Arguably the biggest challenge facing the cyber security industry today is the shortage of skilled professionals. The worldwide skills gap is much reported and debated, with many organisations feeling the strain of too few viable candidates to fill their vacant positions, in a field that is expanding significantly as organisations rightly begin to take cyber security seriously. The numbers vary across sources, but most estimate the number of unfilled cyber security positions today in the millions worldwide.
However, the root of the problem is not the availability of incoming candidates, but the ability to retain skilled and experienced employees. More colleges and universities than ever are offering cyber security courses, and online learning programmes continue to make cyber security fundamentals more accessible than ever – a far cry from how many older professionals today first cut their teeth in the industry. But ultimately, no certification or e-learning is a substitute for hands-on experience. Whilst there are more people attempting to enter the industry than ever, specialist disciplines and mid-level positions continue to pose a challenge in terms of recruitment and retention.
It can take anything from six months to a year for a new cyber security analyst to become fully proficient, whilst the typical tenure of a security practitioner in a conventional operating model is around 2 years – leaving only a narrow window in which the employee can add real value to the company.
The data tells us that skilled and experienced professionals are leaving the industry due to burnout and disillusionment. In the UK, the cyber security workforce reportedly shrank by 65,000 last year, and according to a study from earlier this year, 1 in 3 current cyber security professionals are planning to change professions. According to ISACA’s State of Cybersecurity 2022 report, published in March, the top reasons for cyber security professionals leaving their jobs included being recruited by other companies (59%), poor financial incentives in terms of salary or bonus (48%), limited promotion and development opportunities (47%), high levels of work-related stress (45%), and lack of management support (34%).
When discussing the skills shortage, many by default think of businesses struggling to recruit for their internal cyber security vacancies. But this is equally challenging for specialist providers of consulting and managed cyber security services. Businesses are increasingly reliant on third-party managed services, particularly mid-size organisations where outsourcing to a Managed Security Service Provider (MSSP) represents a much more commercially viable solution with considerably less up-front investment.
The global managed security services market size was valued at $22 billion in 2020, and is projected to reach $77 billion by 2030, growing at a CAGR of 14% from 2021 to 2030 – a sizeable chunk of the projected total cyber security market size of $376 billion.
For many MSSPs, resource scarcity is driving up the cost of employment, which in turn contributes to an unhealthy working environment characterised by excessive workloads and long, unsociable working hours.
There are a number of factors driving an unhealthy working environment. Arguably the most impactful is the unsustainability of many MSSP operating models, which remain heavily reliant on the manual analysis of vast numbers of security events and alerts. Aggressive customer acquisition and business growth strategies, coupled with a model that is not inherently scalable and the need to remain price competitive, naturally mean that these organisations must extract more from their employees to maintain profitability. In a typical large-scale MSSP, the ratio of analysts to clients simply does not support the delivery of a high quality service.
Many monitoring solutions of different types – e.g. SIEM, SOC, SOAR, XDR – rely heavily on automation to scale beyond the limits of a human-driven model. However, product-centric ‘silver bullet’ solutions are increasingly being found out in the wake of rising incident numbers related to ransomware operator activity, raising awareness amongst the buyers of security solutions that they aren’t getting the level of service and protection that they thought they were paying for.
Designing a sustainable service model
We want to ensure that our services, and the systems that support them, are sustainable and durable. This means creating a mode of operation which delivers real security advantages without burdening analysts with excessive workload. We believe that achieving this will result in JUMPSEC being an attractive destination for skilled professionals, creating a model that is capable of beating the trend of analyst burnout.
We’ve established seven key principles for our service which set out how we aim to address and overcome the key challenges facing both buyers and providers of services in the cyber security industry today.
P1: Augment people with technology
As explored earlier, both human- and product-centric offerings have significant limitations which are contributing to falling service standards and unsustainable operating practices.
The most effective models today retain intelligent human operators at the heart of the service. But failing to take advantage of the multitude of technologies available today will see traditional offshoring providers continue to lag behind. Utilising intelligent automation and the advanced capabilities provided by technology is key to streamlining ‘mandraulic’ effort and focusing time and resource in the areas which matter most. However, this approach is only possible if you…
P2: Be pragmatic and detect what matters
As we explored in a recent article, the industry has an unhealthy obsession with ‘100% detection’ which is a symptom of failing to understand what an effective cyber defence looks like.
In reality, it is impossible to achieve 100% prevention or detection. Stretching resources too thinly by expecting analysts to process the excessive numbers of alerts required for the illusion of 100% detection will only make them less effective by encouraging the wrong behaviours. Instead, organisations should focus on building a strong baseline of defensive controls, with a suite of detections appropriate for the environment. This should include both relevant detections for commonly used TTPs, as well as more contextually tailored detections that are tuned to the specific ways an attacker is likely to traverse the environment (see our article on Attack Paths for more information). The worst way to find a needle in a haystack is to make the haystack bigger.
P3: Respond on the front foot
Detection means nothing without the ability to do something about it – but response remains a glaring capability gap for many organisations and service providers.
Managing and responding to real-world cyber-attacks has given us first-hand experience of how unprepared organisations fail to effectively manage security incidents. From poor decision making under pressure and ineffective communications channels, to gaps in visibility and data retention, to untested backup, recovery, and redundancy procedures, most organisations are simply not set up to respond effectively.
This issue is exacerbated by the fact that most typical MSSPs prioritise detection over response. The containment and eradication of threats is not always included in the service offering and is often handed back to the client, or to a third-party. Where response is included, it is often slow moving, hampered by the absence of joint operating procedures and poorly clarified roles and responsibilities (as well as the more general issue of under-resourcing). In any case, this is not a gap that can be adequately filled by a third-party, and there is no substitute for a robust playbook and well-drilled internal team when responding to an incident. This is one of the reasons why we…
P4: Avoid dependency to enable progress
One of the biggest misconceptions in cyber security is that if you outsource to the right provider or buy the right ‘silver bullet’ product, the problem goes away.
An MSSP is only as effective as the security baseline of the organisations it works with. The second principle we discussed stresses the importance of a pragmatic and realistic approach to threat detection. If the client has a porous network that is riddled with vulnerabilities and misconfigurations, this becomes significantly harder, even impossible. An MSSP that is willing to accept the risk of defending a fundamentally insecure organisation whilst maintaining standard SLAs is not acting with the best interests of its clients or employees at heart.
It is important to us that we help our clients to better themselves and leave them in a more secure position than when we began working with them, raising awareness and appreciation of the importance of effective cyber security across the organisation. Without this, it’s very difficult for any MSSP to succeed.
P5: Be visible and transparent
When responding to incidents on behalf of our clients, we frequently encounter situations where the client has noticed signs of malicious activity before being notified by their MSSP. Sometimes, the MSSP fails to find evidence of malice at all (despite, in some cases, quite obvious indicators of an ongoing ransomware attack).
The underlying problem here is that the communication and visibility offered by many MSSPs is poor. This creates a false sense of security and the notion that ‘no news is good news’, which in turn allows gaps in detection to go unnoticed until compromise occurs.
It’s important to us that our clients have confidence and evidence that our solution is as effective as we say it is. This means continuously testing and validating that our defences remain effective – in light of both emerging attacker TTPs, and network changes that might interfere with the configuration of detections.
JUMPSEC is well-positioned to continuously validate that our defences are functioning as intended, thanks to the mix of offensive and defensive disciplines that our consultants specialise in. This symbiotic relationship means that our defences can be continuously updated to reflect the latest attacker TTPs, and our offences can be continuously improved to find ways of circumventing those controls – enabling defences to be shored up before bypasses emerge in the wild.
P6: Be flexible and adaptive
Most organisations in 2022 have made prior investments into security tooling, products, and services. Equally, no two organisations will have the same digital infrastructure and operations. Despite this, most MSSPs look to use a standard deployment approach and technology stack – even when investments already made by the client may deliver the same advantages if used correctly.
We aren’t wedded to a specific technology stack and will always consider what already exists on the client network before making decisions around the nature of the deployment. Most organisations fail to extract maximum value from their products and services. Harnessing them as part of the service will ensure they can be used to their full potential, avoiding the need to duplicate historical investment.
P7: Embed continuous improvement
In addition to encouraging development and progress for our clients, we want to achieve the same for ourselves. The ISACA 2022 report mentioned earlier cited limited progression opportunities and a lack of support as some of the key factors driving analyst dissatisfaction. We believe that the best way to offer opportunities for development is to continuously innovate – finding more efficient ways of doing core tasks to be able to spend more time working on more progressive initiatives.
By committing to continuously ‘making ourselves obsolete’, we can unlock more exciting and stimulating opportunities working alongside our clients. This means searching for incremental improvements, however small they appear, without waiting for major transformations or upgrades – as the many increments add up. As our clients progress, we progress too.
The skills shortage is not something that can be solved by simply bringing more people into the industry. We have to work smarter and treat current industry professionals better by creating more sustainable systems that will maximise their performance and beat the trend of analyst burnout plaguing the industry today.
Head of Enablement
As Head of Enablement at JUMPSEC, Dan is responsible for shaping the solutions that JUMPSEC offer, working with our clients to deliver the outcomes they need.
Head of Defensive Security
As Head of Defensive Security at JUMPSEC, Matt is responsible for shaping and leading the defensive operations team for JUMPSEC.