FireEye’s Gareth Maclachlan on the Merits of Near-Term, Long-Term Solutions

Mitigating the Security Skills Crisis

Aug 08, 2020



Security leaders for a decade now have been discussing the profession’s growing skills gap. But what is its true business impact, and what are some near-term and long-term strategies to mitigate it? FireEye’s Gareth Maclachlan shares insight.

Maclachlan, vice president of product strategy, managed security services and intel at FireEye, says the skills crisis has evolved from strictly an HR discussion to one that now involves true business impact.

In an interview with Tom Field of Information Security Media Group, Maclachlan discusses:

• The business impact of the crisis;
• Near-term and long-term solution strategies;
• The value of managed security services as an option.

Security Skills Crisis

TOM FIELD: So, Gareth, we’re well aware of the long-term security skills crisis. It’s something we’ve been talking about in various stages for a decade now, but I want to ask you about the impact. How bad is the crisis today in terms of, one, the impact on the business?

GARETH MACLACHLAN: Well, you’re right, Tom, that we’ve been talking about this for some time. But it’s in the last 12 months or so that we’ve really started to see it come to a head for most organizations. As many as more than half of the organizations out there now say that there’s a problematic shortage of cybersecurity for them, and that’s grown from around about one in 10 organizations four years ago. So it’s really starting to bite for CISOs and CIOs that we talk to.

And if you think about what that means for a business, well, we know that security investment really always lags threat. The cost of cyber risk has shot up over the last few years. Gartner says it’s gone up by about fourfold, and organizations are always playing catch-up trying to work out how much money that they should put to work in order to mitigate the risk that’s there.

As a security professional, if you’re trying to run a team, if you’re trying to keep your business protected, you’re having to work through questions such as: “How do I actually identify and understand that risk? And how do I decide how big to make my team in order to solve it?” And if you’re taking that mindset, if you’re thinking about how to solve things using an internal team, actually what you’re doing is making your business exposed to your HR policies. How quickly can you actually recruit and retain the people we need for your team?

So we’re seeing this real challenge. Something which should be a function which you should be able to decide each year how much exposure you have, and what you can put in place in terms of technology to solve it, has now pivoted to, “Can I actually get and keep the right people to keep my business safe?”

Gareth Maclachlan

Maclachlan is vice president of product strategy, managed security services and intel at FireEye. He previously worked on developing the firm’s cloud product strategy. Before joining FireEye, he founded and was COO of a global telco security company covering 1.8 billion subscribers and customers, including AT&T, Sprint, Vodafone, BT, MTN and Bharti Airtel. He also worked within UK intelligence agencies, developed business strategy and consulting across multiple sectors and was a venture capitalist and nonexecutive director for several start-ups.


The Impact

FIELD: So Gareth, that’s the impact on the business. What toll do you see being exacted from the existing security professionals within organizations? They’re being taxed.

MACLACHLAN: They are, but it’s also a bit of a double-edged sword for many organizations. Because at one level, if you can’t get the people in to help build your team, then the employees that you have usually end up having to firefight. They end up having to try and do the work of two or three people, which means they only focus on the tier one activities. They haven’t necessarily got the freedom to look a little bit more strategically at the security problem. They haven’t necessarily got the time and the resources to actually build out and maintain their skills. They can’t move into more of a tier two or tier three set of capabilities, doing things like hunting, proactively looking for attackers within the environment. So you’re losing on one end as a business, because the guys are really having to paddle frantically just to try to come to grips with the alerts that are happening on a daily basis and aren’t thinking across the issue as a whole.

But on the other side, as a professional, you’re also sitting there going, “When I’m in this situation where demand outstrips supply so significantly, am I even in the right place? Could I actually earn a little bit more if I move on?”

And so we’re starting to see the churn in security professionals grow exponentially. People are now starting to move on far more frequently than they did before. They’ll look for that opportunity to find the next role at a higher salary. So a business is not only struggling to bring people in but struggling to hold on to people. And even the cost of keeping the team that you have is going up.

The gap between the number of cybersecurity professionals available and the demand globally is projected to hit three and a half million within the next three years. Now, three and a half million is a ridiculous number. We went and looked at this. There are 400,000 computer science graduates coming out of the U.S., India and Europe every year. So even if you took all of them and turned them into a cybersecurity professional, all you would do is stop the problem from getting worse. There’s no way that we’ll actually ever be able to get enough trained cybersecurity professionals to fill the gap that we’ve already got for ourselves.

The CISO’s Role

FIELD: Gareth, I’ve heard you say elsewhere that the CISO’s job is actually at risk. Can you explain that, please?

MACLACHLAN: It’s an interesting one to talk through when we want to sit down with some of our customers. We’ve grown up in an industry where we’ve assumed that the way that we should keep our businesses safe is to be able to go to the CIO, go to our executive team and say, “I need to increase my team. I need to have another four or five people this year. I want to build out a 24/7 capability. I need to be able to add some malware reverse engineers or instant responders or build an intel team.” You’re actually really exposed as a CISO if you make that case, and the organization gives you budget, because you’ve effectively now said that, “If I can get these people on board, and once I’ve been given the budget to do so, then the business should be safe.”

So if I then struggle as a CISO to hire people, to actually fill those slots that I’ve now had created; if I struggle to keep the people; if I lose someone and I can’t replace them quickly enough; or even worse, if I said that I think I need this mix of skills, and I actually find it was a different mix – in all of those cases, the business risk, the exposure, now falls on my shoulders as a CISO. I’ve told the business I should be able to keep them, and I failed to put the team in place.


So there is that concern that a CISO has to think through, of, “If I ask, and I get, am I actually taking on some of that risk personally? Are there smarter routes that I can take, which help me defer some of that risk and actually remove the recruitment and retention policies from being a critical part of our cybersecurity profile?”

Force Multipliers

FIELD: Gareth, let’s talk about this problem from a couple of different angles. And the first I want to ask you about is: What do you see organizations doing long term to address the crisis?

MACLACHLAN: Going back to the point that we are never going to be able to catch up with the gap that we already have, all we can hope for, at best – if we focus on doing things the same way as we do today – is to stop it from getting any worse. So much of the focus long term is going to be around bringing force multipliers in for the existing teams. How do we actually get better at doing more, whether that’s more intelligently, faster, more efficiently with the teams that we’ve currently got, rather than always trying to build out the teams and aim to have a 24/7 capability?

So the sorts of technologies that are coming to market which help with that are things around security operations automation. How do you actually start to take the benefit and knowledge from experts and make that available to every organization? That’s one of the things we’re doing on FireEye with Helix, for example. It’s just trying to make sure that it is as quick and easy for a security team to know what to focus on and to take it through from alert to fix in as fast a time as possible.

The second area is also making sure that we pivot as an industry from throwing money at putting more tech in place to actually being intel-led in our security investments. Now, I’ve often said, “The last thing the security industry needs is yet another alert,” but that’s what we’ve built over the last 20 years as the industry focused on just creating more alerts.

Intel-led security investment is actually trying to say, “How do I find out and work out what is the most effective next investment to actually drive down risk?” And the Verodin acquisition that we’ve done recently at FireEye is a move into that space. How do you help understand really what the gaps are and continually test to identify: If I make this change, am I actually going to reduce the risk for myself as a business and make it more effective for my security operations teams to work?

So I see those things as being the routes that we will take as an industry over the next two to five years to start to address this security gap, but it still leaves customers and organizations exposed in that near term.

Near-Term Solutions

FIELD: That’s the flip side of the question. What are some of the near-term solutions you’re seeing employed?

MACLACHLAN: The key one whenever you have this sort of resource gap in any industry is to look at outsourcing first of all. How do you actually start to take advantage of organizations that can provide you a different way of getting access to the skills and the expertise that you need? How do you put that in place so that it is as flexible as you would like and, in many cases, something where you can dial up and dial down as you need?

Now, the traditional routes for outsourcing in the industry, effectively outsourcing your tier one SOC operations to an MSSP, don’t really fit that flexibility. They don’t necessarily reduce the impact upon your organization. Most organizations I know who use an MSSP still then have to have their own in-house team to go and do the follow-on investigation and remediation work for that particular MSSP.

So what we’re going to see is the emergence of a different type of flexible outsourcing. That was one of the insights we had, which led FireEye to the creation of Expertise on Demand as a way to say to an organization, “You could never tell at the start of a year what sorts of skill sets you might need. You don’t know whether you’re going to be hit with something, which means you now need to be able to put investigation or instant response teams in place, or whether you are going to need to have access to malware reverse engineering skills. Or maybe there’s going to be something which requires you to build out and think about your hunting capability, and you want to pull an intel analyst in.

It’s difficult to predict, so why try? Why not go for a flexible model, which allows you to get access to the range of skill sets that you need when you need them without having to try and staff for all of those within your own team?”

It starts to take us to the application of the gig economy type model to cybersecurity. One of the directions that we’re taking things within FireEye is to also recognize that many of the professionals out there could actually build quite successful careers for themselves operating across multiple customers. Why take a role as an employee tied to one particular organization if you are a malware reverse engineer or if you’ve been tracking and investigating and researching the TTPs of a particular group? Why not make your expertise available across multiple customers?

So bringing some of those types of capabilities to the market is a route that we’re taking, and I’m sure other organizations will follow.

FireEye’s Role

FIELD: Well, Gareth, my final question is about FireEye. Tell me a little bit more. What are you doing to help organizations to address these security skills crisis challenges we’ve talked about here today?

MACLACHLAN: As I’ve mentioned a couple times, Expertise on Demand was our first play into helping solve the near term issues. Some of the technologies we’re bringing to market around Helix, Enterprise and Verodin are solving for some of the longer-term issues. But let me talk a little bit more about Expertise on Demand itself.

We took the view from talking to many of our customers that we had a huge range of resources within FireEye, but we weren’t necessarily making those available to customers in an effective way. … In a traditional security consulting company, an organization would have to know what they wanted to achieve and actually engage with a sizeable project to get people on board. But most of our customers want something which was more akin to an insurance policy. Instead of hiring four or five people, they want to be able to take some of that budget and put it on retainer with us to be able to call down and use whatever resources we had.

With Expertise on Demand, what we’re aiming for is to feel like the security analyst sitting in the virtual cube next door. So we become baked in as part of a customer’s security operations. Our customers use our Expertise on Demand model to be able to reach out to us on a daily basis. If they’ve got a question about a particular domain they’ve just seen, or a piece of malware, or they’re not sure whether or how to investigate a particular technique that they’ve just seen, they can reach out to us and we’ll help on that particular problem.

So it really changes the current outsourcing consulting model on its head, and we’ve seen that find a lot of favor with customers. It’s been in the market for about four months, and we’ve already got substantial take-up from our existing customers.


902 Carnegie Center • Princeton, NJ • 08540 • www.ismg.io

About ISMG

Information Security Media Group (ISMG) is the world’s largest media organization devoted solely to information security and risk management. Each of our 28 media properties provides education, research and news that is specifically tailored to key vertical sectors including banking, healthcare and the public sector; geographies from North America to Southeast Asia; and topics such as data breach prevention, cyber risk assessment and fraud. Our annual global Summit series connects senior security professionals with industry thought leaders to find actionable solutions for pressing cybersecurity challenges.

Contact

(800) 944-0401
