It definitely doesn’t apply to SMBs in light of my previous post which asked the question, “What’s a small defender to do?” without skilled expertise. That post queried if the vacancy numbers included SMB staffing needs, since they can’t afford to hire them. Luckily, there are more companies and IT professionals who are trying to serve the SMB segment. Part 6 of our series on helping the little guys touched on general strategies for SMBs, to start with. The key point is for SMBs to recognize the need to start somewhere, and do something.
In light of what’s driving the skills gap, will any strategies give the small defender a chance?
Impacts on the Enterprise
The word from the private sector is that there is no doubt that the skills shortage is being felt, often impacting the existing staff shouldering the load. Also impacted is the ability to integrate desired solutions or optimize defenses because there simply aren’t enough staff available. In his article, “The scary state of the cybersecurity profession”, John Oltsik shares some of his research and says,
“Cyber security professionals believe that continuous education is a key ingredient of their profession, but they are stressed out, overworked and can’t keep up. Furthermore, they are being asked to increase their daily workloads because their employers can’t staff an adequately sized cyber security department. Since the global cyber security skills shortage shows no sign of dissipating, is there any doubt that things will continue to get worse?”
It certainly seems like SMBs will have to compete with the enterprise for expensive expertise for some time.
Software Will Eat the World
One of the reasons for the skills gap is that the use of all things digital, and the internet, exploded so quickly. The problem is that the underlying cyber security foundations were never set in place, so with explosive growth came explosive vulnerability. There’s an expression that “software will eat the world”. Without trustworthy systems and devices, everything else, like software coding, must be pretty close to perfect (free of vulnerabilities and design errors). Despite a few best efforts, that doesn’t often reflect reality. As a result, additional platforms, devices and applications will generally add to the attack surface options for adversaries. Small defenders may not have much control over the code of applications they use in their business, but they can advocate for best practices and make security a criterion for the things they use.
Impact on Future Staffing
The article, “Security skills shortage is real, and it’s not going away anytime soon” reflects this idea:
“We have a model that basically says ‘I accept the world of software as is and I am going to patch everything at a systemic level,'” he said. It is an approach that is basically unsustainable in the long term. A company that has 600 security professionals today might require 1,000 in a few years – and still not be secure.”
Predicting and satisfying staffing needs may both be problematic for the enterprise. Will there be any trickle-down benefit for small defenders as large defenders sort it out?
What we believe are adequate staffing levels for tomorrow, … could prove inadequate if the pace of change continues to accelerate. At this rate, will cyber security awareness and skills training become mandatory for everyone? Better just start that right away. Will everyone from the janitor and up, require a black-belt in IT security? Kids will start their training in kindergarten. Will we soon see collector cards, board games, toys, TV shows and Cyber Defender Dude cartoon heroes, and see the return of secret encryption decoder rings, but real ones, in cereal boxes?
For those thinking that surely the education system is on this, the article, “Top U.S. universities failing at cyber security education” informs us that,
“It is going to take 20 years to get where we need to be in having schools at all levels have security teachers and professors teach security to students so the workforce is stacked with security experts.”
It seems few computing science programs include much in the way of cyber security. No one seemed to see this coming, because education efforts would have had to ramp up about a decade ago.
Outsourcing is one of the most common and feasible strategy options suggested for small defenders. While some operational tasks or secure services can be outsourced to alleviate staffing shortfalls, there remain problems to be aware of. You can outsource a task, but it’s hard to outsource responsibility for customer data, or legal liability! This goes hand-in-hand with the concept of moral hazard. That is, will your MSSP or service provider go the extra mile to protect the data when it’s not their data? It’s yours! SMBs need to make sure expectations about performance are crystal clear and hold providers accountable. What’s needed are technologies which enable data owners to retain control of their data even if they are taking advantage of provided services, or the cloud.
Another promising option we’re hearing a lot about lately is automation. There are many articles about the need for automating security due to the complexity of IT systems, data overwhelm, and human fallibility when it comes to making judgement decisions safely. The demands for better detection and quicker response times are real incentives to go in this direction.
Gunter Ollmann suggests this direction as option one in his post, “Closing the Gap on the Infosec Skills Shortage”. He includes automating operational tasks in his list of desirable automation goals and says,
“At a minimum, new innovations and advancements in security products should not require additional operational staff to manage a newly deployed security product.”
In a thoughtful post on the topic, “Security Automation: Striking The Right Balance”, Nathan Burke says,
“In every exercise, there is a balance between the utility of knowing how to do a task, and the efficiency of automating the work.
“… when considering automation, ask yourself: Will this eliminate a task that my team can learn and grow from, or will it eliminate a task that’s making them inefficient? Finding the balance is key for effective security teams.”
What About in a Skills Vacuum?
Automation seems not only desirable, but necessary for enterprises with security staff. Helping existing security staff to perform better and extend their productivity is a good thing. MSSPs and service providers helping SMBs might benefit. What about when there is no security officer to begin with? Is it possible to extend what doesn’t exist?
SMBs need complete automation and orchestration of security operations. But SMBs need this combined with AI, for the one-man IT shop, or business owner who is not a security guru. Period.
I’m talking about goal and outcome driven security operations. One knows what needs to be done, or protected, but does not necessarily know how to do it themselves. SMBs need the equivalent of the driver-less car for cyber security, so they can request an outcome and let the AI engine apply the work processes, automatically.
That’s one of the reasons why Trustifier has developed TUX AI. It’s suitable for SMBs that lack security expertise and simply can’t afford it. TUX AI will provide security expertise, built-in, at a fraction of the cost of a human operator. And when you have something like TUX AI running security operations for you, then you can also put it to work on the cyber security backbone of your compliance efforts as well. Trustifier is making TUX AI, complete with a natural language interface (NLP), a core component of the Trustifier cyber security and compliance solutions going forward.
Original art work by Scott Lewis.