By Ray Birch
SAN FRANCISCO—The problem of shortages in IT staff is “colliding” with escalating cybercrime, leaving organizations—particularly small CUs—ill-equipped to manage and respond to cyberthreats, asserts one analyst.
Sam Curcuruto, head of product marketing for cyber security firm RiskIQ, says there is far greater demand for cyber defense IT positions than there is talented staff to fill them.
“Smaller credit unions, in general, are struggling to afford enough staff to cope with the daily requirements of the credit union and the mounting compliance burden. So adding to the IT team is about impossible for many,” said Curcuruto, who emphasized that the issue is as much about finding the people as it is the money to pay their rising wages.
Curcuruto delved into what’s behind the growing cyber security staffing problem.
“First, there is negative unemployment for cyber security. There are more positions available than there are people to fill them,” he said. “And what it really comes down to is that there’s not enough people that have the required skills to step in right now and make a difference. That is a big problem.”
It’s an issue exacerbated by the fact many talented cyber experts—many of the first wave of IT professionals to understand the growing cyber threats—are heading into retirement.
“Many of the skilled people, who have been around and on the job since cyber attacks began escalating, are naturally retiring, matriculating out of the system, and this situation is only going to get worse,” said Curcuruto. “This is a very specialized space.”
The best cyber security experts are created on the job, those who have worked defending against hackers for years, and who have developed expertise through their daily work and through the strong relationships they have built within the cyber security community.
While many young IT professionals are leaving college and heading into the workforce, most still have many real-world skills to learn, Curcuruto said that it will take time for the new wave of cyber security experts to get up to speed.
“I think there are two very distinct levels of cyber security education—book smarts and street smarts. It’s just like a rookie who has just graduated from the police academy, you don’t go right to detective. You have to really understand who the criminals are, their MOs, their techniques and tactics. Until you work in the real world and make the connections yourself, do the research and look for the signs of trouble…until you do those things for some time you will miss things.”
Adding to the problems for small credit unions, reminded Curcuruto, is the issue of retaining talented staff. It isn’t just about salaries, he said, noting the bigger CUs also offer more high-tech tools and sophisticated working environments.
“The smaller organizations, too, tend to work their cyber security experts to the bone, simply because they are small,” said Curcuruto. “With the bigger organizations and their larger staffs, this is less likely to happen.”
Can't Ignort Issue
This is not a problem that small CUs can ignore, said Curcuruto, since regulators hold small financial institutions to essentially the same cyber security standards as large FIs, and they face similar costs.
“God forbid you are breached and the regulators say you did not address something, why did you miss this? I don’t think they will accept the answer that you simply did not have the resources or the time to see or defend against the impending attack,” said Curcuruto.
For some, said Curcuruto, the answer has been outsourcing or employing tools to automate internal cyber security processes.
“Some of our customers are outsourcing to managed security providers. They are contracting with external consultants to do the cyber audits and penetration tests. They are looking for help outside their four walls,” said Curcuruto.
But smaller FIs are also looking at tech tools that can help them streamline internal cyber security processes, and are also taking steps to minimize their risk from attacks, said Curcuruto.
“If a tool has the ability to automate some of the processes or activities related to cyber defense that would normally take a person to do, possibly require additional headcount, that can be a big benefit,” said Curcuruto.
What are some of the processes and activities that are being automated?
“A big one is threat detection, and being able to look across the Internet and all of cyberspace to find the needle in the haystack, or reduce the size of the haystack so that you are able to focus your efforts on the things that are actually cyber security pressing matters for you,” he said. “Automation can be a small organization’s best friend.”
Curcuruto explained that leveraging automation is not a means to review more data, in fact, it’s more about looking at less data—but the right data that is most important to the organization to detect and defend threats.
“These folks are already inundated with alerts and constant advisories,” said Curcuruto. “The last thing they need is one more firehose to drink from. So tools to help them automate threat detection. Think about having 100 tabs open on your Internet browser, that is 100 ways a hacker could potentially get inside your firewall. But reduce those tabs to 10, and suddenly the effort is more manageable.”