Is cybersecurity talent shortage a myth?

In this interview for Help Net Security, Ricardo Villadiego, CEO at Lumu, explains why he thinks the cybersecurity talent shortage is a myth and how organizations can overcome this challenge by improving technology.

There’s been a lot of talk lately about the Great Resignation. How has this phenomenon affected organizations’ security posture?

Talent that specializes in cybersecurity was already scarce before the Great Resignation. With threats evolving infinitely, organizations found themselves with the need to hire more talent to operate more security technology. During the pandemic, security became even more complex because most (if not all) of the protection that had been deployed, stayed in the empty offices so the workload of a security team increased dramatically. Of course, this complexity created the perfect situation for the cybercriminal.

An unprotected environment, a distracted end user and an overwhelmed security team – the end result is unavoidable. A data breach or a ransomware incident is almost certain. This has affected the security posture of organizations dramatically. What we are seeing today is something completely unprecedented. And while technologies are readily available, they must be operated in order to offer any value, whether it is protection or detection.

Security teams are very overwhelmed by something that we used to know as alert fatigue. Too many alerts and too little time to know which are the alerts that matter. To this, let’s add “portal fatigue” where SOC teams need to jump from and to different portals to obtain the necessary context about one particular incident. This creates burnout but also frustration among security teams because they are on a road that leads them nowhere.

Why do you think technology is the main culprit?

It is a combination of things but yes, in part technology is to blame. Vendors have made the operation of the technologies they designed an afterthought. These technologies were never made to be operated efficiently.

There is also a certain fixation to technologies that just don’t offer any value yet we keep putting a lot of work towards them, like SIEMs.

Unfortunately, many technologies are built upon legacy systems. This means that they carry those systems’ weaknesses and suboptimal features that were adapted from other intended purposes. For example, many people still manage alerts using cumbersome SIEMs that were originally intended to be log accumulators. The alternative is ‘first principles’ design, where the technology is developed with a particular purpose in mind.

Some vendors assume that their operators are the elites of the IT world, with the highest qualifications, extensive experience, and deep knowledge into every piece of adjoining or integrating technology. Placing high barriers to entry on new technologies—time-consuming qualifications or poorly-delivered, expensive courses—contributes to the self-imposed talent shortage.

How can technology be improved to optimize and simplify the work for current talent?

Technology needs to be built to be operated – months of costly training also means you take our scarce talent out of the job but the threat actor does now and will not wait for your team to be trained to target your organization.

It needs to be easily deployed – technology that takes you months to be deployed should not exist.

Technology that is adaptable to different technology stacks should be favored – changes to your infrastructure for a solution to work should not be a requirement.

The training of the operators of these technologies needs to be optimized, with freely available, user-friendly educational resources.

What role does training play in advancing people’s abilities to cope with growing cybersecurity threats and not feel overwhelmed?

If attacks evolve infinitely, we must evolve our knowledge about them as well. This would address the concern about being overwhelmed. We must focus on the learning, what are we learning today vs. what do not know yet.

Training provides a significant advantage in preparedness to cope with growing and evolving cyber threats. There are two key components to ensuring cybersecurity operators are well equipped to manage cybersecurity threats and not feel overwhelmed, both involve some level of training.

The first component is understanding the nature of these threats. Threats will constantly be evolving. Understanding the latest techniques attackers are leveraging and which threats are most prevalent are key to avoiding targeted attacks. This requires continuous education and training.

The second component is the person’s ability to manage detection and response of these threats by selecting the right solution. Choosing a cybersecurity solution requires experience and knowledge in the field. It’s very specific to an organization’s needs and existing cyber threats.

Training and experience provide cybersecurity operators with the information they need to know what they’re up against and take action accordingly.

Is there a particular method companies should consider to help them retain talent?

Companies need to stay competitive in terms of benefits, pay, etc., but focus should mostly be around establishing the right culture. Cybersecurity professionals have options and aren’t afraid to explore those if their current employer isn’t promoting the right culture.

In addition to culture, it’s important that employees believe in the company’s mission. When they are equally invested in the work they are doing, they will continue to be engaged and feel like they are part of the solution.