If you’ve been in the cybersecurity industry for any length of time, then you know we’ve been talking about the industry’s labor gap for years. Decades actually. And it shows no sign of disappearing. According to a Gartner survey, 61% of organizations admitted that they are struggling to hire security professionals.
At this point, it’s fair to say the situation is reaching crisis levels. Training and certification non-profit (ISC)2 released research that estimates the U.S. cybersecurity workforce needs to grow by over 60% in order to meet demand today. That equates to 500,000 jobs. Globally, the situation is worse, requiring growth of 145%. The problem has become so critical that the U.S. Department of Homeland Security called it a “national security issue.”
But despite the huge levels of evidence and discussion, there’s still no clear route to a solution. From my experience as a CEO at a high-growth security analytics and automation company, I don’t believe there’s one quick fix. The solution lies with a combination of technology, processes and people. Artificial intelligence (AI), automation, diverse hiring practices, and a culture of giving back can provide us with the answer.
A Role for Better Technology: Artificial Intelligence and Automation
It’s tempting to point to AI and automation as the answers to just about every business challenge today. In this case, they provide part of the solution but not all.
Machine learning is a branch of AI where prediction algorithms automatically improve through experience. Machine learning and automation have the potential to take on a lot of the mundane work that cybersecurity analysts do, particularly tasks such as prioritizing security alerts, reducing false positives, mapping devices to IPs and their users, and containing, investigating, and remediating threats. Machine learning can also enhance a security team’s abilities, for example, with pattern matching. Machine learning can quickly detect attacker activity, such as lateral movement that would otherwise have required large amounts of time by security analysts. Similarly, machine learning can build out employee profiles, including their peer groups and personal email addresses, to help analysts identify insider threats more quickly.
When machine learning is applied to tasks that are high-volume and repetitive, people can then focus their efforts on problems that require human minds. Our own study has shown that a modern security management solution with machine learning can reduce the time to complete security tasks by 51%. That time savings represents a big dent in addressing the labor shortage. The added benefit of leveraging machine learning and automation is that they can allow security teams to hire junior staff, thus expanding the talent pool, and help them be faster and more productive.
Similarly, an increasing number of repetitive security tasks are being automated. Most of the attention has focused on security orchestration, automation and response (SOAR). Another notable advance is the automatic creation of user and device timelines to provide security analysts with chronologies and context during incident investigations. Fortunately, security teams are generally receptive to automating some of their tasks. According to a recent survey, 88% of cybersecurity professionals believe automation will make their jobs easier.
So, if 50% of an analyst’s time is spent on mundane tasks, for argument’s sake, let’s consider that AI, machine learning and automation could help us tackle half the problem. What about the other half? While technology definitely has the potential to take care of a sizable part of the skills shortage, AI and automation aren’t suited to many of the tasks critical in cybersecurity. Things like interfacing with and teaching end users good security practices and possessing the intuition needed to hunt down bad actors inside and out — they require the experience and expertise of actual (good, committed, skilled) people, not machines.
Delivering on Diversity
There are huge numbers of talented people that the cybersecurity industry is failing to attract. The same survey referenced above from the year prior showed 91% of the cybersecurity workforce is currently made up of white males, which is actually up from 90% in the previous year. People of Asian descent made up just 13% of respondents, while even fewer (9%) were Latino/Hispanic. African Americans are represented by less than 3% of respondents to the survey.
The lack of diversity revealed in the survey is a microcosm of the wider problem plaguing the industry. Fighting the continuous threats and external adversaries that cyber professionals face requires a multidisciplinary approach. Building a diverse team of people offers additional perspectives, creates a more holistic view of the problem, and delivers a range of valuable problem-solving skills. In that way, diversity truly improves the overall outcomes of the team.
Another survey by (ISC)² published in April 2019, says women make up about 24% of the U.S. cybersecurity workforce. Even if that sounds more encouraging, clearly there is still work to be done to provide better opportunities for people of every gender and ethnicity.
Organizations such as Advancing Women in Technology, Girls Who Code, Black Girls Code and WiCyS play an important role in bringing women into the industry and enabling them to share knowledge and experience, while also providing companies with access to professionals at every stage of their career development. They deserve the support of the entire cybersecurity industry.
Organizations can also foster diversity and inclusivity from inside their organizations, with programs that invest in women and other under-represented groups, whether the focus is on training and development, fostering community or information sharing. Exabeam and many other forward-thinking cybersecurity companies are already doing this. Okta is a good example. Education on hiring practices that address and root out bias is also essential.
Ultimately, organizations need to become more inclusive and flexible and invest to provide equal opportunities. For a sector chronically short of talent, there’s no excuse for any further lack of progress.
Military Minds
The cybersecurity skills shortage also requires some lateral thinking. For example, military personnel leaving the armed forces often have the aptitude and experience to thrive in the cybersecurity industry. Technical engineering experience, collaboration, an ability to think outside the box, a mindset of defending and the determination to succeed are qualities found in abundance across the military.
Cybersecurity is already an increasingly popular career choice for those transitioning out of the military. Many former military personnel are moving into cybersecurity roles based on directly relevant or transferable skills — including some of our own employees. And as I meet with customers and security leaders, I often learn of their past military experience. In fact, over 50% of the guests on Exabeam’s The New CISO podcast have a military background. On this front, I think it’s simply about more awareness and more opportunity, and it’s incumbent on companies to raise their game, open communication channels and continue giving these high-value contributors a route to a new and rewarding career.
There are some organizations already focused on making headway in this area. An example is the National Initiative for Cyber Education (NICE). Established in 2008, NICE, led by the National Institute of Standards and Technology (NIST) in the U.S. Department of Commerce, is a partnership between government, academia, and the private sector focused on cybersecurity education, training, and workforce development. The mission of NICE is to “energize and promote a robust network and an ecosystem of cybersecurity education, training, and workforce development.” It underlines that all stakeholder groups have a vital shared role to play. My company has even configured our training program to align with the NICE framework.
But we can’t expect the government to intervene on a scale that will solve the labor problem. The onus is on employers to open their doors to people outside their existing workforce and provide job opportunities, training and support. This can include veteran recruitment programs, security and technical training discounts for former military personnel and more.
Giving Back
With that in mind, I think there’s a lot more we can do as an industry.
One thing we have in abundance is knowhow — and we should be sharing it more widely. While there is a great deal of knowledge sharing happening, it tends to be siloed among people already in the industry, at events for the industry. Which is great, but we also need to be reaching new audiences, educating and advocating, and that will require a broader culture of giving back.
At Exabeam, we are beginning to put this into action by enabling our experts to give back to the community through volunteering and mentoring, with an education focus. We even take this approach as a company, focusing on how we can help security practitioners and leaders improve how they work, teaching cyber skills, and offering training, not just showing product demos. We’ve also established a scholarship program for those studying cybersecurity, computer science, programming, data science and related disciplines to encourage more students to pursue an education in cybersecurity.
We hope these efforts will contribute towards widening the opportunity for people who might not otherwise have thought about a career in cybersecurity, while also helping to close the skills gap. If every cybersecurity business got on board with similar programs, collectively we could make a real difference.
So, where do we go from here?
It’s my belief that difficult problems can be tackled with fresh eyes, critical thinking and smart new approaches, along with persistence and teamwork.
One of Exabeam’s core values is the belief that by working together we can win together. A team mentality enables efficiency, productivity, and responsiveness — and allows us to rely on each other for success, achieving more than we could alone.
I think we can apply the same thinking here. It starts by serving others and being responsible members of the cybersecurity community at large. It requires investing in education and learning opportunities for the next generation of cybersecurity professionals. It means opening our eyes to fresh perspectives and adding new voices to our teams. It means reaching across industries to recruit talent. And of course, it means leveraging technology to the best of our ability to help security practitioners work more efficiently.
I envision a future where organizations have all the cybersecurity resources they need. Where they achieve increased security and reduced risk because technology, processes and diverse people converge to make it happen. I hope other organizations and leaders will join me in working towards a solution that will bring that vision to life.
