By Sergio Caltagirone, director of threat intelligence and analytics at Dragos
Dr. Alissa Johnson, Xerox CISO, challenged the audience, community, and myself onstage during our sessions at Gartner Symposium/ITxpo 2017 in Orlando to consider the cybersecurity talent gap. The talent gap question seems straightforward with the favorite answer being, “Yes! More!”
I assert there is no cybersecurity talent gap. If we measure our talent gap traditionally through the ratio of jobs open vs. fulfilled, we’re very far behind. However, that approach fails to critically examine whether all of those thousands of unfilled cybersecurity positions require fulfillment at all. Therefore, I challenge the assumption that feeding an increasing and insatiable demand for cybersecurity professionals is the correct answer.
Here is what we know:
- We grossly misuse our talent and resources by placing valuable human intelligence on tasks ripe for automation.
- We diffuse talent and resources over a wide range of low-risk functions and assets.
- We overuse bolt-on products and rely heavily on staffing due to insufficient visibility and control in current technology to support security operations.
- Many traditional security positions no longer apply as enterprise shifts into primarily cloud-based and hybrid architecture.
The fact is, there is no way to know how many more cybersecurity professionals we require given current inefficiencies and rapidly changing technology. This ongoing transition period rightly challenges our thinking and approach.
Instead, let’s examine the opportunities we’ve not yet fully capitalized:
Technology vendors who build products must partner with those who have experience in security operations to add this use case. Operational failures, not vulnerabilities, cause most breaches. Service and product vendors must enable greater transparency, control, and telemetry for efficient security operations.
Enclave-based and zero-trust models place the highest value assets and business functions in highly instrumented and secure environments. The approach takes a “trust is gained, not given” mentality. These strategies help gather security resources around critical services and reduce the diffusion of talent.
Security operations units lack sufficient engineering support and therefore waste significant talent on automatable tasks. We must instead find ways of maximizing automation opportunities and place our people on problem-solving tasks requiring the unique human intellect.
Enterprises must self-organize into cybersecurity engagement communities supporting each across both industry and threat. Let each business enable the other – do not compete on security – do not exploit the security breaches of others. What is bad for one of us is bad for all of us.
Utilize products that enable cross-organizational defenses (i.e., herd immunity) where attacks against one organization are detected and defended across all other customer organizations. A growing set of cloud products show promise to scale detection and remediation actions across the entire community.
Read “Partners in Data Protection,” which discusses different ways Xerox works with our customers to prevent data from getting into the wrong hands, inside and outside the work environment.*
During this period of transition, we have an opportunity to employ these strategies and capabilities to create more secure organizations and a stronger community. Of course, there is a talent gap. But, solving the deficit will require decades-long investments while there is much we can do now. Let’s focus our efforts on the currently possible!
Sergio Caltagirone hunts evil. He spends his days tracking hackers and his evenings chasing human traffickers. In 9 years with the US Government and 3 years at Microsoft, Sergio has hunted the most sophisticated targeted threats in the world, applying intelligence to protect billions of users while safeguarding civilization through the protection of critical infrastructure and industrial control systems. He co-created the Diamond Model of Intrusion Analysis, helping thousands of others bring more pain to adversaries by strengthening hunters and analysts. He also serves as the Technical Director of the Global Emancipation Network, a non-profit, non-governmental organization (NGO), leading a world-class, all-volunteer team dedicated to ending human trafficking and rescuing victims through data science and analytics, saving tens of millions of lives.
*Updated November 30, 2017.