The cybersecurity skills gap is one of the most daunting challenges facing the industry. We have a vibrant ecosystem of technology vendors developing shiny new tools, but the people who must use these tools to defend our sensitive networks are getting harder and harder to find.
What’s more, demand is continuing to increase at a much faster rate than supply. If you have tried to hire cybersecurity professionals recently, you are fully aware – security is a candidate’s market right now and the evidence indicates this trend will continue for some time.
So, what can information security leaders do? As the NIST Computer Security Incident Handling Guide plainly points out, effective incident response (IR) programs are a big undertaking that require substantial planning and resources. Teams need to be continually monitoring for attacks but also need to have clear procedures in place to help them prioritize which attacks are critical. Communication with other internal groups – such as human resources and the legal team – along with external groups is a huge factor.
In thinking about the skills gap that currently exists, implementing an effective IR program can seem like a daunting task. We all understand IR requires substantial planning and resource, however, it’s finding those resources that has become a struggle. In the current situation, the best way to maximize resources is to automate IR as much as possible to multiply the IR capacity of each human analyst.
When thinking about the bigger picture, information security leaders must aim to automate as much of the IR cycle as possible. However, this does not mean automation can replace humans. Cybersecurity analysts are highly skilled and valuable professionals, which is precisely why leaders should automate tasks that can be handled well by computers and free up the precious time and resources of human analysts to tackle the most difficult challenges.
Everyone involved in cybersecurity IR, at all levels, should constantly have one question in mind, “Can this be automated?” By the end of 2018, humans should only be spending their time doing work that absolutely must be done by a human analyst.
In addition, keep in mind that adversaries are already using automation to scale cyberattacks. If your enemies are using automatic weapons, you better be armed with more than a single-load musket. One of the most troubling consequences of the lack of IR automation is that not only are more instances of compromise occurring, but they are also taking cyber defenders much longer to detect and remediate.
The slower the IR, the worse the damage done. To make your teams more efficient and to maximize their skills, automate time intensive tasks that bog them down. There is no way we will be able to keep pace without maximizing the use of automation ourselves.
Admittedly, when looking at all the tasks that your teams handle, it can feel overwhelming to determine which ones to automate. Here are a few factors to consider that will help make implementing an automation process easier. First, think about data collection. If you look at a typical scenario and find that there are a set number of data collection tasks you run through on an incident, then you should be automating those functions. Tap your high value resources to develop the standard catalog of collection. In addition, constantly look for opportunities to streamline and simplify. Are you subscribing to threat feeds? Are you automating that threat intelligence into your IR process? These are simple tasks that, when automated, can be automated to free up team’s time to focus on larger incidents.
If you haven’t already started your incident response automation overhaul, now is the time to get it underway. The payoff will be well worth the effort.