Understanding the Mechanics Behind the Cyber Skills Shortage

CyberSeek publishes and maintains a Cybersecurity Supply / Demand Heat Map online, as summarized below. The site tracks open job postings across the United States, and today reports that there are over 313,000 job openings.

This metric is indicative of an underlying problem that many CISOs are not aware of. The reason there are hundreds of thousands of openings is because the systems we are building are simply not safe enough, and the vendors that we rely on to add safety are in fact fraudulent.

But how is this fraud exactly?

Complex computer systems are often built using a mixture of enterprise software and custom written code. Once deployed, we manage the various risks posed to these systems through active testing and passive monitoring.

To add these safety mechanisms, we make two further investments:

  • Enterprise security software licenses (plus hardware)
  • Engineers and analysts to operate the security tools

People are required to perform manual analytics work and act as a buffer between the tooling and the other processes to maintain safety (e.g. reporting a flaw to a product owner, or containing a confirmed incident).

Also, virtually every security product has two interlinked deficiencies:

  • They lack sufficient context
  • They produce ambiguous output

The scale of the problem caused by these deficiencies grows as our systems become more complex, which in-turn demands more human resource to counteract and solve. This delta increases daily, and indicates a widespread fraud being perpetuated with the market today.

Operating in an emerging, unregulated space, cybersecurity vendors are incentivized to ultimately sell you the cheapest product at the highest price.

Aided by slick marketing, security vendors sell ineffective products to unwitting security organizations and maintain a status quo that is beneficial to them. Vendors are able to achieve this because consumers are unable to calculate the true total cost of ownership for a given product, or the benefit (i.e. the additional safety) that is realized.

If CISOs measured cost / benefit with regard to their security tooling, many would choose to build safer systems, reduce technical debt, and purchase products that didn’t require a large amount of human capital to operate.

Building more efficient systems

A quick win to reduce the need for people within the systems we build is to choose tools that produce high fidelity (less ambiguous) output. Many technology companies have been building platforms in-house to support this kind output in recent years. Notable projects include:

At AlphaSOC we are laser-focused on both the context and fidelity problems. Our analytics engine process 3B network events daily (egress DNS, IP, and HTTP events from customers) to generate actionable alerts that can be loaded directly into SOAR and ticketing systems in an open JSON format, as below.


On the topic of fidelity

Consider the pyramid below. The best sources are tripwires, honeypots, and canaries, with the highest fidelity. As we move further up the stack, our visibility increases, alert fidelity significantly decreases. If you have a staffing problem within your security organization, it’s advisable to understand and focus on your high fidelity sources in particular.

In closing

Seek to improve your security posture by choosing to invest in systems with safety built into them into the long-term, and by focusing your efforts on high fidelity signals that you can automate around in the short-term.

The distraction of low fidelity signals produced by ineffective tools introduces a large human cost, and represents significant technical debt that should be understood and managed.