Companies won’t ever be able to hire enough qualified pros. Partnering with full-service cybersecurity providers is now a viable alternative.
By Gary Fish
Whether you’re responsible for managing IT security at a large multinational corporation with facilities spread across the globe or at a startup in Boulder or Beaufort, chances are your cyber defenses don’t measure up to the high standards you set when you took the job.
I would also bet that the biggest single reason is an inability to hire enough personnel with the skills and experience necessary to mitigate your worst cyber threats. And even if you have beaten the odds and assembled your cyber dream team, try retaining them when another company comes along tomorrow promising larger paychecks or more authority.
The Resources Gap is Worse Than You Think
There’s no question that the skillsets of today’s top cyber-defense personnel are far superior to those of their predecessors. The problem is that there simply aren’t enough of them to go around. Even individuals with base-level qualifications are getting harder to find, and more expensive to hire.
Worse yet, the gap is getting wider, not narrower. In a well-known 2017 study, Cybersecurity Ventures predicted there will be 3.5 million open cybersecurity positions worldwide by 2021, with at least 500,000 of those unfilled jobs in the U.S. alone. That’s more than triple the shortfall that existed just two years ago.
With cyber-attacks expected to cost global enterprises some $5 trillion annually by 2020, according to a leading cybersecurity expert, companies are under intense pressure to demonstrate they have the security in place to protect against the diverse types of technological and behavioral threats they face.
Many are counting on colleges and universities to start churning out large pools of qualified recruits. But while computer science departments everywhere are making great strides in expanding their undergraduate and master’s programs, most are still years away from producing sufficient numbers of graduates with the qualifications that are most relevant to today’s cybersecurity challenges — let alone tomorrow’s. We’re going to need several dozen Carnegie-Mellons, not just one.
Other promising avenues exist. Women, currently only about 15% of the cybersecurity workforce, are being more diligently recruited than ever before, as are military veterans. Promoting, training and certifying tech-minded staff from within is becoming more common, too. The more daring companies are even hiring kids with cutting-edge IT skills straight out of high school. Geek Squads and Genius Bars also make very good farm teams.
As commendable as these initiatives are, however, they could take up to a decade to have a meaningful impact. In the near to medium term, meanwhile, demand for cybersecurity jobs in both the private and public sectors will continue to far outstrip the available supply of people, a shortage that is exposing organizations to ever-greater levels of risk.
Cyber-Partnerships to the Rescue
If organizations won’t be hiring or training their way to full strength any time soon, then what’s the solution?
In my ongoing discussions with CIOs and CISOs, I’m seeing a much greater willingness to forge close partnerships with specialty companies that can meet some or even all of their cybersecurity mission requirements.
Behind this long-overdue shift in thinking is an acknowledgement among corporate leadership that: 1) cybersecurity has become too specialized, technologically complex and labor intensive to manage only in-house; and 2) digital transformation — in particular the adoption of cloud-based platforms, artificial intelligence-based analytics and open-source software — is making these partnerships a viable option even for something as consequential as their company’s own security.
This new breed of partner is neither a conventional outsourcing firm nor a pure consultancy. Instead, it is deeply embedded with the client and offers hybrid cloud-based and on-premises solutions — plus services like managed detection and response — using data-driven analytics, a high degree of automation and some staffing support. At the top end it can include subscription-based ‘security as a service’ offerings, plus strategic staffing and advisory services.
Enterprise-Level Security for Everyone
A well-designed cybersecurity partner program offers several distinct advantages over a purely in-house operation. These include:
- Adaptability. The cyber-threat landscape is evolving at warp speed, as are the technological countermeasures. Meanwhile, organizational security priorities are shifting in fundamental ways, for example from protection and prevention to detection and response (an overdue acknowledgement that not all cyber threats will be stopped by perimeter defenses). The expectation of rapid adaptability is not something that should be imposed on already overtaxed security organizations.
- Scalability. As threats grow in scope and complexity, companies will fall further behind, putting their systems, facilities, finances and people at risk. Detecting the most advanced persistent threats also will require more data sources, not fewer. This is a significant problem when so many security analysts are already experiencing alert fatigue just from monitoring network data. Partners with strong data science teams can help, for instance by applying machine learning and other artificial intelligence techniques to reduce the noise and highlight the biggest threat signals. Likewise, leveraging the operational efficiencies, rapid elasticity and on-demand resourcing of the cloud is critical in managing analytics at the volume, velocity and variety of today’s threat data. This integration of AI, open-source software and the cloud produces solutions that lift a major work burden from the client’s security team.
- Automation. A third way to address the staffing shortfall is orchestration and automation, which offers a ‘force multiplier’ for overworked analyst teams. The best outside providers can tailor such a system to take account of an organization’s existing policies and procedures, for faster and more automated incident responses.
Finally, from a top- and bottom-line perspective, the biggest advantage of cyber-partnerships is cost-effectiveness. Small and medium-sized businesses are looking at bare-minimum outlays of $1-2 million apiece to stand up a security operations center (SOC) with three shifts of three analysts each, plus backups. Organizations with more than 5,000 employees require even more expansive (and expensive) cybersecurity operations, while multinationals will need a SOC not just in the U.S. but most likely in Europe and Asia as well.
A partner with virtual SOC capabilities, by contrast, can offer superior 24/7 security for a fraction of the total cost of ownership — due to economies of scale, reliance on cloud infrastructure and deployment of AI techniques to handle the heavy analytical lifting, while limiting human involvement only to the most critical cybersecurity management functions. For smaller companies in particular, partnering with an outside provider is probably the only way to obtain enterprise-level security without breaking the bank.
In order to get more comfortable with cyber-partnerships, IT security leaders are developing their own set of selection criteria. Some of the most critical differentiators they look for are:
- Full-Spectrum Expertise. We’re no longer in an era when one IT security expert can understand an organization’s entire risk profile and manage its mitigation efforts. The threats have become too multifaceted and the solutions too specialized. In addition to the right technologies, a partner needs a deep bench of human expertise to keep up with and help explain the complexities of the cybersecurity landscape, freeing the client to focus its internal resources on what it does best.
- ‘Hybrid Cloud’ Experience. Cloud-only cybersecurity solutions offer superior capabilities to on-premises hardware and software. But while many users assume that cloud adoption means life will be easier, in reality it often means the opposite. The primary challenge is that many companies have invested heavily in on-prem solutions, but these can’t realistically be transitioned to the cloud. As a consequence, a partner’s ability to design and manage hybrid cloud/on-prem architectures will be critical for the foreseeable future.
- Vendor Agnosticism. Many companies have discovered that they are ‘locked in’ to particular point solutions. This is dangerous in an industry that: 1) has fragmented into a bewildering assortment of sub-disciplines; and 2) is simultaneously undergoing a wave of consolidation that will result in a number of vendors going out of business or being absorbed into larger entities. The best cybersecurity partners will be independent of, but deeply familiar with, all the players. They thus can recommend the best integrated solution based on the user organization’s size, geographic scope, threat priorities, legacy systems and future needs — without favoring one vendor over another.
- Consulting Culture. Companies need help fleshing out their cybersecurity programs, filling in capability gaps, transitioning to the cloud, understanding new threats and much more. The ideal partner spends a lot of time fully understanding the strategic priorities and operational protocols of a company’s security team in order to craft the right solution the first time.
Not too many years ago, it was unthinkable to organizations that they would permit their operations and sensitive intellectual property to be placed in the cloud. Yet that’s exactly what happened. I would argue we are well past that inflection point when it comes to staffing cybersecurity operations. With plenty of evidence in hand about the growing cyber personnel shortage, alternatives should have already been put in place.
Fortunately, many organizations are now seeing that the best way to alleviate their current long-term staffing drought is to find a trusted partner that excels at leveraging cloud, AI and open-source technologies into integrated solutions that are optimized to mitigate the cybersecurity risks of today and tomorrow.
About the Author
Gary Fish is Founder and Chief Executive Officer of Kansas City-based Fishtech Group. Gary’s focus is to set strategy, assemble top talent, point the team in the right direction and let them do what they do best. Gary has over two decades of experience as an entrepreneur, technologist and CEO in the cybersecurity space. In his career he has bought and sold over a dozen companies and established himself as a thought leader in his space. Gary founded and built FishNet Security, the largest cybersecurity integrator in the world, and he also founded FireMon, the first software company focused on firewall policy orchestration. Gary graduated from DeVry University and was a proud member of the US Army National Guard.