In an interview with IT Pro Portal, Darren Thomson, Chief Technology Officer for cybersecurity firm Symantec, discusses the skills gap. He addresses if organisations should be fearful of it, and to what extent. He gives actionable insights on what businesses can do to make immediate change in the recruitment of more skilled workers, as well as future steps. And finally, he tackles the idea of artificial intelligence (AI), and this new technology's role in helping businesses across the world bridge the ever increasing skills gap.
How real is the skills gap? How worried should businesses be?
The cyber security skills gap is having serious and undeniable consequences. Unsurprisingly, nearly 100 per cent of European enterprises agree there’s a security skills shortage, according to IDC. Symantec’s new report, High Alert: Skills Crisis, found nearly half of European cyber security leaders believe their teams are falling behind in the skills race against their criminal counterparts.
However, it’s not that organisations should be worried, they are worried. They know that this critical gap translates into an increasingly strained workforce whose skills development is hampered by work overload and burnout and, ultimately, an increased threat to enterprise security.
Across Europe over a third of cyber security leaders report their teams are unable to manage the sheer scale of current workloads. Here in the UK, 55 per cent of cyber security professionals report feeling responsible for an incident that could have been avoided. It’s worrying enough knowing that the enemies are at the gate, let alone knowing the people defending you are outgunned and burned out.
The shortage of appropriately skilled people is forcing some individuals to leave their roles, indeed the industry, when they simply cannot cope with the workload any longer. The recruitment challenge pushes up salaries and encourages ‘job hopping,’ which causes further disruption in an area of the business you’d want to be very stable. It also necessitates extensive use of contractors, who are often expensive, and not necessarily fully aligned with the organisation.
The issue is exacerbated when we look beyond large metropolitan areas. We know this from speaking with members of our CISO Forum who tell us that recruiting outside of metropolitan areas is an even harder challenge, along with recruiting for what might seem ‘less desirable’ brands.
How can businesses make immediate changes in the recruitment of more skilled workers?
At the Symantec CISO Forum, in February 2019, delegates agreed that six months was the absolute minimum amount of time it takes to hire a security specialist, with nine to twelve months not being unusual. For those with even the briefest of experience, salary expectations were sky high. Organisations need to hire more quickly, and in a more diverse and inclusive way to ensure the largest possible pool of candidates. There is also growing acknowledgement of the need to allow new recruits to be trained up from scratch (even with the risk they then leave for one of those big salaries offered elsewhere).
The ongoing lack of female participation in the industry is a continued concern, and the biggest area of opportunity. The 2018 (ISC)2 Cybersecurity Workforce Study reports that only 24 per cent of the workforce is female; which shows immediate scope to consciously recruit from a larger pool of candidates. Businesses must think about their work environment and create flexible ways for people to work that match their requirements. Above all, they must reach out to everyone, provide access to opportunity and excellent support from mentorship to formal development schemes.
As we look beyond the existing pool of cyber security recruits, there’s a wealth of untapped talent. There’s a huge opportunity for the industry to recruit and train underserved populations including under-resourced young adults, ex-police and military veterans. These groups have real potential to fill in-demand cyber security jobs.
We must also look beyond technical skills to bridge this gap. Identifying and addressing the key factors facing an organisation’s security can help inform how best to support the wider security team. Recent 451 research shows that 37 per cent of security workloads are driven by user behaviour. By tackling internal security challenges, security professionals can massively cut down workload, and time.
For example, a Symantec CISO Forum delegate recently shared her experience hiring a psychologist to tackle challenges with end-user behaviour within her organisation. Following a number of initiatives – such as praising those who raised a potential threat, to test phishing emails and ‘external email’ warnings – the firm’s phishing simulation click rate dropped from 27 per cent to 8 per cent in just twelve months. This savvy initiative both improved the firm’s security posture and saved the security function considerable time and workload.
You say we "cannot recruit our way out of this crisis" - so what are the next steps?
Organisations need to find alternatives that can help free up time for skills development and ease the recruitment burden. Yet, it’s essential that these tools don’t become part of the problem. They must work only to reduce the complexity of cyber security and lessen the burden on the workforce. By taking a considered and logical approach, leaders can bolster their teams and free up time to tackle new aspects of the job that add value and drive engagement through:
- Rationalisation: rationalise by consolidating the security estate or implementing a cyber security platform to improve security and reduce manual management time
- Embedding security within the main control points web, email, network and endpoints can give greater control that goes completely unnoticed by end-users, moving parts of the organisation towards a ‘in the sinew’ security infrastructure
- Automation through an integrated platform reduces the volume of alerts analysts have to contend with and supports workflow to automate tech admin tasks, reporting and compliance, giving the workforce time to embrace new skills
- Externalisation: externalise technically demanding elements, such as threat intelligence, security monitoring, endpoint detection and response, to address challenges such as complex analysis of high volumes of network data and resource monitoring the global threat landscape
Lowering the overall workload and removing the more mundane, repetitive and low-value tasks from security teams’ workloads allows staff to focus on the more rewarding, higher value work – which can only help firms in the fierce competition to attract, and keep, top talent.
What about the role of AI? Can this help with some of the heavy lifting?
Machine learning and AI can elevate defence levels, without triggering huge amounts of additional manual resource. Take Symantec’s Targeted Attack Analytics (TAA) for example: TAA enables vast telemetry data lakes and exposes attack patterns to give a holistic view of an organisation and their industry to determine the source, scope and impact of an attack in just a matter of hours. If we compare this technology to a manual equivalent, we’d be looking at months of labour, let alone the immense cost involved that, for many organisations, would be simply unfeasible. While it can enable some redeployment of the workforce, the real point of machine learning and AI is that it brings a whole new level of defence. It’s automation of workflows, reporting and maintenance (such as updates) will free up cyber security professionals in a far quicker timeframe, and cut out the drudgery that can lead to a less engaged workforce and subsequent mistakes.
How is Symantec working with educational institutions to boost cyber skills training?
The whole industry has had a poor track record in making cyber security a serious consideration for those entering (or re-entering) the workforce. Even within computing and STEM initiatives, cyber security has failed to make its case, with the focus usually on coding.
At Symantec we’re now involved with numerous initiatives, all around the world. In the UK, we’re particularly excited about Symantec’s involvement with TechTeen and our work with iQ4 and its Cybersecurity Workforce Alliance (CWA). The CWA gives our employees the opportunity to act as virtual mentors to university students to guide and deliver the essential soft skills, workplace experience and readiness employers need for roles in cyber security. So not only does it increase the pool of candidates, it means that their new employer benefits from a far faster on-boarding period. As part of our work with CWA, we’ve just launched a pilot scheme with Greenwich University to support thirty-two students develop valuable workplace experience by leveraging the NIST Framework to learn best practice in protecting, defending, responding and recovering from incidents.
Darren Thomson, CTO & Vice President, EMEA Region, Symantec