If you’ve been reading the news headlines recently, then you’re well aware of just how hard it is to keep up with all the potential cyber threats out there. Until recently, the conventional wisdom was that companies should be trying to hire as quickly as possible, boosting their IT security staff in an effort to win the cyber arms race. But as a new report from cyber security firm McAfee points out, companies have other alternatives – including cyber security automation and gamification.
The cyber skills shortage
One major problem that companies face today is the cyber skills shortage. It almost seems like the faster that companies hire new staff, the faster new security risks seem to pop up. That puts a real strain on cyber security operations. It’s no wonder, then, that IT security professionals around the world are feeling the pressure. According to the new Winning the Game report by McAfee, which surveyed more than 300 senior security managers and 650 security professionals from around the world, nearly half (46%) of cyber professionals say that they are struggling to keep up.
And it’s not for a lack of trying, either. On average, says McAfee, companies are increasing staff headcount by 24% to manage all their cyber threat detection needs. That’s an impressive figure, to be sure, but companies are willing to hire even more. The problem here is that it’s just too hard to attract and find new IT talent. Of the McAfee survey respondents, 84% say that it is difficult to attract IT talent. The massive cyber skills shortage means that a large number of companies are fighting over a relatively small pool of candidates.
Cyber security automation
With that as backdrop, it’s easy to see why companies are willing to explore new alternatives to help them with their cyber security needs and the rapidly expanding types of attacks. And one of the most attractive alternatives, according to McAfee, is cyber security automation. In layman’s terms, it simply means getting machines to do more of the heavy lifting. A lot of routine security checks and threat intelligence assessments can be handed over to machines, giving IT security professionals more time to focus on higher value-added tasks.
And the data from McAfee certainly backs that up. 81% of those surveyed said that they would be more successful in their everyday jobs if they had greater automation. So, for companies struggling to find the right IT talent, the answer might be exploring cyber security automation solutions that won’t add to the overall headcount.
Cyber security automation, by encouraging more human-machine teaming, could be the key to making the most productive use of existing assets. Since hackers are using their versions of automated attacks, this means that IT security teams will be fighting fire with fire.
And there’s another element to cyber security automation: artificial intelligence and machine learning. It’s not just that new automated solutions are faster and more efficient – they are also smarter, thanks to breakthroughs in AI. This means that it becomes much easier for IT security teams to spot false positives and track down possible data breaches, all without the need for human intervention. This might make it easier to stop attacks before they even take place.
Another alternative proposed by McAfee in the report is gamification. This basically requires companies to integrate game-like elements into normal cyber security routines, in order to make threat detection easier as well as to unlock the full potential of all the security analysts on the IT cyber security team. In the survey, 96% of respondents reported seeing benefits from integrating these gamification elements.
Examples of gamification include hackathons, capture-the-flag exercises, and red team-blue team competitions. These can be so powerful for many different reasons. For example, hackathons can uncover innovative ways of accomplishing certain cyber security tasks. And capture-the-flag exercises can help IT security team members think in new ways and master new security skills. If they are able to out-smart and out-wit the enemy, then they will be more productive and efficient in their daily work, especially when it comes to incident response.
Boosting job satisfaction in the IT workplace to attract young workers
It is perhaps easy to dismiss the youngest generation for their videogaming habits – but it is precisely these skills that could make them highly desirable team members for any cyber security department. The McAfee report, in fact, suggests that these young videogaming enthusiasts could help to plug the skills gap. More than three in four respondents (78%) said that members of the current videogaming generation would make the best candidates to help cope with all the cyber threats out there.
This points, too, to the fact that creating the right workplace culture is an important feature for any IT cyber security team. By adding elements of gamification, it’s easy to see how companies can create a stronger sense of teamwork as well as create an environment that’s more fun and innovative. And, if you also layer in a cyber security automation component, that might be a very real way to fill the IT cyber skills gap.
Keeping expectations about cyber security benefits in check
While all of these proposed solutions – cyber security automation, gamification and boosting workplace culture – sound great in theory, how well do they actually line up with reality? In the report, for example, there were indications that experienced benefits from cyber security automation may not have met anticipated benefits. This might suggest that companies have an inflated expectation of new technologies, such as cyber security automation.
However, Grant Bourzikas, Vice President and Chief Information Security Officer (CISO) for McAfee, suggests that companies simply need to become better at using new technologies: “I don’t believe there is an inflated expectation but a focus on how technology can be used to solve problems today and tomorrow. To reap the benefits, companies must focus on their ability to drive new processes that link the toolsets together to achieve outcomes from the technology. I do believe our industry can do a better job of recognizing and communicating the results in leveraged technologies like we do at McAfee. From an executive standpoint, these are critical to understand risk, maturity, and leading metric indicators.”
At some point, companies have to make some cost-benefit estimates of whether it is better to embrace cyber security automation or whether it is better to embrace rapid new hiring of IT employees. For the foreseeable future, it looks like companies will side in favor of hiring new skilled professionals, and then investing in their training. That, despite the growing evidence that the anticipated benefits of simply hiring as many employees as possible as fast as possible might far exceed what is seen in reality.
Given the current IT skills shortage, Bourzikas notes that the business case for automation is growing: “The core thing to understand is that cost effectiveness should be measured by the outcomes in which the organization is driving towards. Depending on what those outcomes look like, core investments in processes that track bugs as manual work could be seen as cost effective. Often, organizations focus on reducing threat detection time rather than automating processes, taking away from the core security work that must be completed. There is no question that most security organizations do not have the staffing and talent needed to operate, thus, organizations must work towards automation savings to be able to drive new initiatives or capabilities in their security programs.”
Is there a perfect cyber security strategy?
When it comes to tracking down cyber criminals, there are several alternatives that are possible. The new McAfee report helps to highlight some of the more attractive, cost-effective solutions, including cyber security automation. But it is up to each respective company to come up with a cyber security strategy that makes the best use of existing assets, both machines and humans.