Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

08:00 AM
Connect Directly

Security Talent Gap Threatens Adoption Of Analytics Tools

Finding qualified personnel with the right skillsets to configure and operate analytics platforms is a big challenge today, but workforce development, training, and more intuitive technology could help.

Most organizations are struggling to find security professionals with the right skills to properly operate and maintain security analytics platforms for detection and response. Some experts are looking for ways to close the talent gap via workforce development, training and, in some cases, technology.

The recently released SANS Institute 2015 Analytics and Intelligence Survey revealed that the demand for cybersecurity tools and resources has doubled since 2014. The majority of the 476 respondents (59 percent) cited a lack of skills and dedicated resources as the main obstacles to discovering and acting on cybersecurity incidents and breaches.

Finding these skillsets in today’s marketplace is difficult due to incredibly high demand for top talent that understands system information and event management (SIEM) systems and correlation, forensics, event management, and now, with analytics in the mix, pattern analysis across large diverse datasets, according to the SANS survey commissioned by security tools provider DomainTools.

The skill shortage challenge was ranked third by 30% of respondents in the 2014 survey, indicating that this problem is actually getting worse.

“There is absolutely a dearth of skilled analysts who have familiarity with network technology and the kinds of threat intelligence analytics that come from endpoint devices,” says Tim Chen, CEO of DomainTools. These analysts would need the skills to detect anomalies and take the appropriate measures to respond to incidents. However, that is just one piece of the human capital chain, he says.

Security professionals are pulling various data feeds and log and event data from disparate systems into databases where they can perform advance analytics. Engineers are needed to write application programming interfaces and connect systems together on the backend so security operators can actually analyze the data. That is an often overlooked skillset, Chen says.

Only 3% of organizations in the SANs survey say their analytics and intelligence processes for pattern recognition are fully automated, and another 6% report having a "highly automated" intelligence and analytics environment.

By leveraging technologies and automation, organizations can better distribute their security operations teams’ workloads, putting senior staff to work on more advanced threats, and at the same time, foster the recruitment of top talent.

Many manual processes being performed by senior SOC staff could be automated, including the weeding out false alarms, the generation of responses to help tickets, and the generation of reports that give information about key metrics such as detection success or false-positives, security experts say.

Security vendors are well aware of the need to write rules into their products that can help security professionals better prioritize alerts, says Tim Helming, director of product management with DomainTools. Some of the skills that are most valuable are hard to quantify because they come with judgement, intuition, and experience, and the analyst develops a sixth sense about alerts, which is tough to gauge during the hiring process, he says.

Workforce development crucial

Technology is just one way to address the cybersecurity skills gap. Workforce development is also paramount in addressing the problem, says Richard Spires, CEO of Learning Tree International, Inc. and a former chief information officer of the Department of Homeland Security.

“Clearly there are not enough people who have the skill competency to fill all the jobs in cybersecurity. You can’t hire your way out of this problem,” Spires says.

The IT management and training company recently launched IT Workforce Optimization Solutions, a comprehensive suite of services designed to help IT management plan, develop, and implement strategies to build and sustain high-performing IT organizations. The goal is to help IT organizations develop a culture to support professional development of their staff with an emphasis on skill assessment, individual development plans, training, mentoring, and matching people with the right assignments.

Security pros often get hired away once they reach a certain level of competency, so a key factor in development of individuals is how to retain them and help them feel they are part of a team.

The workforce solutions and services are based on the National Cybersecurity Workforce Framework as defined by the National Initiative for Cybersecurity Education (NICE) and the Skills Framework for the Information Age, which maps the skills of the workforce with the needs of a business.

Automation of technology is an important aspect of the equation to develop and retain skilled analysts, but everything cannot be automated given the complexity of IT environments, Spires says.

“You need on-the-job training to really understand data sets over time,” so once analysts learn about their systems and what is normal, they can automate tasks. However, with today’s IT environments, you still need the human element in the loop to help.  

“I don’t see that changing for some time because of the complexity of our environments,” Spires says.


Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/14/2016 | 5:32:17 PM
Resources already available
This site alreadt covered Stealth Worker. You can use it to get expert cybersecurity people quickly. We did!
User Rank: Author
1/12/2016 | 5:00:46 PM
excellent commentary, Gartner research agrees with you
and yet... the security analytics market is forecast to exceed $7 billion by 2020 despite cybersecurity labor shortage
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Lessons from COVID-19 Cyberattacks: Where Do We Go Next?
Derek Manky, Chief of Security Insights and Global Threat Alliances, FortiGuard Labs,  7/2/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-08
Buffer overflow exists in Geovision Door Access Control device family, an unauthenticated remote attacker can execute arbitrary command.
PUBLISHED: 2020-07-07
An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.
PUBLISHED: 2020-07-07
Victor CMS through 2019-02-28 allows XSS via the register.php user_firstname or user_lastname field.
PUBLISHED: 2020-07-07
A memory leak in Openthread's wpantund versions up to commit 0e5d1601febb869f583e944785e5685c6c747be7, when used in an environment where wpanctl is directly interfacing with the control driver (eg: debug environments) can allow an attacker to crash the service (DoS). We recommend updating, or to res...
PUBLISHED: 2020-07-07
Gossipsub 1.0 does not properly resist invalid message spam, such as an eclipse attack or a sybil attack.