In 1911, IBM founder Thomas Watson Sr. is said to have first uttered his trademark slogan “Think” when he was managing sales at National Cash Register. In 1997, Apple told us to “Think Different.” And when it comes to addressing the cybersecurity skills gap, both pieces of advice make sense: Executives need to step back and think about how to address that gap, but they also need to expand their possible options by thinking a little differently.
The yawning chasm that is our current cybersecurity skills gap is only going to get bigger in the coming years. And it’s not because we’re not churning out smart college graduates, increasing pay scales or giving security engineers more and better tools to ply their trade.
In fact, trying to solve the cybersecurity talent crunch through traditional mindsets is a losing strategy. Addressing the people shortage is not going to solve the problem. We will continue to have large, gaping holes in our cybersecurity coverage, no matter how many security engineers we hire.
That’s because you can’t solve the cybersecurity skills problem with people. At least, not just people.
Obviously, the cybersecurity skills gap is real, imposing, and worth every moment your HR people and CISO spend on trying to plug it. Industry group ISACA points out that 40,000 security analyst jobs go unfilled every year–and that’s just in the United States. Data from the U.S. Bureau of Labor Statistics indicates that more than 250,000 cybersecurity jobs are currently open, and the global cybersecurity talent gap is pegged at about 2 million by 2020. Computer Economics notes that security professionals are, far and away, the toughest technical position to fill, according to business executives surveyed annually by the researcher.
So yes, by all means, ramp up your cybersecurity staffing budget. No one is saying that organizations–be they global 1000-class enterprises, cybersecurity consulting firms, or security-as-a-service specialists–can get by with their current staffing levels. But hiring more people is not a scalable solution–not when more than a million new malware samples surface every single day and new or improved tactics are being leveraged by the bad guys. There are many reasons why, not the least of which is the sheer cost. After all, salaries for cybersecurity professionals are rising fast; the median salary of a cybersecurity specialist eclipsed $94,000 in 2018. Add in typical benefits and overhead, and the cost of a typical cybersecurity FTE will jump to over $150,000.
How many of those people did you say you needed?
Instead, with nods to Mr. Watson and the folks at Apple’s ad agency, the solution is to think, and to think different.
By think, we mean step back, take a pause, and reassess what people can and can’t do when it comes to addressing the mounting cybersecurity problem–and think about what you really want them to do. And by think different, we’re talking about considering new ways to use those people and how to use technology more strategically as a force multiplier in cyber warfare.
Having talented people is obviously important, but relying primarily on human capital is a deeply flawed model, for one critical reason: It. Doesn’t. Scale.
Instead, organizations need to put more wood behind the arrows of simplification and automation in order to make a serious dent in the current cybersecurity deficit, let alone try to get ahead of the problem. And one of the smartest moves organizations can make to simplify how they conduct cybersecurity is to move toward streamlined, efficient solutions that address cybersecurity in a seamless, connected approach, rather than employing best-of-breed solutions for every new emerging class of threat. In order to address the problem with a solution that scales where adding more headcount does not, it’s time to deploy more holistic solutions that drive improved business results, not act as another cost center.
Automation is the real game changer here, especially when you realize that we, as an industry, have only begun to scratch the surface on what machine learning algorithms can do. Earlier forms of automation, such as scripts and run-books, are fast giving way to more sophisticated tools with embedded analytics that spot trends faster and more reliably than humans can, and with automated response mechanisms that protect digital assets and remediate problems in a fraction of the time that even an army of security analysts would need. And developing, deploying, and managing more applications and workloads in the cloud is a huge step forward toward innovation that doesn’t require hiring surges.
Security platforms and machine learning-based automation also promote the development and utilization of improved process discipline to address problems in real time. Those approaches also enable the critical step of simplifying the management of those tasks heretofore performed by overworked security professionals whose initial training may not have prepared them for rapidly emerging threats.
Many fundamental security tasks should already be on your cybersecurity automation hit list, like patching, password management, authentication, data correlation, and many others. And while automation doesn’t eliminate the need to hire more qualified cybersecurity professionals, it does allow your team to focus on ways to align with business peers to turn cybersecurity from a cost center into a competitive advantage with measurable benefits.
Last year, Palo Alto Networks chairman Mark McLaughlin wrote in this space: “The future of the digital age, from a technological perspective, is bright, so long as secure innovation continues.” Today, Mark’s words are more apt than ever. And to get to a more widespread state of secure innovation, we’ll need to get smarter about solving the security staffing shortfall while also becoming more creative in our use of technology to simplify and automate many cybersecurity tasks.