Organisations are able to collect more data about security breaches than ever but face an ironic challenge because most still lack the skills to effectively interpret and act upon that data, a security consultant has warned.
Despite years of investing in security information and event management (SIEM) tools to improve analysis of security data, C-suite leaders still haven't invested in the right staff to support the rapid growth in data volumes, Alexander Moss, US-based managing partner at security consultancy Conventus, told CSO Australia.
“The C-suite wants to be secure and compliant, and to manage their budget as best they can, and they are putting down governing rules to say that they've attempted to be secure,” he explained.
“We keep putting in all these new technologies – and the neat thing about software-based solutions is that they generate data. All this investment has created a monumental amount of data just sitting there in the background. A lot of it is garbage data, and a lot of it is important – and people are having a hard time differentiating between the two.”
C-suite leaders had not yet adjusted their hiring patterns and mindsets enough to compensate for the shift in demand, he warned.
As a result, IT leaders were still being relied upon to not only implement appropriate security solutions, but were also being expected to apply specialised data-analysis skills that they almost never actually have. Investments in correlation-based SIEM tools had been a comfortable middle ground for many, but increasing data volumes meant over-reliance on those relatively limited tools was often masking important security events and trends.
“The skill set in IT, and the people you typically have in IT – and particularly in IT security – are not data analysts and certainly not data scientists,” Moss said.
“In thinking that we have this wealth of data – and I would argue that IT security probably has more data than any other division in the organisation – we still don't have the talent to analyse, digest, and consume it to look for patterns and anomalies.”
That put IT-security practitioners on the opposite end of the scale from marketers – another data-hungry part of the business that is filled with analysts that had long struggled to find ways to get enough data on their target markets.
“The biggest problem for them was getting that data,” Moss said. “IT has the data but we don't have the talent. It's not a knock on IT people – they're smart people – but it's a different discipline.”
Fixing this discrepancy would require business executives to shift their investment from simply pushing IT leaders to implement security tools, to adapting recruitment and training initiatives in a way that allowed organisations to broaden their definition of what an IT security professional should be able to do.
“Hopefully what we'll see is that more and more companies are going to invest in hiring talent,” Moss explained, noting that some of Conventus' largest clients were only starting to take the psychological step towards sourcing broader analytical skills.
“They'll be saying that we don't need an IT security expert – we need someone that is truly a data analysis expert. This will be someone whose job is not necessarily to understand the minutiae of the data, but their job is to interpret and understand trends or anomalies in that data. This requires digesting data from a data analysis standpoint, and not from a traditional correlation perspective.”