Oh, My Aching Headcount!

Whether you’re an enterprise or an MSSP,  you’re battling today’s acute shortage of cyber- security skills. Depending on whose numbers you believe, there’s something along the lines of 1 million open cyber-security jobs in the world today. Gartner analyst Earl Perkins summarizes the problem best: there is a 0% unemployment rate in cyber security.

According to a survey conducted by Enterprise Strategy Group (ESG) and the Information Security Systems Association (ISSA), 33% of respondents said their biggest shortage of cyber-security skills is in security analysis and investigations. Additional ESG research found that 54% of survey respondents believe their cyber-security analytics and operations skill levels are inappropriate, and 57% feel they’re under-manned and under-skilled in cyber-security analytics and operations.

The age-old cure for any skills shortage is to outsource, and make staffing someone else’s headache. In the cyber-security market, this means turning to MSSPs to augment or replace internal security functions. Considering the data above, it’s not surprising that event analysis and investigation is one of the prime areas of outsourcing for enterprise security organizations.

While outsourcing this function certainly shifts the burden of hiring onto the MSSP, security remains a shared function. We all remember the Target breach, where an outsourced team in India successfully identified the attack, but sent the information to the client as one of hundreds of routine “malware.binary” alerts, which caused the internal security team to overlook the threat. Even though the outsourced team caught the threat, they still included so many other similar-yet-not-important events that the Target internal team could not discern the catastrophic from the trivial. Did the outsourced team do its job? Technically, yes. But practically, no – the client was breached.

Target is no different from any other enterprise – in a world where security incident response teams are inundated by alerts, most of which are unremarkable, it is unreasonable to expect human beings to separate the needle from the haystack with anything approaching a high degree of proficiency. For MSSPs, the stakes of the game are higher. Their entire business is predicated on keeping clients secure. Every alert ignored is a potential lost client and a damaged reputation, so their only option is to increase headcount in an attempt to match the ever-growing flood of alerts. This headcount amounts to serious money that cannot be invested in other parts of the business. We call this “Alert Tyranny,” where MSSP business models are autocratically determined by the need to process alerts. 

There’s been a lot of hype about how automation – particularly security orchestration systems -- will rescue beleaguered incident response teams and curb headcount growth. But instead we’re seeing the manifestation of Bill Gates’ two rules of automation:

  • The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency.
  •  The second rule is that automation applied to an inefficient operation will magnify the inefficiency.

When it comes to alert overload, automation is not solving the problem. Instead, it is magnifying the inefficiency. Processing more “non-events” does not enable SOC operators to break out of Alert Tyranny, because human beings must perform the analysis and investigation. As a result, automation simply increases the velocity of nonproductive activity, and Alert Tyranny remains in power.

The only way to tackle Alert Tyranny and the headcount beast is to fix the process – and that means dramatically reducing the number of pointless alerts people must analyze. This would not only decrease headcount requirements; it would also make security orchestration systems more effective, since actual threats could be introduced to the orchestration system with much greater accuracy and speed. How does one reduce the number of pointless security alerts? Check out our earlier blog post, The Boy who Cried “Alert!”