firms in the U.S. by a unit presumed to be part of the Chinese military have highlighted the increasing involvement of sovereign states and nation-state actors in perpetrating cyber attacks.
With the improved contacts made possible via digital communications, the boundaries between traditional organized crime and cyber-crime are becoming increasingly blurred. Cyber-criminal networks are adopting the logistical, managerial, and financial methods used by mainstream cartels – which in turn are using technology to perpetrate acts of theft and extortion.
Much of this activity is being facilitated by evolving and emerging strains of malware, combined with improving attack methods and tactics. Exploiting IoT (Internet of Things) vulnerabilities has already led to successes like the recent DDoS attacks on Dyn and TalkTalk, while the widespread (and often public) availability of malware code and tool-kits has paved the way for improved campaigns involving ransomware and other malicious payloads.
New technologies such as “file-less malware” are confounding existing detection techniques and fueling advanced persistent threat (APT) campaigns and more subtle breeds of attack, while popular market trends such as the rise of the cryptocurrency market have provided the inspiration for ingenious and profitable attack vectors like cryptojacking.
Enterprise Cyber Security – Acting in a Timely Fashion
The skills shortage in cyber security coupled with the growing scale of the threat landscape and the task of managing information security for the enterprise as a whole have resulted in increased workloads for existing personnel – who may find themselves pulled in all sorts of (sometimes contradictory) directions at once.
Under such conditions, acting quickly in response to identified or suspected threats becomes that much more difficult – and enterprise security and integrity may suffer as a result.
The ESG research study from 2017 cites 22% of enterprise cyber security professionals as feeling that their security teams were not large enough to cope with the size of their organization, with 18% admitting to being unable to keep up with their current workload.
Challenges in Meeting Compliance
Changes to existing law such as the impending General Data Protection Regulation (GDPR) regime in Europe and reactions to developments in the threat environment have resulted in a compliance ecosystem that’s growing in both complexity and stringency.
Keeping up with all the permutations, as well as orchestrating and monitoring all the requirements for data governance, information handling, auditing, documentation, and reporting, is placing increased pressure on the already overworked staff in a poorly populated cyber security sector.
Mixing On and Off-Site Surveillance
As the corporate campus expands to include the individual hardware deployments of mobile and home-based workers, enterprise resources in the cloud, and inputs from supply chain partners or IoT infrastructure, there’s a need to likewise expand the scope of the network security blanket to encompass all of these elements.
This results in an increased number of data sources to manage, endpoints to secure, and external agencies to negotiate secure terms with. And of course, an increased workload for cyber security teams – often with the need to learn new or specialized skills in order to keep pace.
Enterprise Cyber Security – The Need for Advanced Analytics and Tools
Clearly, a reliance on human resources alone may not be enough to ensure enterprise cyber security in the current environment.
It’s for this reason that voices have been raised in support of a greater use of autonomous technologies including automation, Artificial Intelligence (AI), machine and Deep Learning algorithms, and intelligent analytics.
Used in combination, these technologies could in principle enable organizations to identify potential threats and ongoing attacks automatically, with response mechanisms requiring little or no human intervention, and with monitoring and assessment systems capable of predictive, prescriptive, and proactive modes of operation.
The Need for Human Intelligence
But with intelligent automated technologies still at an early stage of development, there’s still a need for qualified human operators to help make sense of the incoming or outgoing data, and to act independently when the occasion demands it.
Expanding the existing pool of threat intelligence databases and online resources has been suggested as a means of increasing access to necessary skills and know-how. And a call for greater collaboration between enterprises (perhaps on a per-industry basis) in sharing skills, knowledge, and threat intelligence has been made, as a means of further addressing the need for both real-time and historical information.
The Need for Extra Hands
Automation and intelligence-sharing aside, there remains a need for organizations to have skilled cyber security personnel on hand. And in an economic situation in which at least 50% of cyber security professionals are approached to consider other jobs at least once a week, enterprises will have to reappraise both their recruitment and hiring practices and the alternatives if the ideal candidates simply aren’t available.
At the recruitment level, candidates may have to be sought directly but more widely from the educational system – whether at community colleges, private technical schools, or other programs. There’s scope here too for partnerships to be formed between enterprises and educational institutions, academic programs, or government organizations.
The creation or definition of new job descriptions and the training or mentoring of existing IT staff and interns to fill them may provide hiring teams with an alternative avenue in obtaining required cyber security skills. Incentives to encourage existing workers to remain with the company must also feature in this strategy.
There’s also some mileage potentially to be had from “outside the box” skills acquisition techniques such as offering bug bounties, traveling Red Teams for hire, and the use of Managed Security Services (MSS) providers.
With little evidence to indicate that the skills shortage will abate any time soon, cyber security professionals must be open to all possibilities in meeting the challenges of an ever-evolving threat landscape.