We hear a lot about the global cyber security skills gap. Publications like Forbes point out that US businesses struggle to fill roughly 200,000 cyber security related positions every year, but what many of these articles fail to address effectively is how we’re going to get this army of defenders up to fighting strength.
Sure, there are courses to attend and certifications to achieve, but security is as much about experience and intuition as it is about knowledge and qualifications. The best security people I’ve worked with tend to have spent considerable time in other disciplines (usually networking / systems engineering) and in doing so have built up not only a wealth of specialist knowledge, but also a finely tuned nose for “unintended features”. To meet market demands, we’re going to have to take on massive numbers of newly skilled security analysts, and this presents us with an interesting set of problems.
New analysts often lack the breadth of knowledge to pivot through the various elements of a system the way an attacker would. A recent breach had me locking down Linux boxes for breakfast, dissecting packets over lunch and hunting unsanitized inputs in a language I’d never used before come dinner time. Security: "Full Stack" before it was cool on LinkedIn. Expecting the next generation of analysts to navigate complex systems the way a seasoned pro would is unreasonable, which brings me to my second issue.
“Education through Escalation” only really works if the number of experienced analysts is equal to or greater than the number of juniors. Much of what I know was learned by bothering people smarter and more experienced than me, which can be a great way to learn if your seniors have both the bandwidth and the patience to deal with the “FNG”’s questions. Currently, though, our industry demands that the number of juniors working their way up the ranks far outnumbers the number of seniors there to help them along. Often I’ll see senior team members defending with one hand, slapping down “escalation spam” with the other, and taking 10 minutes a week to talk strategy over tactics. To quote a client who was offered three new junior analysts: “I’m too busy to take on any help”.
So, how do we wrangle an industry that requires more than half of its workers to be new on the scene, a shortage of domain experts, and an old guard that’s already overworked?
Firstly, we need to minimize the need for subject matter expertise at the lower levels of an investigation. A junior analyst shouldn’t need detailed knowledge of multiple protocols or services to understand what’s going on, nor should they have to log into multiple devices to get the relevant information. Ideally we want to surface the relevant information in an easily understandable manner, giving analysts the context they need to do their investigation without getting bogged down in the esoteric details of command-line arguments or held up by restricted access to assets.
Secondly, we need to get better at sharing information throughout all layers of the SOC. At Gemini we call it “tribal knowledge”, but I think of it as “escalation management”. Sharing investigation information across all layers of the SOC in a manner that can be easily understood by any level of analyst provides powerful benefits. Senior analysts should be able to make investigations available for others to work through and learn from, junior analysts should have a standardized method of forwarding investigation progress upstream when escalating, and finally investigations should be available to all for post-event review.
We’re about to enter a period of unprecedented growth in our industry, and this growth will require us to adapt to the new reality of increased workloads and mixed levels of experience. Clever tooling and improved communications are going to become increasingly important in managing this new landscape.