With a huge shortage in cybersecurity staff and automation alone unable to fill the gap, security operations centers need a new strategy.

Government agencies and companies wage daily battles against sophisticated hackers and unexpected intrusions. A good security operations center should operate like a hospital emergency room where physicians rely heavily on the support of their team. Nurses measure vital signs and aggregate answers to common questions. Specialized technicians provide imagery such as CAT scans and x-rays. With all the requisite information prepared, the physician can make an informed diagnosis and begin treatment.

By contrast, typical secure operations center analysts are left to their own volition, more often than not carrying out repetitive, error-prone and frustrating tasks.

This year the global cyber workforce deficit will reach almost 3 million people and it’s expected to continue rising. Those are huge numbers for an industry people are clambering over each other to get into. The skills gap within cybersecurity is not a new problem, and the underlying issues of employee burnout and attrition, coupled with the nature of the industry’s constantly changing landscape, mean there is no easy fix.

I see this phenomenon every day in the SOCs and computer incident response teams or CIRTs for a large government agency. As government agencies and companies have built and deployed ever more sophisticated tools to handle the growing cyber threat, they have also created a growing gap between the amount of data facing security operations analysts and their ability to triage and respond to this data.

One big issue we have frequently encountered is the amount of time our best talent was spending on repetitive work, which left little or no time to focus on the tasks for which we really need their expertise.

In recent years, a growing number of companies have come to view automation as the solution to the skills gap. After all, when those that make technology encounter problems, they tend to try to fix them by making more technology.

On the surface, it seems to be a simple solution: There aren’t enough qualified people to perform cybersecurity services and those able to do so are in high demand and cost too much to waste their time carrying out repetitive, programmable tasks. A recent report by Gartner showed that by the end of 2019, more than 70 percent of SOCs will have adopted automated tasks in their security vulnerability and configuration scanning for open-source components and commercial packages, up from just 10 percent in 2016.

As we trend toward more automation, however, the constantly evolving landscape of cyberwarfare will raise questions about the ability of a computer to keep up with these real-time shifts. Finally, some simply believe that automation cannot do enough to bridge the cyber skills gap.

Although there may not be a silver automation bullet, there are actions that can be taken to address this challenge:

• A successful solution must focus not just on defending against cyberthreats, but on creating a solution that fits the needs of the people tasked with safeguarding the data. 
• Enterprises should collate insights from a number of sources and presenting those results under a single pane of glass.
• Analysts should be freed to leverage their cognitive abilities where they matter most: hunting for targeted threats as opposed to responding to garden-variety malicious background noise.
• To avoid being overwhelmed, SOC analysts need a virtual support team.

The one key takeaway: Automation in cybersecurity needs to be tightly managed, which means closely monitoring which tasks are automated and which are completed manually. Factories with a tandem robot/human workforce outperform factories staffed solely by one or the other.

Pedram Amini, chief technology officer for InQuest LLC, a network-based cyberthreat eradication platform, wrote this for SiliconANGLE. He’s an author of the book “Fuzzing: Brute Force Vulnerability Discovery” and has presented and given courses at Black Hat and other information security conferences.

Photo: Michael L. Lewis/U.S. Army