A CISO Challenge: Cybersecurity Talent Shortage

Mark Leary, Chief Information Security Officer, Regeneron Pharmaceuticals

With the year-over-year increase in cybersecurity incidents, the demand for cybersecurity professionals has equally increased. A recent survey of over 1,200 IT leaders found that 60 percent struggled to recruit cybersecurity talent and 67 percent said the lack of qualified candidates created greater risk to the company. In fact, 80 percent indicated that at least one data breach was attributable to the cybersecurity skill gap. There are simply not enough cybersecurity professionals, and cybersecurity leaders will need to develop several strategies to address demand.

Reduce dependence on staff performing transactional tasks by using AI/ML and automation

One effective strategy for addressing the cybersecurity talent shortage is to rely less on staff and more on intelligent automation. Cybersecurity personnel, mainly operators, spend an incredible amount of time poring over logs and alerts, manually hunting for and remediating threats. As an alternative, Artificial Intelligence/Machine Learning (AI/ML)-powered threat identification, detection, and response, which learns and continually improves, can reduce analytical effort and improve situational awareness.

Cybersecurity staff, analysts and operators alike, also want to be liberated from time-consuming, routine, transitional tasks so they can focus on more important work. Complementary to AI/ML, Security Orchestration, Automation, and Response (SOAR) solutions and tools allow organizations to optimize cybersecurity operations in threat and vulnerability management, incident response, and cyber operations automation. SOAR solutions can save operational cycle-time, reduce manual errors, and allow cybersecurity staff to focus on important activities. In both cases, the investments can save both time and effort while potentially improving retention through more challenging and rewarding activities than dreary and mundane tasks.

At Regeneron, we made the investment in applying SOAR-like automation technology in a novel manner.  Our centralized security monitoring and alerting platform provides alert feeds to our security incident response case management tool that, in turn, creates security tickets based on predefined rules.  Using Robotic Process Automation, we use orchestrators and bots to monitor their assigned ticket queues to perform standardized procedures, such as blocking spam or cleaning malware from devices, to free up our human staff to deal with the more complex security incidents.

Supplement retained staff with staff augmentation and managed security services providers

Many cybersecurity leaders have overcome staffing shortages through a mix of staff augmentation and managed security service providers (MSSPs). Staff augmentation can include arrangements with service providers or contracting with independent contractors to provide technical assistance or subject matter expertise. As a strategy, this approach has several advantages in addressing the shortage of cybersecurity professionals. Under the staff augmentation model, contracting for temporary requirements and disengaging once those requirements have been met is significantly faster than identifying, recruiting and hiring staff. Staff augmentation requires minimal contracting effort, can scale up or down quickly, and has minimal impact on the existing operating model of a cybersecurity organization.

The MSSP model differs from staff augmentation. An MSSP offers a set of defined security services based on measured outcomes at a flat fee. A managed security service typically consists of the provider's technology deployed and tuned to the customer's on-premises and/or cloud environments. With an MSSP, a dedicated team keeps up with current threats and instruments its technology to protect its customers around the clock. The MSSP market has matured over the past years and become a reliable, stable source of cybersecurity services at a known quality for CISOs to pull from.

However, there are some disadvantages in both cases. The cybersecurity team will eventually lose their subject matter expertise with little choice in the matter. Temporary individual contractors or consultants, who have intimate knowledge of the company’s cybersecurity needs, will be required to leave over time or face significant tax consequences.  Likewise, with the MSSP, companies have very little leverage over MSSP staff retention or the vetting of qualified replacements.

For a CISO managing the cybersecurity talent shortage, it’s a careful balance of staff augmentation and MSSPs to support a cybersecurity team. One model that has worked in the past is to reserve the management layer and higher-level knowledge workers as retained staff, use staff augmentation for technical engineering or project-based activities, and use an MSSP for the highly transitional, routine tasks or specific subject matter expertise. This is not a generic recipe and tailoring is expected; many cybersecurity teams have different needs based on the size, scale, and technology of the company they serve.

Leverage nontraditional sources of cybersecurity talent

Also due to the cybersecurity talent shortage, cybersecurity leaders are required to get creative in attracting and hiring cybersecurity professionals. Expanding the aperture to underutilized cybersecurity talent pools should include underrepresented groups such as diversity candidates, former veteran or government employees, and other nontraditional sources of candidates.

As an example, Historically Black Colleges and Universities (HBCUs) have played a major role in science, technology, engineering, and math (STEM). HBCUs produce 32 percent of Black bachelor's degree-holders in STEM fields including cybersecurity. HBCUs with leading cybersecurity programs are Grambling State University, Hampton University and Talladega. Cybersecurity leaders should leverage their talent acquisition teams to engage with these institutions.

Neurodiverse individuals with autism spectrum disorder, dyslexia and dyspraxia have also proven to be a great source of cybersecurity talent. These individuals possess strengths in pattern recognition and analytics, are detail-oriented and, combined with focus and integrity, are well positioned for a cybersecurity role. They possess an exceptional aptitude to observe patterns from the “noise” that may be indicators of an attack. This pool is still vastly underleveraged.

There are several public-private partnerships that companies may want to consider partnering with. One example is the Cybersecurity Talent Initiative, which allows participants to complete a two-year placement with a federal agency, then two years at the partnering private sector company. For military veterans, CyberVET is an initiative dedicated to transitioning veterans, often with no IT background, to develop cybersecurity skills. These programs do require some sponsorship from participating companies but can help establish a pipeline of qualified cybersecurity professionals.

Another strategy to close the gap is by using more capabilities-based job specifications that focus on the abilities workers already have. From there, the company can build upon these innate capabilities with training to grow the individual into the role. IT support staff with technical skills like troubleshooting and repair only need a few key skills like incident response or computer forensics to qualify as a cybersecurity analyst. My best SOC Manager was a gaming enthusiast with a Sociology degree who was originally hired to build high-end desktop workstations.

Searching for cybersecurity recruits with specific cybersecurity degrees and certifications will constrain your talent acquisition team and narrow the candidate pool too much. Investing in automation, balancing the resource mix of retained staff and outsourcing, and broadening the search to include nontraditional sources of talent will help companies address the critical need for cybersecurity talent.