The 2020 edition of an annual study conducted by the Ponemon Institute and DomainTools is out, and it paints something of a grim picture for the cybersecurity workforce. Security automation appears to have turned a corner and is now more widely adopted by organizations, which are demonstrating much more faith in it than they have in previous years.
This is the third year for the “Staffing the IT Security Function in the Age of Automation” study from Ponemon Institute and DomainTools. The studies in previous years found that organizations were slow to adopt security automation as a solution to the perpetual shortfall in the cybersecurity workforce, citing a lack of trust in artificial intelligence and a sense that automated tools made the situation worse.
What will the cybersecurity workforce look like going forward?
The Ponemon survey encompassed a little over 1,000 respondents in the United States and United Kingdom. Respondents were most often a CIO, chief security officer, business leader, or risk management leader. The organizations were in a broad variety of industries and sizes.
The most important takeaway for IT professionals is that experienced and highly skilled security specialists are still in high demand, and automation is more likely to make their jobs easier than to get them laid off. However, security automation is increasingly being applied to more routine and time-intensive tasks that would have been the province of more entry-level members of the cybersecurity workforce.
The main tasks now being automated are log analysis, threat hunting and malware analysis. It is still relatively uncommon for organizations to hand over breach and attack simulation and provisioning of resources to automated tools.
51% of the respondents now expect that automation will reduce their cybersecurity workforce, an increase of 30% from the previous year, and only 13% felt that automation would have no impact at all on their hiring. However, 68% report that human involvement in IT security is still important and only 24% feel that automation will reduce the need for skilled security personnel. And 74% responded that they believe there are IT security tasks that can never be automated, a number that is actually up 6% from the previous year. Similarly, the number of respondents that believe there are threats that AI will never be able to deal with increased from 35% to 45% in this survey.
All of this would seem to point to continued job security for high-level information security staff and those with substantial experience, but the mood appears to be at least somewhat pessimistic regardless. Of those surveyed, 37% believed that they would lose their own job due to automation in the next four years. An interesting side note here is that none of the respondents to this year’s survey chose the “unsure” option for this question, whereas 7% did last time.
Increased adoption of security automation
For organizations, the key takeaway from this study is that improvements in automated security and machine learning are reducing the burden on skilled IT professionals. 76% of the respondents either use or are planning to use automated IT security measures, and 74% feel this frees the IT staff to focus on overall network security and the most serious vulnerabilities. 60% also feel that this has reduced stress on the IT staff.
Though organizations seem to be anticipating a loss of cybersecurity jobs as more automated measures are implemented, the big changes do not appear to be happening yet. Responses to cybersecurity workforce questions barely changed in the past year. 69% now feel they are “typically understaffed”, down from 75% a year ago. There was very little change in the ability to recruit or retain staff with cybersecurity skills (still a major challenge for most organizations), reduction in personnel due to security automation, or opinions on the need for human involvement.
And while organizations appear to feel more confident in security automation, they aren’t really increasing their use of it as of yet. There was no change in the number of companies currently using automated measures (31%) this year, and there was actually a small reduction (39% to 36%) in those planning to implement such measures in 2020.
Of those that are slow to take up security automation, the leading reasons are lack of in-house experience (53%) and reliance on incompatible legacy IT environments (53%). And in spite of automation being seen as a cost-saving move, 47% of respondents still say they do not have the budget for it. 25% do not feel that current automation options can meet their needs.
Of those that are eager to automate, 82% want to do it to prevent business disruptions and downtime. 72% feel it will help them to meet new compliance standards emerging around the world. The biggest jump was in concern about third-party vendors and business partners, however. This was not on the radar at all last year, but this year 45% of respondents were interested in automation to manage this particular risk.
And though cost savings by reducing the cybersecurity workforce is a fairly common concern, it’s not the leading reason that organizations are considering automation. The most common reasons are to increase productivity of existing IT staff and decrease rates of false positives and negatives (43% each). Companies are also more concerned about improving the speed of threat identification, prioritizing vulnerabilities effectively and containing infections than they are about reducing their IT payroll expenses.
No big changes for a year (or more)?
The results of the survey indicate that while organizations are definitely eyeing more security automation and a smaller cybersecurity workforce in the future, they are not currently implementing radical changes and likely will not be for at least a year.