contact us

How Automated Risk Prioritization Could Reduce the Security Skills Shortage

by Mar 25, 2019

How Automated Risk Prioritization Could Reduce the Security Skills Shortage

Cybersecurity has never been easy, but new challenges and tools are shaping today’s security practices.

One challenge is the accelerating growth of an organization’s attack surface. Wide adoption of hybrid and multi-cloud architectures is one reason for this, as is explosive growth in Internet of Things (IoT) devices. This no longer only involves copy machines, coffee pots, cameras, and cell phones: We’re also talking about smart sensors and industrial control systems, autonomous vehicles, HVAC systems, lighting, and a great deal more. As 5G connectivity matures, IoT and edge computing devices that connect in plug-and-play fashion will become more common. To further compound the challenge, every connected partner also has an attack surface that is growing for all the same reasons, and those partner connections contribute to your growing attack surface.

Larger attack surfaces provide more opportunity for cyber thieves, but that is only one piece of the puzzle. Another is the growing sophistication of cybercrime. It’s estimated that if cybercriminals are reinvesting 20% of their illicit earnings in new attacks, they are currently spending about three times more than the entire global spend on cybersecurity.[1] Cybercrime is well-funded, in some cases by state sponsors, and cyber thieves are employing the latest technology to exploit vulnerabilities in ways that are very difficult to detect.

This challenging threat landscape begs for more resources and qualified security professionals to combat potential attacks. But we are in the midst of a severe shortage of qualified cybersecurity professionals, and the shortage is deepening. Various industry estimates say that within the next three years, there will be 3.5 million unfilled IT security positions globally. In the meantime, attacks continue to grow, and costly mistakes are happening. The entirely preventable Equifax breach, for example, exposed 145 million customer records, while the recent Marriott incident revealed data on 500 million customers.

The simple fact is that security and IT staff are overloaded, and the threats they need to address are increasing in number and complexity. The only solution is to give security pros tools that will help them do more of the right work. We are seeing this in technologies such as artificial intelligence (AI)-driven endpoint detection and response (EDR) solutions, which help identify incidents earlier and respond to them faster by automating analysis and response functions. Another critical part of an effective security practice is risk prioritization, which keeps teams focused on tasks that mitigate the greatest risks to the business, and spend less time chasing low-risk threats.

Although security and IT teams have never been able to address every possible threat and vulnerability, the need to focus on the greatest risks to the business has never been more important. That’s why it is imperative for security and IT staff to adopt technologies that automate more of the risk-assessment process and make prioritization a continuous process that happens in real time. An effective risk-prioritization tool should be able to do these things:

  • Identify threats and vulnerabilities, quickly assess their criticality and exploitability, and show which pose the greatest risk to the business at any given moment in time. Note that “risk to the business” encompasses more than just the likelihood of an exploit or the technical nature of the vulnerability. It must also consider assets that would be compromised, costs to the business, and how a compromise would affect operations. These all need to be part of the risk-prioritization calculation.
  • Show what immediate impact remediation actions will have in reducing business cyber risk, and direct the necessary actions and resources to carry out the highest-priority remediations. These tools will facilitate data sharing and collaboration between IT, security, and other business stakeholders involved in prioritizing risk-remediation efforts.

Automating risk scoring and prioritization based on criteria specific to your business may not totally solve the global security-skills shortage, but it will enable your security and IT teams to work more effectively to reduce cyber risk using the resources they have. Attacks are still going to happen. The key is to minimize the damage they cause. Automating a business-centric approach to cyber-risk scoring and prioritization enables security teams to focus on those things that are most dangerous to the business at any point in time.

Pull Quotes

  • “The fact is security and IT staffs are overloaded, and threats they need to address are increasing in number and complexity.”
  • “The need to focus on the greatest risks to the business has never been more important.”

Key Points

  • An effective risk-prioritization tool identifies threats and vulnerabilities, assesses their criticality, shows which pose the greatest risk to the business at any given moment in time, and shows the immediate impact remediation actions will have in reducing risk.
  • Automating risk scoring and prioritization based on criteria specific to your business will enable your security and IT teams to work more effectively with the resources they have to reduce cyber risk.

 

[1] Kelly Sheridan, “Cybercrime Economy Generates $1.5 Trillion a Year,” DarkReading, April 20, 2018