A lot has been said and written about the security talent shortage. A report by Cisco pegged the number of unfilled cybersecurity jobs in 2019 at 1.5 million. A more recent report by Cybersecurity Ventures estimates 3.5 unfilled positions by 2021. Wherever the truth may lie, one thing is clear – the industry is not producing cybersecurity professionals fast enough to meet current and future demand, so no one expects the security talent landscape to improve anytime soon.
CISOs and security teams have been doing their best to find creative solutions to this problem. For example, many have hired IT professionals and set up training programs to give them cybersecurity skills. This stopgap approach provides some relief, but it is no silver bullet. Furthermore, security leaders will tell you the greatest challenge lies in hiring experienced security professionals, and those can’t be created overnight. (Last I checked, a security professional with 10 years of experience takes about… well… 10 years to make.)
Nowhere is the skills shortage more prevalent than inside the SOC, where the growth in the volume of alerts requiring action far outpaces an organization’s ability to hire skilled analysts (AKA “Alert Fatigue”). It comes as little surprise, therefore, that Security Orchestration, Automation and Response (SOAR) is gaining traction at such breakneck speed. (A recent report by Gartner predicts 15x growth in adoption over the next 3 years.) At its core, SOAR is about increasing the efficiency of existing SOC analysts and helping security teams get more work done. Organizations that have embarked on the Security Orchestration journey have realized additional benefits that help them do more with less.
Here are some trivial and less trivial ways that SOAR tools help security teams deal with the talent shortage:
- Orchestration of disparate tools – when you break down the work of your typical SOC analyst, a lot of time is dedicated to “swivel chair integration” such as copying and pasting results from one tool into another or switching between screens and tools. Security orchestration does more than integrate disparate tools in a single pane of glass (which of course saves precious time): it also eliminates much of the specialization required to run each security tool independently.
- Automated playbooks – Scalable and repeatable processes for incident response and triage are vital to analyst productivity. Security orchestration lets teams automate the repetitive and manual tasks that are carried out in response to common IOCs.
- Tribal knowledge capture – What’s worse than trying to hire a new analyst? Having your most experienced analyst leave, along with the wealth of knowledge he or she has accumulated over the years. Security orchestration’s playbooks put the wisdom of your most experienced analysts in the hands of everyone.
- Faster analyst ramp-up – with a structured workbench for the SOC analyst, new hires can execute playbooks practically on day one, with step-by-step guidance on how to proceed with an investigation and clear escalation paths.
- Self-documentation – “I love documenting security incidents” said no one ever. Security Orchestration’s built-in collaboration and case management allow security analysts to spend more time investigating and less time creating documentation and generating reports.
- Bottleneck identification – The best security orchestration platforms include powerful BI and reporting that let SOC managers identify bottlenecks and take action to remediate them, further increasing analyst productivity.
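To make the playbook, escalation-path, self-documentation and bottleneck points above concrete, here is a small triage playbook runner in Python. It is an added illustration written for this article, not code from any SOAR vendor or product: the threat-intel table, asset inventory, escalation queues, alert samples and every function name (`enrich`, `decide`, `run_playbook`, `queue_depths`) are constructed assumptions. It enriches each alert’s IOC, applies a decision table that encodes what an experienced analyst would do, appends every step to a timestamped case timeline, and reports how many open cases are waiting on each escalation queue.

```python
"""Toy SOAR-style playbook runner (added illustration, not vendor code).

All names and sample data below are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed threat-intel lookup: IOC value -> verdict. Addresses come from
# the RFC 5737 documentation ranges; the domain is a reserved example name.
THREAT_INTEL: Dict[str, str] = {
    "198.51.100.23": "malicious",
    "203.0.113.9": "suspicious",
    "example.com": "benign",
}

# Constructed asset inventory: hostname -> criticality tier.
ASSETS: Dict[str, str] = {"fin-db-01": "crown_jewel", "ws-0422": "standard"}

# Escalation paths live in the playbook, so a new hire does not have to know them.
ESCALATION: Dict[str, str] = {
    "isolate_and_escalate": "tier2-ir",
    "escalate_for_review": "tier1-lead",
}


@dataclass
class Alert:
    alert_id: str
    ioc: str
    asset: str
    raised_at: datetime


@dataclass
class CaseRecord:
    """Self-documenting case: every playbook step is appended with a timestamp."""
    alert_id: str
    verdict: str = "unknown"
    action: str = "pending"
    escalated_to: Optional[str] = None
    timeline: List[Tuple[datetime, str]] = field(default_factory=list)

    def log(self, when: datetime, note: str) -> None:
        self.timeline.append((when, note))


def enrich(ioc: str, intel: Dict[str, str] = THREAT_INTEL) -> str:
    """Step 1: enrichment. An IOC missing from intel is 'unknown', never 'benign'."""
    return intel.get(ioc, "unknown")


def decide(verdict: str, criticality: str) -> str:
    """Step 2: the decision table (captured tribal knowledge)."""
    if verdict == "malicious":
        return "isolate_and_escalate"
    if verdict == "suspicious":
        return "escalate_for_review"
    if verdict == "unknown":
        # Unknowns on critical assets get a human; elsewhere they are watched.
        return "escalate_for_review" if criticality == "crown_jewel" else "watchlist"
    return "auto_close"


def run_playbook(alert: Alert, now: datetime) -> CaseRecord:
    """Run the triage playbook for one alert and return its case record."""
    case = CaseRecord(alert_id=alert.alert_id)
    case.log(alert.raised_at, f"alert received for {alert.asset}: ioc={alert.ioc}")
    case.verdict = enrich(alert.ioc)
    case.log(now, f"enrichment verdict: {case.verdict}")
    criticality = ASSETS.get(alert.asset, "standard")
    case.action = decide(case.verdict, criticality)
    case.log(now, f"decision: {case.action} (asset criticality {criticality})")
    case.escalated_to = ESCALATION.get(case.action)  # None when no human is needed
    if case.escalated_to:
        case.log(now, f"escalated to {case.escalated_to}")
    else:
        case.log(now, f"no escalation; action '{case.action}' recorded")
    return case


def triage_batch(alerts: List[Alert], now: datetime) -> List[CaseRecord]:
    return [run_playbook(a, now) for a in alerts]


def queue_depths(cases: List[CaseRecord]) -> Dict[str, int]:
    """Bottleneck view: open cases waiting on each escalation queue."""
    depths: Dict[str, int] = {}
    for case in cases:
        if case.escalated_to:
            depths[case.escalated_to] = depths.get(case.escalated_to, 0) + 1
    return depths


# Constructed sample alerts.
_T0 = datetime(2020, 1, 6, 9, 0, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    Alert("A-1", "198.51.100.23", "ws-0422", _T0),
    Alert("A-2", "example.com", "ws-0422", _T0),
    Alert("A-3", "203.0.113.9", "fin-db-01", _T0),
    Alert("A-4", "192.0.2.55", "fin-db-01", _T0),  # not in intel -> unknown
]

if __name__ == "__main__":
    cases = triage_batch(SAMPLE_ALERTS, datetime.now(timezone.utc))
    for case in cases:
        print(case.alert_id, case.verdict, case.action, case.escalated_to)
        for when, note in case.timeline:
            print("   ", when.isoformat(), note)
    print("queue depths:", queue_depths(cases))
```

Of the four sample alerts, one is contained and handed to tier-2, two land in the tier-1 lead’s review queue, and the benign one is closed with a full timeline and no analyst time spent. The `queue_depths` output is the simplest form of the bottleneck reporting the article mentions: a queue whose depth keeps growing is where the next hire or the next automation step belongs.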
There is no single silver bullet for the cybersecurity talent shortage, but when you can’t just “throw bodies at the problem”, organizations need to jump at every opportunity to automate repetitive tasks and make their existing, scarce security teams more productive.