Could Working From Home Help Close The Cybersecurity Skills Gap?

Cody Cornell is Co-Founder and CEO of Swimlane, an independent leader in security orchestration, automation and response (SOAR).

Most people work from 8 a.m. to 5 p.m., Monday through Friday. Security operations (SecOps) teams, however, are required to maintain 24/7/365 business continuity, which includes the dreaded night shift. At the end of each shift, the SecOps handoff usually consists of throwing a spreadsheet on the board in a conference room to discuss open incidents, passing the baton — rinse and repeat.

When I worked in a security operations center (SOC), we had a plan to maintain this critical continuity of service no matter what might happen. If one location was hit by a hurricane, we had contingency plans to travel to a new “warm site” where workstations and connectivity were waiting for us. However, none of our disaster preparedness plans accounted for the possibility that no one could go to the office anywhere, we couldn’t travel and the only option was total remote work.

Then, seemingly overnight, we all had to figure out how to “go remote.” Organizations that depended on the physical handoff at on-premises SOCs had to figure out how to keep their continuity of service going while also maintaining their own network security with all of their employees working from home networks. Now, even though states are trying to figure out how to reopen and get back to normal, it doesn’t appear the new normal of remote work is going away anytime soon. Many agree it is still the safest option for those who are able to do it, and this could be good news for your SOC.

The cybersecurity industry faces a dire skills shortage that we have been lamenting for some time. A recent Cybersecurity Workforce Study conducted by (ISC)2 reports a shortage of 2.8 million cybersecurity professionals around the world, with about 500,000 in the U.S. alone. The study also claims the cyber workforce needs to grow by 145% globally and by 62% in the U.S. if the industry hopes to keep up with demand.

This vast skills gap is concerning for a number of reasons. For one, bad actors are becoming increasingly sophisticated, and the attack surface that organizations are responsible for managing keeps expanding (look at the recent Meow attacks as an example). Security analysts who are responsible for protecting their organizations from these entities are overworked, understaffed and at an increased risk of burnout, which increases their organization’s vulnerability to security incidents or even breaches.

I have been known to say a combination of cross-industry collaboration and automation can help solve this problem. Perhaps a remote workforce can help as well.

Automating Our Way To A Remote SOC

Let’s revisit the SOC team 24/7/365 staffing schedule. What if there was no night shift? What if you were able to staff your organization in time zones across the world, ensuring you always had analysts working a typical 8-5 schedule while still maintaining continuity of service?

When we talk about the cybersecurity talent shortage, we’re often talking about a shortage of talent in key metropolitan areas where the demand is very high, such as Washington D.C., Boston, the Bay Area, etc. What about Bozeman, Montana? There’s likely someone living there who would be an asset to your SOC team. No longer being restricted by geography could help you solve a bevy of hiring problems, including skills, talent and time zone coverage.

Of course, this new way of working is not without its challenges. I have learned how much I used to depend on being able to walk around the office and ask how things were going, but you can’t do that over Zoom. So, you must figure out how to collaborate and track project progress in a consistent, repeatable way with a single source of truth. Is there a specific platform or project management system your team can work from? Of course. You just need to find one that suits your team’s unique needs.

Let’s revisit the on-premises SOC. When two analysts are sitting next to each other, they know that when one gets up, the other has to keep an eye on things. In a remote SOC, analysts aren’t sitting side by side and may not know if someone isn’t looking at their screen. Even a brief moment when no one is paying attention could be a critical moment of vulnerability for the organization. Enter automation.

Security automation solutions are known for receiving an alert and completing the first steps of an organization’s incident response plan (IRP) no matter what. If the first five steps get done and, two minutes later, no one has acted on the result, there are other systems in place that can bring that to the SOC’s attention. There’s a backstop.

Achieving this backstop is not too difficult. Here’s an example of how your organization could do it:

• Review your IRP.

• Ensure escalation procedures exist for unattended investigations and incidents with clear metrics, timelines and responsibilities.

• Prioritize events and alerts based on inactivity/age and criticality.

• Set up alerts for management when target remediation times are missed.

As you get more advanced with your automation solution, you can:

• Provide leadership with bulk metrics on detection, activity and resolution times automatically.

• Add individual context to investigations (analyst notes, event metadata, actions taken, etc.).
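As an added example, not Swimlane’s or the article’s own code, here is a small Python sketch of the backstop the steps above describe: open alerts are ranked by criticality and inactivity, and anything nobody owns or that has passed its target remediation time is flagged for management. The target times, weights, field names and the alert queue itself are assumptions and constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Target remediation minutes and ranking weight per criticality (assumed values, not from the article).
TARGET_MINUTES = {"critical": 15, "high": 60, "medium": 240, "low": 1440}
WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
NOW = datetime(2020, 8, 1, 9, 0)  # fixed "current time" so the constructed sample is reproducible

@dataclass
class Alert:
    alert_id: str
    criticality: str                  # key of TARGET_MINUTES
    created: datetime
    last_touched: datetime            # last analyst note or action on the case
    owner: Optional[str] = None       # None: nobody has picked it up
    resolved: Optional[datetime] = None

def minutes_between(start, end):
    return (end - start).total_seconds() / 60

def priority(alert, now):
    # Criticality weight scaled by idle time relative to target, so a neglected alert outranks a fresher peer.
    idle = minutes_between(alert.last_touched, now)
    return WEIGHT[alert.criticality] * (1 + idle / TARGET_MINUTES[alert.criticality])

def triage_queue(alerts, now):
    """Ids of open alerts, most neglected first, for whoever is on shift."""
    open_alerts = [a for a in alerts if a.resolved is None]
    return [a.alert_id for a in sorted(open_alerts, key=lambda a: priority(a, now), reverse=True)]

def escalations(alerts, now):
    """The backstop: open alerts nobody owns, or older than their target, are reported to management."""
    flagged = []
    for a in (a for a in alerts if a.resolved is None):
        if a.owner is None:
            flagged.append((a.alert_id, "unassigned"))
        elif minutes_between(a.created, now) > TARGET_MINUTES[a.criticality]:
            flagged.append((a.alert_id, "target missed"))
    return flagged

def sample_alerts(now=NOW):
    """Constructed sample queue standing in for what a SIEM or SOAR platform would hand over."""
    m = lambda n: now - timedelta(minutes=n)
    return [
        Alert("A-1", "critical", m(20), m(20)),                            # never picked up
        Alert("A-2", "high", m(90), m(10), owner="ana"),                   # being worked, but past its 60-minute target
        Alert("A-3", "medium", m(30), m(5), owner="ben"),                  # healthy
        Alert("A-4", "low", m(600), m(100), owner="ana", resolved=m(60)),  # closed, excluded from the queue
    ]
```

Run `escalations(sample_alerts(), NOW)` on a schedule and route the result to a management channel; the unassigned critical alert and the overdue high alert are the two that surface.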

Now it’s possible to manage events proactively, conduct more in-depth investigations and avoid critical analyst burnout.

Remote work in the time of Covid-19 hasn’t been easy for anyone, but it has shown us it is possible to run a SOC like this. Maybe we should consider making the change permanent. Perhaps now is the time to commit to this model and expand our security talent pool outside of the usual high-demand areas. We weren’t able to plan and lay the infrastructure for remote SOCs in the ways we would have liked, but we’re here now and are doing okay. Yes, it’s an unprecedented and stressful moment, but security operations has the potential to benefit from it in the long run.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.