Today's companies are having a hard time finding and retaining cybersecurity talent to keep up with the growing number of threats. A new report by McAfee surveyed hundreds of security professionals from different organizations, and found that many feel their departments are understaffed and underprepared to face new threats due to high turnover in the field.
According to the survey, cybersecurity professionals believe they will need an IT staff increase of about 24 percent to keep up. Organizations need their available personnel to proactively brace their networks for unknown cyber threats all the time, but they can often be bogged down with day-to-day tasks and maintenance.
To address the shortage of skilled cybersecurity professionals, the report offers up two solutions. One is a way to increase career interest and job satisfaction in the cybersecurity field, while the other is a way to make up the gap from the loss of personnel.
"With cybersecurity breaches being the norm for organizations, we have to create a workplace that empowers cybersecurity responders to do their best work," Grant Bourzikas, chief information security officer at McAfee, said in a statement. "Consider that nearly a quarter of respondents say that to do their job well, they need to increase their teams by a quarter, keeping our workforce engaged, educated and satisfied at work is critical to ensuring organizations do not increase complexity in the already high-stakes game against cybercrime."
From video games to real cyber threats
Experts suggest that the next generation of cybersecurity workers should come from the world of gamers. About 72 percent of cybersecurity managers say the generation of candidates who have been raised on playing video games are strong candidates for entering the field and a good way to curb the shortage. This is due to the common traits and mutual talents required in the field of cyber threat hunting which include logic, perseverance, an understanding of how to approach adversaries, as well as a fresh outlook and approach to cybersecurity. Experts say these kinds of traits go a long way and even make up for a lack of experience or training.
To drive interest for this group to enter the field, experts say many aspects of the job should be subject to gamification. By applying the same type of challenge and reward systems that are common in video games to a cybersecurity job, departments can find an increase in performance and job satisfaction. Departments can hold game-centric competitions such as hackathons, capture-the-flag and bug bounty programs. Playing games can increase awareness of threats, knowledge and teamwork to better prepare staff to identify and counter new threats.
Hackathons are fast-paced programming projects, usually with a team competition element, where competitors collaborate to solve a technical problem as fast as they can, according to a Rasmussen College blog. For cybersecurity purposes, the competition could be to see which team can find an efficient detection method for a new threat the fastest. Companies can disperse rewards to teams for their work. These types of competitions can be simulations to hone skills or to combat real, newly-surfacing threats.
Another example of gamification, utilized by data protection company Digital Guardian, is the use of game design elements such as point scoring, leaderboards and rewards for the top scorers.
Among McAfee respondents whose organizations use gamification techniques, more than half say they are satisfied with their positions. The reverse trend is also true: Most cybersecurity employees who are dissatisfied with their jobs work for organizations that don't run gamified events.
If companies are unable to fill the gap with new talent, another way to keep up and stay prepared for new threats is deploy new forms of automation to their security suite. Advanced machine learning in the cybersecurity field is allowing automated programs to handle routine and basic security protocols while human operators have more time to proactively identify and prepare for new threats. Machine learning and AI can better sort through the large volume of data and potential threats that organizations deal with daily. [Read related story: Machine Learning or Automation: What's the Difference?]
Most cybersecurity departments say they can put automation processes to work on identifying all locations of a threat, correcting and remediating threats, detecting threats across IT architecture and threat containment. Doing so would increase efficiency and allow staff to dedicate more of their resources to threat hunting. Tasks such as endpoint detection and response, behavior analysis and sandboxing potential threats and executing them can be automated, which lifts more burden from staff.
Once human experts identify and successfully deal with a new threat, those same processes can be recognized through machine learning and automated. The machine can handle those same threats even more efficiently since it can detect and respond to those threats faster than a human can identify them.