Automation in Cybersecurity – a boon for resource management & talent acquisition teams?

In recent times, no other IT skill-group has witnessed a surge in demand and the resultant mismatch vis-a-vis supply as much as Cybersecurity. Talent acquisition teams are aware of the fact that the number of cybersecurity jobs is increasing at a pace faster than the number of resources joining the workforce. According to the Global Information Security Workforce study conducted by (ISC)², by 2022 there will be 1.8mn unfilled cybersecurity jobs; losses attributable to cybercrime will cost a whopping US$6tn by 2021 according to Cybersecurity Ventures. The talent crunch is a function of multiple factors – availability of the right skills, cost of hiring, and time.

  1. Recruiters are finding it difficult to match the job roles and candidate skills. While the demand for professional certifications has increased, the number of professionally certified candidates is much lower. Organizations are having a re-look at their existing recruitment practices and the way job descriptions are being written.
  2. On average, a cybersecurity professional with a specific skill has more than one job offer in hand. This indicates ‘near-zero’ unemployment.
  3. Alternative hiring practices are gaining currency; retraining resources and revamping retention policies have moved to the realm of strategic decision-making.
  4. Given the rapidly changing nature of the threats, the source-to-on-board time has shrunk drastically.

While the process of standardizing work roles, responsibility areas and specialties is still evolving based on threat perceptions and the nature of attacks/breaches, multiple studies conducted in the past 2-3 years have clearly brought out the fact that at any given point in time, there are more Cybersecurity jobs available than the number of potential candidates/employees.

Automation, the future of cyber-defense and operational efficiency

The dearth of cybersecurity professionals is only a part of the problem. While recruiting more people can be a challenge in the current scenario, organizations are contemplating ways to supplement and supplant cybersecurity functions. One option that has emerged is the introduction of technologies aimed at automating part/s of an organization’s IT/cybersecurity functions.
These technologies can help overcome some of the pressing challenges related to resource availability by identifying, preventing and mitigating cyber threats with less human intervention. The idea is to speed up some of the manual processes that take up anywhere between 60%-70% of the time. Automating the basic security functions can be helpful to an understaffed cybersecurity organization. Automation helps relieve the pressure on skilled resources, who can focus on tackling more complicated security challenges. In the past 3-4 years, new technologies have come into the marketplace which can replace manual intervention in selected functions.

The cybersecurity automation market - evolving concept of SOAR

The introduction of automation tools into the realm of cybersecurity has resulted in the redefining of traditional methodologies. The increasing complexity of IT processes, evolving threats, and the need to integrate multiple security products have given rise to the concept of Security Orchestration, Automation & Response – SOAR, as defined and brought to the fore by Gartner.

“The increasing adoption of SOAR solutions today cannot be explained by drivers described…..Most of the drivers have existed for as long as enterprise and government SOCs have existed; for decades, not years. However, SOAR tools only appeared in mid-2010.

Future security operations. Incident Response and Threat Intelligence teams will use more automation and more consistent processes, and will have to deal with an ever-increasing number of security tools”

Gartner has listed 3 typical use cases for the introduction and use of SOAR technology: Detection & Triage, Security Incident Response (SIR), and Threat Intelligence.

The market for Security Automation & Orchestration is maturing and has witnessed a flurry of mergers & acquisitions in the recent past, indicating that the market is consolidating; Splunk acquired Phantom (Feb, 2018), FireEye acquired Invotas, IBM acquired Resilient, Microsoft acquired Hexadite, and Rapid7 acquired Komand. Some of the other vendors in this market are Cisco Systems, BlueCoat (acquired by Symantec), Palo Alto Networks, and RSA Security. Gartner predicts that the share of organizations with security teams larger than 5 people using SOAR tools will rise from less than 1% today to 15% in 2020.

Talent crunch - a critical market driver

The current trend of skill shortage in cybersecurity is likely to continue for some time. With the increase in the number of threat alerts and attack vectors coupled with continuing product proliferation, more organizations will consider SOAR solutions to unlock the full potential of their analysts and security product suites. Due to staff shortage in security operations, there is a growing need to automate, streamline workflows, and orchestrate security tasks. 

Leveraging cognitive technologies to address cybersecurity talent shortage

Cognitive Technologies such as Machine Learning and Behavioral Analysis are being inducted and applied to speed up processes such as threat hunting, intrusion detection, and incident response. Automation helps to detect and identify threats, and expedite the incident response mechanism for remediation. For example, Machine Learning algorithms help analysts decide which playbooks to use for each incident. These tools observe past decisions on playbook selection and leverage them to provide suggestions to analysts according to the characteristics of the incident.

How does automation impact hiring & resource utilization?

Most organizations are not in a position to hire more people for their cyber defenses, even if resources are available. According to Symantec, on average, 44% of SOC Managers see more than 5,000 alerts each day, but their teams can respond to just 50% of the alerts. This can lead to intrusions, breaches and potential data loss.

SOAR solutions reduce the burden on security analysts, who can devote more time to high priority incidents. The aim of automation is to speed up the time-intensive, manual processes that are mission critical but not a good use of resources’ time. Automation brings about efficiencies in processes while reducing human errors. This results in better time-to-resolution as the investigative processes are automated and tools are orchestrated. Many functions that are being currently performed by the IT staff are expected to get automated in the near future.

The impact of automation can be gauged along 3 important axes:

| Axis | Metric | Indicators |
|---|---|---|
| Resource Count | Headcount | Increase/Decrease or status-quo. |
| Cybersecurity Functions | # of functions automated | Optimum replacement of manual processes with automation |
| Resource Utilization | Time & Cost | Time savings, focus on strategic functions, reduced time-to-response, less human error |

 

However, it has been found that the introduction of automation, per se, isn’t going to reduce the dependence on manpower. In fact, according to a recent study conducted by the Ponemon Institute, an overwhelming 44% of the respondents state that automation will actually increase the need to hire people with more advanced skills. Only 23% of the respondents feel that increased automation will lead to a decrease in the headcount of the IT security function.

 

Limits to automation

Despite the defined benefits of automation, opinion is divided. Practitioners are questioning to what extent organizations should be dependent on automation. Does this mean that in the coming years, as more and more functions are automated, the dependence on manual tasks and processes becomes negligible?

Beyond doubt automation can lead to serious productivity gains and better talent utilization. While a large number of professionals believe that automation will free up time from their daily activities enabling them to focus on more serious vulnerabilities and network security, a smaller number of professionals also believe that automation is not going to substantially improve efficiencies. This is because they believe there are many tasks which would still require human intervention, intuition and experience and cannot be replaced by automation.

Conclusion

Automation in the cybersecurity domain is a reality. The mainstreaming of Cloud technologies has led to an increased need for automating security tools and processes. As more organizations move to the cloud, the demand for automation is expected to rise as this reduces the probability of false positives in investigating security alerts. The use of automation in cybersecurity will rationalize the use of resources leading to time and cost savings.

Despite the obvious advantages, it has been found that companies are generally slow to rely on automated tools based on cognitive technologies (Machine Learning, Artificial Intelligence). One of the key reasons is complexity, the biggest barrier to full deployment and business as usual.
