Cyber security leaders know it’s tough to recruit and retain top talent. But exclusive new research reveals the true scale of the challenge. 45% of CISOs surveyed feel their teams can’t keep up with technological change, while 46% are too busy to learn about the latest cyber threats.
Based on responses from over 3,000 security professionals, High Alert Chapter 2 analyses today’s skills crisis and recommends ways to overcome it, by:
- Looking beyond traditional candidate profiles
- Re-energising your cyber security training and education programs
- Lightening the load on your existing resources by adopting an integrated security platform.
Exclusive new research conducted on behalf of Symantec highlights the challenge that CISOs and security leaders face in trying to find, attract and retain cyber security professionals. Existing talent struggles to keep pace with the rapidly-evolving technology landscape, the supply of talent is far outstripped by demand – and salaries are rocketing. Without a radical rethink, organisations are simply not going to be able to scale their cybersecurity teams.
It’s time for change.
What is the High Alert series?
Based on the opinions of over 3,000 security decision makers in the UK, France and Germany, with analysis from CISOs and Dr. Chris Brauer, Director of Innovation at Goldsmiths, University of London, the High Alert series lays bare the real state of cyber security in 2019 – and what you can do to regain the initiative.
Each of the four chapters explores a different cyber security topic. Combining insights, analysis and recommendations, you’ll learn how your organisation can master cyber security for the cloud generation: protecting your reputation, sustaining customer trust, guarding against financial penalties, and balancing budgets and resources.
Building over the coming months, the High Alert series will address four topics:
- High Alert Chapter 1: Perfect Storm
- High Alert Chapter 2: The Skills Crisis
- High Alert Chapter 3: After the Breach
- High Alert Chapter 4: The Security Environment of the Future
Alongside new intelligence and analysis, you’ll learn how cyber security industry leader Symantec offers an alternative approach to help you cut through today’s cyber security chaos.
Perfect Storm: Cyber Security Now
Cyber attacks are more sophisticated and capable than ever before. For most of the population major breaches and exploits are the stuff of news headlines. But for cyber security professionals, today’s aggressive threat landscape is a daily reality. Their mission? Addressing seemingly endless attacks from an increasingly professional, well-funded, highly motivated and experienced array of adversaries.
As cyber security professionals work to face down this evolving threat landscape, they do so short of qualified personnel and in the face of wide gaps in strategic and operational information sharing. For cyber security decision makers, these challenges are felt at a deeply individual and personal level.
Cyber security: the psychological impact
A career in cyber security requires focus, extreme attention to detail, creative problem solving and rational decision making in high-pressure scenarios. But with increasing regulation, better-equipped attackers, growing complexity of the digital estate and thousands of alerts going off at the same time, security leaders are overloaded. This overload can have a serious impact on their ability to make sound decisions.
Sensory overload, fatigue and stress impair memory, disrupt rational thinking and negatively impact every cognitive function we have. Studies show that when you’re stressed, signals in the brain associated with factual memories weaken, while areas in the brain associated with emotions strengthen. Whilst the human brain is adept at many things, dealing with vast quantities of information and alerts can hamper our cognitive function. The more information and alerts we receive, the more numb we become to them.
Even just the anticipation of stress can impact cognitive function throughout the day. A study from Penn State showed those who woke up feeling as though the day ahead would be stressful experienced problems with working memory; a function which helps people learn and retain information even when they’re distracted. Researchers say the anticipation of stress impacts cognition, even if a stressful event does not occur. – Penn State ‘Experiencing a Stressful Day May Lower Cognitive Abilities Throughout the Day.’ Neuroscience News, 3 July 2018.
Symantec wanted to better understand the impact of these pressures on the cyber security industry. How do security leaders view their industry and their workloads? How do they see the threat landscape changing? And how well equipped do they feel to deal with bad actors infiltrating their networks?
In collaboration with Dr. Chris Brauer and Goldsmiths, University of London, Symantec surveyed over 3,000 security decision makers across three countries – France, Germany and the UK. The aim was to gain real insights from those at the coalface.
The picture painted will be both poignant and familiar to readers within these roles, but it also raises an important fact: the industry cannot afford to continue like this.
Stress dramatically impacts our ability to make good decisions. It impairs your memory, disrupts rational thinking and negatively impacts every cognitive function you have. In an industry like cyber-security, which requires focus, creative thinking, attention to detail and rational decisions in high pressure scenarios – stress can be crippling. Highly stressed workers are far more likely to be disengaged and ultimately quit. In an industry already suffering a skills shortage, this kind of stress can present a significant risk. – Dr Chris Brauer, Director of Innovation, Goldsmiths, University of London.
Navigating the perfect storm
Security leaders are overwhelmed. Two thirds of cybersecurity decision makers (65%) feel they are being put in a position where they are set up for failure. Additionally, 82% report feeling ‘burnt out’, 63% think about leaving the industry, and 64% think about quitting their job (figure 1).
But the overwhelming workload and pressure of the role doesn’t seem to deter them from the mission. Most security leaders appear to be adrenaline junkies: 92% say they are fully immersed in their work and its potential to make a difference, even when it’s stressful. Security leaders tend to be motivated by high-pressure situations and find their work environment thrilling, even though it’s challenging (figure 2).
Cause and effect
But what is causing the sense of overwhelm that so many professionals in the industry are feeling? According to the research, there are numerous causes, but four stand out.
The leading source of strain for cyber security leaders is government regulation. More than four in five (86%) reported that mounting regulation, such as GDPR and the NIS Directive, was increasing pressure in their role. Two in five reported concerns that they would be held personally liable for a data breach.
Attackers gaining ground
The second biggest issue is the rise of the adversary and an increasing volume of threats and alerts. The level of sophistication, motivation and organisation in cyber-crime today is more comparable to mature enterprises than to the stereotype of the hooded lone hacker. Attack groups are agile and persistent, continually probing for weaknesses and moving swiftly to exploit those they discover. Some 82% said that having ‘too many threat alerts to deal with’ was increasing the pressure in their role. Just over half (55%) feared dismissal if a breach happened on their watch.
Growing enterprise complexity
The size and complexity of the estate being defended is also increasing pressure. Whether through digital transformation, merger and acquisition, an increasingly connected and distributed workforce, or simply a question of scale – the attack surface is expanding. Four in every five security leaders (82%) agreed that having to secure too much data in too many places is making the job more stressful, costly and complex. In mature organisations, cyber defences have often grown piecemeal over time. Simply maintaining legacy defence technology is a significant burden.
The ever-present skills gap
Four in every five (80%) reported that insufficient skills in their workforce is causing increased pressure. In many cases, the existing base of experienced cyber security professionals has been ‘outdated’ by the rise of cloud and mobile. Almost half (48%) of respondents believe attackers now have the skills advantage over the defenders (figures 3 & 4).
These challenges are not only adding to the stress felt by security professionals (figure 5), they are also making it more difficult for them to keep their business safe.
Security infrastructure sprawl
There’s a certain irony in the fact that efforts to protect the enterprise are themselves increasing stress. 79% reported that managing ‘too many cyber defence products or vendors’ was increasing the pressure within their role.
Multiple security products and services generally mean a large number of alerts – all coming from different places, each with its own schema and severity scale, and often describing the same event more than once. And there’s only a finite pool of people within an organisation that can review and resolve these. Two thirds (68%) of cyber security decision makers said they’d felt ‘paralysed’ by the overwhelming volume of threat alerts. A third (33%) reported that threat alerts, designed to help keep a business safe, are making the situation worse due to their sheer volume (figure 6).
In the face of such huge workloads, the majority of those questioned (67%) said their cyber security teams left work at the end of the day with threat alerts left unreviewed. The volume appears to be impacting the security of enterprises. Already 41% of security leaders believe a breach is inevitable. A third (32%) say their organisation is currently vulnerable to avoidable cyber security incidents. A quarter (26%) admitted they have already suffered one of these.
This sense of being overwhelmed is having an impact on their role (figure 7).
Quantity certainly isn’t the answer when it comes to security services. But if the answer lies in quality, many security leaders feel under-resourced and ill-equipped to provide it (figure 8) – particularly with attackers becoming increasingly savvy.
In an increasingly broad and capable threat landscape, how do cyber security leaders move out of a state of personal overload? The answer lies in moving from a reactive and fragmented model, to a consolidated and strategic one. Yet to invest the time, energy and resource into defining and executing against a cyber security vision, they must first regain control of the finite human resources such an approach would free up.
One of the biggest factors at play here is the overhead that goes into managing a patchwork of IT security vendors across a vast, rapidly evolving IT estate. A patchwork approach to cyber defence creates vulnerabilities and overburdens cyber security teams.
This tension is underpinning a push towards simplicity and integration across the industry; fewer vendors, less complexity, and more centralised management. With this transformation, the cyber security industry is entering the platform era.
An open standards security platform, such as Symantec’s integrated cyber defence (ICD) platform, gives a modern foundation on which to build. It integrates security data feeds, cutting duplication, improving accuracy and speeding decision making. With the ICD platform, security leaders can add new security solutions as required (typically cloud-centric ones such as CASB and cloud workload protection) and feel safe in the knowledge that they will integrate quickly and easily. The ICD platform’s automation capabilities mean that new solutions won’t require time-intensive manual patching and maintenance, or the manual integration of new data sources into reporting and compliance workflows. With these capabilities, it becomes far easier to hand selected functions off to managed services. In an industry with a severe skills shortage, an integrated platform enables cyber security professionals to minimise mundane tasks in favour of proactive, higher-level work that adds more value.
A pathway to protection
There is much for you to consider as part of this approach, but four of the most fundamental elements are:
- Mature and consolidate cyber defences by adopting a platform approach, automating key processes and compliance
- Educate the business on the threat landscape, and demonstrate how cyber security can become a business and transformation enabler
- Be both pragmatic and bias conscious in your efforts to overcome the skills gap – recruit and up-skill a diverse range of talent to tackle the multiple challenges you face
- Define your organisation’s risk posture, securing buy in and ‘sign-off’ from specific business departments and the board.
With skilled talent, the right processes and tools, it is possible to evolve your roles from overloaded and reactive, to confident and strategic. In subsequent chapters of this research series, we’ll explore some of these key factors in how you can work towards overcoming this state of overload.
The current patchwork approach to security tooling and strategy is creating more problems than it solves. There is so much daily noise that it’s near impossible to work out what is most important. Meanwhile the overlaps and chinks between defensive systems present hackers with new opportunities for exploit. The volume of alerts, the constant patching, and rapid emergence of new threat vectors, are absorbing the attention of security professionals, leaving little time for a more strategic approach. – Darren Thomson, CTO EMEA, Symantec.
The Skills Crisis: Tackling the Critical Gap
There was one theme in our research findings that came through loud and clear: overload.
I see a huge risk of burnout in today’s industry. Many people are operating at their limit. When you look at the hours on top of the day job, you don’t have to be a rocket scientist to know that it’s going to take its toll. Some of the people most at risk are those fresh into the CISO role. They are of course very ambitious, very smart, very competent people. But as time goes on, it becomes clear that it’s a challenging post to adapt to. – Dr Steve Purser, Head of Core Operations, ENISA, former financial sector CISO.
IT security leaders feel overworked and behind the curve compared to their criminal competition. There are many factors contributing to this – regulation, growing technological complexity, and increasingly skilled and well-equipped hackers.
However, one of the single biggest issues compounding this perception is a long-standing one: The Talent Gap. According to IDC’s recent Western Europe Security Survey, 97% of European enterprises agree there’s a security skills shortage, which is having a negative impact.
It’s a remarkable statistic. It means only 3% of enterprises in Europe believe the industry has the requisite talent to deliver on its mandate – to ensure business integrity and protect sensitive company, customer and shareholder data. According to the 2018 (ISC)2 Cybersecurity Workforce Study, there’s a shortfall of around 142,000 cybersecurity professionals across EMEA – a significant shortage. At the Symantec CISO Forum, in February 2019, delegates agreed that six months was the minimum amount of time it takes to hire a security specialist, with nine to 12 months not being unusual. Pure pragmatism meant that those CISOs were perfectly prepared to upskill those they hired, with attitude, mindset and potential more than making up for a lack of experience.
Indeed, so much of cyber security has changed in recent years, particularly as a result of cloud and mobility, that a lack of baggage (such as a ‘defend the perimeter’ mindset) was described as potentially advantageous.
The impact of a continuous skills shortage
The impact of an on-going skills shortage is that it drains those who are already in position, making them overworked and stressed as they end up operating in a ‘make it through the day’ mindset. All too often, the workforce feel they cannot keep up with their workload, which leaves them unable to get on the front foot, or upskill themselves and adjust to technological change (figure 9).
Clearly, if their environment does not allow enough time for continuous development, cyber security professionals’ skillsets will gradually become outdated. This explains why delegates at the Symantec CISO Forum felt much of the current base of cyber security professionals, who have anywhere between 10 to 30 years’ experience, have found the rise of cloud and mobility such a challenge to deal with. Declining skills are highly problematic for cyber security professionals, who are effectively in an arms race, in which talent and skill are their most important weapons. Unfortunately, enterprises feel they are falling behind in precisely this area (figure 10). Our research discovered almost half of those surveyed (48%) believe attackers now have a raw skills advantage over defenders, and 44% say their team lacks the necessary skillset to combat cyber threats.
If cyber security professionals are feeling overworked, stressed and see themselves falling behind in their own skillset, it is hardly surprising that around two thirds are considering changing their role or leaving the profession altogether. For employers the battle isn’t simply recruitment, but retention too.
As first responders to potential attacks, cyber security leaders are in a constant arms race of skills and resources of their teams versus those of threatening attackers. To this end, leaders in the survey believe attackers have the advantage. – Dr Chris Brauer, Director of Innovation, Goldsmiths, University of London.
Addressing the skills gap
CISOs report their success in the recruitment and retention of cyber security professionals comes down to an appreciation from elsewhere in the business of just how hiring is impacted by the laws of supply and demand. Organisations that are naturally keen on standardisation and transparency can find it difficult to distinguish between IT and cybersecurity salaries.
Typically, CIOs allocate 4-8% of the IT budget to security. Yet significantly increased costs for hiring and retaining security talent (figure 11) will put CIOs, CISOs and security leaders in the position of having to argue for funds beyond these budgetary norms. As ever, evidence can only aid understanding.
As well as budgeting appropriately to hire new staff, it’s absolutely essential for organisations to improve the skills of the current workforce – an issue at the very heart of the talent gap. Firms simply must invest in in-house or third-party education services to address this challenge. That investment isn’t simply a case of allocating a training budget, but ensuring staff have the time and space to learn.
Think outside the box
It’s also worth noting that the skills cyber security teams require go beyond just the technical ones. High level management skills and a commitment to bringing on the next generation of leadership are also essential.
The CISO role today is much broader than it used to be. There’s more emphasis on being able to relate the technical aspects to the business aspects. This is alongside having the right personal attributes – the soft skills, such as communication – which are needed to bring people together to solve problems. This is why the really good people in the security industry are far more than just technically skilled. Especially in the higher ranks, you will see people who have a good mix of technical and soft skills, which enables them to implement control frameworks that really work. We should also think about growing the next generation of CISOs from the start of their careers. We need to support them through all the different phases, from their 20s through to their 40s or 50s. You need solid experience to do this job. – Dr Steve Purser, Head of Core Operations, ENISA, former financial sector CISO.
As we will see in next month’s Chapter Three: After the Breach, cyber security professionals could also do much more to learn from one another than is currently the case. Sharing the right information, at the appropriate time and in the right way, could go a long way to helping more staff upskill effectively.
Still, even with the luxury of a realistic budget for training in place, a gap of 142,000 cyber security professionals in EMEA means most companies are still going to struggle to find people to hire.
Organisations therefore need to find complementary alternatives that can help free up time for skills development and ease the recruitment burden.
IDC points to a four-step model: consolidate the security estate, move to cloud-delivered security, automate, and make smart use of managed services. Each step is discussed below.
As highlighted in Chapter One: Perfect Storm, the cyber security estate has become incredibly complex and can easily contain more than 100 different point solutions from a huge mix of vendors. Consolidating that estate, or using a cyber security platform to integrate it, both improves security and reduces the time taken to manage it manually.
An integrated cyber defence platform can also de-duplicate alerts from multiple systems. Freeing up existing security professionals’ time like this can ease the need to recruit and improve retention. If staff are less overworked and more in control of their time, they’re more capable of focusing on their own professional development.
Cloud and mobility are rewriting the way data is captured, stored and managed. Modern cyber security is designed to operate around cloud-centric computing and can itself be delivered as a cloud service. Security which is embedded within the main control points – web, email, network and endpoint – gives far greater control, goes unnoticed by end-users, and is a step towards a ‘set and forget’ security infrastructure. Being ‘in the sinew’ like this means less manual management is required.
Automation can help address the security skills gap at two levels. First, an integrated security platform – by correlating, cross-checking and prioritising data across multiple security products – can reduce the volume of alerts and highlight those that really matter. In addition to reducing the volume of alerts analysts have to contend with, it can support workflow to automate reporting and compliance; the key challenge for cybersecurity professionals identified in Chapter One: Perfect Storm. This relieves mundane manual administrative tasks, enabling time-pressed cyber security professionals to focus on higher value activities.
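The de-duplication and cross-product correlation described here, and earlier under ‘Security infrastructure sprawl’, come down to a few mechanical steps: map each product’s alerts onto a common schema, merge alerts that describe the same asset and indicator within a time window, and rank the result so that an indicator seen independently by several products outranks one product firing repeatedly. The Python below is an added illustration of those steps; it is not code from this report or from any Symantec product. The product names, field names, hostnames, hash and URLs are constructed for the example, and the scoring rule (severity multiplied by the number of independent sources) is one simple choice among many.

```python
"""Added example: normalise, de-duplicate and rank alerts from several products."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Alert:
    source: str        # product that raised the alert (constructed names)
    ts: datetime
    host: str          # asset the alert concerns
    indicator: str     # file hash, URL or similar the alert was keyed on
    rule: str          # product-specific rule or verdict name
    severity: int      # 1 (informational) .. 5 (critical) on a common scale


# Per-product adapters mapping each vendor's field names onto the common schema.
# These field names are made up for the example, not any real product's export format.
FIELD_MAP: Dict[str, Dict[str, str]] = {
    "endpoint": {"host": "hostname", "indicator": "sha256", "rule": "detection"},
    "email": {"host": "recipient_host", "indicator": "attachment_sha256", "rule": "verdict"},
    "proxy": {"host": "client", "indicator": "url", "rule": "category"},
}


def normalise(raw: dict) -> Alert:
    """Translate one raw alert dict into the common Alert schema (case-folded keys)."""
    m = FIELD_MAP[raw["product"]]
    return Alert(
        source=raw["product"],
        ts=datetime.fromisoformat(raw["time"]),
        host=raw[m["host"]].lower(),
        indicator=raw[m["indicator"]].lower(),
        rule=raw[m["rule"]],
        severity=int(raw["severity"]),
    )


@dataclass
class Incident:
    host: str
    indicator: str
    first_seen: datetime
    last_seen: datetime
    sources: Set[str]
    rules: Set[str]
    raw_count: int       # how many raw alerts were folded into this incident
    max_severity: int

    @property
    def score(self) -> int:
        # Independent products agreeing on the same host/indicator add confidence;
        # repeated alerts from a single product do not.
        return self.max_severity * len(self.sources)


def correlate(alerts: Iterable[Alert], window: timedelta = timedelta(minutes=30)) -> List[Incident]:
    """Fold alerts on the same (host, indicator) within `window` into one incident, rank by score."""
    incidents: List[Incident] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        for inc in incidents:
            if inc.host == a.host and inc.indicator == a.indicator and a.ts - inc.last_seen <= window:
                inc.last_seen = a.ts
                inc.sources.add(a.source)
                inc.rules.add(a.rule)
                inc.raw_count += 1
                inc.max_severity = max(inc.max_severity, a.severity)
                break
        else:  # no open incident matched: start a new one
            incidents.append(Incident(a.host, a.indicator, a.ts, a.ts, {a.source}, {a.rule}, 1, a.severity))
    return sorted(incidents, key=lambda i: i.score, reverse=True)


def triage(raw_alerts: Iterable[dict]) -> List[Incident]:
    """Full pipeline: raw vendor dicts -> normalised alerts -> ranked incidents."""
    return correlate(normalise(r) for r in raw_alerts)


# Constructed sample feed: one phishing attachment seen by the email gateway and then
# three times by the endpoint agent on the same host, a proxy hit from that host,
# and an unrelated low-severity proxy alert elsewhere. Hash and URLs are placeholders.
SAMPLE_ALERTS = [
    {"product": "email", "time": "2019-05-02T09:02:10", "recipient_host": "WS-0123",
     "attachment_sha256": "AB12CD34EF56", "verdict": "malicious-attachment", "severity": 3},
    {"product": "endpoint", "time": "2019-05-02T09:05:41", "hostname": "ws-0123",
     "sha256": "ab12cd34ef56", "detection": "Trojan.Gen", "severity": 4},
    {"product": "endpoint", "time": "2019-05-02T09:05:42", "hostname": "ws-0123",
     "sha256": "ab12cd34ef56", "detection": "Trojan.Gen", "severity": 4},
    {"product": "endpoint", "time": "2019-05-02T09:06:00", "hostname": "ws-0123",
     "sha256": "ab12cd34ef56", "detection": "Trojan.Gen", "severity": 4},
    {"product": "proxy", "time": "2019-05-02T09:07:15", "client": "ws-0123",
     "url": "http://198.51.100.7/c2/beacon", "category": "malware", "severity": 3},
    {"product": "proxy", "time": "2019-05-02T11:40:00", "client": "ws-0456",
     "url": "http://example.org/ads.js", "category": "suspicious", "severity": 1},
]

if __name__ == "__main__":
    for inc in triage(SAMPLE_ALERTS):
        print(f"score={inc.score:2d} host={inc.host} indicator={inc.indicator} "
              f"sources={sorted(inc.sources)} raw_alerts={inc.raw_count}")
```

On the constructed feed, six raw alerts collapse into three incidents, and the one corroborated by two independent products ranks first even though every individual alert in it was below critical. The window check is against the incident’s last activity rather than its first, so a slow-burning campaign stays in one incident while a genuinely separate recurrence weeks later opens a new one.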
Second, machine learning and artificial intelligence can change the game entirely. Symantec Targeted Attack Analytics (TAA), for example, draws on vast telemetry data lakes to expose attack patterns occurring in the customer environment. TAA takes a holistic view of the customer’s company and their industry to determine the source, scope and impact of an attack in a matter of hours. The manual equivalent would not only take months, it would also be unfeasible for most organisations to fund.
Given the talent gap, it is no surprise that Managed Security Services is the fastest growing segment of IDC’s European Security Forecast. Conventional wisdom is to ‘get the house in order’ before looking to externalise a service (this work itself might use third party support) as a typical patchwork environment is difficult to hand over to a managed service provider.
When the security estate is ‘in good order’, threat intelligence, security monitoring, endpoint detection and response are some of the most attractive areas to externalise, as they are technically demanding and require many of the most sought-after skills. Externalisation helps to address other significant challenges. These include operating the security estate 24x7x365, providing sufficient resources to monitor the global threat landscape, and the complexity of analysing high volumes of network data to identify direct concerns and relay them back to the organisation. Identifying and responding to incidents can also require other specialist skills and a certain level of tradecraft, which comes from outside the typical corporate cyber security environment – such as military or law enforcement.
Security monitoring, threat intelligence and response needs strength and depth in people, processes and technology. We already manage the world’s largest civilian threat intelligence network, operating six SOCs and nine response centres. It’s a global infrastructure and level of specialisation that few end-user organisations could ever match. Having this breadth of experience and development opportunity makes it easier to attract and retain top talent than it is for a company that does not have security as its core business. – Duncan Evans, EMEA Director, Managed Security Services, Symantec.
Reducing the complexity of cyber security, using cloud-delivered security, increasing automation and deploying managed services smartly can all help to deliver improved rates of staff retention. In addition to lowering the overall workload, these steps remove the more mundane, repetitive and low-value tasks from security teams’ workloads. As a result, staff can focus on more rewarding, higher-value work – which can only help firms in the fierce competition to attract, and keep, top talent.
Modern integrated cyber defence platforms have a role in addressing the skills crisis because they help save time – and security leaders can use this extra capacity to focus on skills development for themselves and their team.
But clearly there is still a core need to secure budget to invest in cyber security professionals and, even then, there is the challenge of recruitment.
The clear message from the Symantec CISO Forum was to ensure ‘no stone is left unturned’ in addressing the skills gap – which is a chronic, systemic issue that will take years to resolve. So any technology which can provide an edge in the shorter term should be welcome, while the benefits of longer-term initiatives take time to manifest.
There are several ways to address the skills gap. Hiring an experienced interim to do some of the heavy lifting or lead a transformation programme can relieve a huge amount of pressure while you focus on building the team. It’s a buyer’s market, so you have to have an attractive proposition. Ask yourself if your environment is putting potential recruits off, or if there’s unconscious bias in your recruitment process. Think carefully about what you have to offer, because you will have something distinctive which will be right for someone – this could be as simple as creating a part time role, job share or flexibility in terms of location. At Savanti we’ve had great success in hiring candidates who are returning to work following time off to raise young children. Provided you create the right environment and are prepared to try new approaches, there is talent out there. A diversity of mindsets and backgrounds strengthens the team; whether a psychologist, a marketer, someone from HR, risk or legal. You can try a secondment to see if there’s a good fit. The key is to find smart people with transferable skills and train them up. Build a pipeline of talent. – Richard Brinson, CEO Savanti, and former CISO at Unilever, RS Components and Sainsbury’s.
A similarly rigorous, conscientious approach should be taken when scouring for talent. A recognition and celebration of diversity is not only ethical, it is plain old common (and business) sense.
The 2018 (ISC)2 Cybersecurity Workforce Study reports that only 24% of the workforce is female, which suggests there’s an immediate scope to consciously recruit from a larger pool of candidates. Similarly there are many people with high potential, and at least some requisite skills, to be found outside the more renowned universities from which corporates tend to recruit. It should also be recognised that some of the most important cyber security roles are not technical.
Thinking different pays off
End-user behaviour, from lack of awareness to wilful non-compliance, usually causes security teams the most work (figure 12), while phishing is currently the biggest external threat. One Symantec CISO Forum delegate shared her experience of hiring a psychologist into the security team. Following a number of initiatives – such as praising those who reported a potential threat, test phishing emails and ‘external email’ warnings – the firm’s phishing simulation click rate dropped from 27% to 8% in just 12 months. That’s a single recruit, with no technical skills, who both improved the firm’s security posture and saved their new colleagues considerable time.
Having a well thought out security architecture and an agreed set of robust procedures, which have been properly tested – are all things that can reduce stress. Ultimately, if you do your job correctly, put the flags where they’re supposed to be, and you communicate well – whatever happens, you’re not in the firing line. – Dr Steve Purser, Head of Core Operations, ENISA, former financial sector CISO.
The benefits of an integrated approach
Every challenge facing today’s security leaders – as revealed by the High Alert findings – is being compounded by a patchwork approach to security tooling and strategy. Bolt-on point solutions are adding unnecessary complexity to IT estates, creating new vulnerabilities and overburdening cyber security teams.
Symantec’s overarching recommendation is that organisations must move from a reactive and fragmented approach to a consolidated and strategic one. Yet to invest the time, energy and resource into defining and executing against a cyber security vision, they must first regain control of the finite human resources such an approach would free up.
This tension is underpinning a push towards simplicity and integration across the industry as security professionals demand a more integrated approach. Managing cyber defences more holistically means fewer vendors, less complexity, and more centralised management – with reporting and shared telemetry across every layer of defence.
A mature, well-integrated cyber security function can give businesses a competitive edge, both complementing and taking advantage of digital transformation. Taking a streamlined, security platform-based approach will go a long way in helping to address many of the issues identified in High Alert – and help protect cyber security talent from overload.
Your journey to comprehensive protection
There’s lots to think about as part of this approach but these four pillars are especially important:
- Mature and consolidate cyber defences with a platform approach, to enable the automation of essential processes and compliance efforts
- Educate the business on the risks posed by today’s threat landscape, and demonstrate cyber security’s role in enabling business transformation
- Retain and upskill staff to overcome the skills gap – while being both pragmatic and conscious of bias in pursuing a diverse recruitment strategy
- Define your risk posture, collaborating with different stakeholders and adapting to their needs to earn buy-in from colleagues and sign-off from the board.
Summary and Next Steps
If you want your organisation to reduce cyber security complexity, and enjoy proactive, holistic protection with a reduced management burden, it’s easy to get started with Symantec Integrated Cyber Defense.
We’ll work with your cyber security specialists and partners to complement, streamline and ultimately transform your existing security infrastructure at a pace that suits your organisation.