“We’ll Never Make It!” – The Fear Complex in IT Security Today
For no malicious reasons, we’re hearing this type of doom-and-gloom forecast in the security industry today. We are suffering from the worst-ever, out-of-control data breaches, in which targeted attackers are penetrating some of the world’s largest organizations at will and are apparently able to operate with unfettered access for months without notice. The industry is starting to take a hard look at itself in the proverbial mirror and to recognize certain flawed assumptions in prior models, along with new emphases and objectives.
One of the new recognitions that I’ve seen recently is the mammoth shortage of trained security professionals available to secure our networks in light of these growing data breaches. A detailed recent survey completed by Frost & Sullivan, (ISC)2, and Booz Allen Hamilton captured these shortages quantitatively.
“A perfect storm is enveloping the information security workforce with the resulting wake being a widening gap between the number of security professionals needed and the actual number available to be hired,” the report stated. (The 2015 (ISC)2 Global Information Security Workforce Study, April 16, 2015) The report included a survey of over 14,000 security professionals, and more than 62% of them responded that they had “too few” security professionals on staff. The report went on further to predict an outrageous shortfall of 1.5 million IT security professionals by…2019! The report also identified that the job title in highest demand is “Security Analyst,” and that the specific targeted skills needed are: 1) Risk Assessment, and 2) Incident Investigation and Response.
And these Security Analysts’ tasks are prone to inefficiency when using legacy log-based and SIEM-based systems. According to the ninth SANS Log Management Survey, 80% of those surveyed acknowledged that using current methods of log analysis to accurately detect suspicious behavior indicative of a breach is “difficult” to “moderately difficult.” So, not only do we need to hire boatloads of newly trained security professionals, but the work that they do is highly inefficient given the available tools.
There is no doubt that if the industry continues conducting security analysis with these same log-based and SIEM-based tools that have been used over the last decade, we will certainly have to integrate massive numbers of new security professionals to meet the growing breach detection gap that has hit our industry. But has anyone done the rough analysis to understand the potential financial and budget implications of this forecast? Let’s take a minute to do some basic math. Try these numbers on for size:
- 1.5M Security Analysts at $100,000/year = $150,000,000,000 (yes, $150B!)
That compares to…
- Global IT Security spending (all Products & Services) ~ $70,000,000,000 (yes, that’s only $70B)
Um…Houston, we’ve got a problem. So, the question is how can we ever scale up to meet the challenge of sufficient security analysis? Clearly, we cannot hire our way out of this problem. The answer is that we must automate the security analysis, breach detection and incident investigation functions much the same way that we’ve automated other technical functions in our lives and workplace. We need tools that offload the manual triage, investigation and research functions that only happen today in the most well-funded organizations that can afford a fully functional security operations center (SOC) with dozens of security analysts.
Glum was right: we’ll never make it if we don’t change the way that we think about security analytics. If you’re an optimist who believes in technology innovation, check out the latest that companies are using to find active, post-intrusion data breaches… For those of you naysayers, Glums, and negative Nellies, you will never make it!