By Ofer Or, VP of Product, Tufin
Organizations across the globe are struggling to recruit the talent they need for their open security roles. Unfortunately, the problem is expected to worsen. In fact, Harvard Business Review first identified the problem in 2017, stating that the issue had actually been top of mind in some organizations since 2015. Fast forward four years, and current research shows that more than half of global companies are at risk of cybersecurity attacks as a result of the shortage.
The following are several ideas on how to combat this problem, ranging from internal changes to technology-based tactics that organizations can begin implementing today.
Manage Network Complexity
An organization’s cybersecurity needs are directly related to the size of its network. In other words, the more complex and fragmented the network, the more work that must be done to protect it. As complexity increases, visibility and control remain critical but become even more difficult to attain.
One approach to combatting the cybersecurity skills gap is to examine areas where your own organization could reduce the workload while maintaining or increasing efficiency, so that the same work requires fewer man-hours. While reducing the number of vendors and platforms is typically not an option in large organizations, a few considerations that could streamline the management of your complex hybrid IT environment include:
- Centralizing Network Security Policy Management: Managing security configurations across vendors and platforms, on-prem and hybrid cloud, from a single console will reduce the effort of managing multiple platforms and ensure consistency across the distributed network.
- Providing Network Visibility: Understanding the connectivity of your network allows you to identify the specific elements to be modified, meaning change requests can be fulfilled more easily and with better accuracy.
- Documenting Network Changes: When it comes time to prove compliance, if all network change requests are documented, searchable and readily available, your audit tasks will be fulfilled, and your staff’s time will be freed up for other critical functions.
- Policy Cleanup Automation: As time goes by, firewall policies tend to grow in size and complexity. New access is added, but rules and objects are never removed. Cleaning up redundant rules can create a more readable, easier-to-manage policy, but firewall teams seldom have the time for a cleanup project. Automating the decommissioning of redundant rules and objects achieves this quickly and with a fraction of the effort.
Automate Network Changes
Far too many organizations manually process routine and low-risk connectivity requests. These manual processes not only require a significant amount of time, but they’re also prone to errors and misconfigurations which can lead to serious downtime, a failed audit, or worse yet, a breach.
Automating network changes through a well-documented process increases an organization’s operational efficiency, without the need for additional staff. It also eliminates resource-intensive mistakes and re-dos. Ultimately, this means gaining better control over access changes and reducing overall risk, using the staff that you already have in place.
Empower Novice Engineers
In many cases, the skill shortage means that the team has diverse knowledge levels, leading to an uneven distribution of the workload. Experienced engineers who are very familiar with the network and/or the security standards are assigned most routine changes and tasks and do not have time to work on any strategic projects. The only way to distribute the load more evenly is to integrate the expertise into an automated process, so that novice staff can handle the daily changes.
For example, a large utility company in the US leveraged security policy automation to empower their entry-level engineers and free their experienced staff to focus on strategic projects. By leveraging automated risk analysis against a unified security policy (USP) they were able to ensure that access requests did not violate their network segmentation policy and did not introduce new risks. By leveraging policy-driven automation, the company ensured a valid implementation of changes even by those engineers who hadn’t memorized every routing table. The automated process itself also helps ensure consistent implementation and documentation of all changes across the team.
Empower Other Teams
Network and security teams are often assigned tasks that originate from other teams in IT. In some cases, these tasks can be offloaded into the broader IT group, especially with the right tools in place. Gartner fellow and research vice president Tom Scholtz states, “Many routine security functions can be performed as well by other IT or business functions.” Tom recommends that organizations identify functions or capabilities (such as user awareness communication) that can be handled elsewhere in the business or IT department.
One example is provisioning network access for new servers or decommissioning access for outdated servers. The server team can be tasked with these changes as long as they have appropriate guidelines and guardrails to ensure they do not introduce new risks. An automated process for cloning the access policy from one server to another (or to a group of servers) can repeatedly save valuable time for the network team. Another automated process for decommissioning server access can complement the task and tighten network security.
In addition, with automation, these tasks can be automatically integrated into the work of other teams and be completed without needing additional assets from the scarce cybersecurity resources. In this way, teams can decommission a server in the firewalls as part of the actual server decommissioning process that is happening elsewhere in IT, or clone a server’s firewall rules as part of setting up a new one. This is also the case with risk analysis. In the manual days, every change request had to be manually checked for risks using resources that are in short supply. With change automation, risk analysis can happen as part of the automated change process, and a request is forwarded to the risk officers for further analysis only in cases where there is an actual risk.
Another example is managing application connectivity. Network teams have to enable connectivity for application teams in order to support the business. The language barrier between application owners and network engineers doesn’t make the task any easier. Application-driven automation for establishing and troubleshooting connectivity empowers the application teams to initiate requests and analyze disconnects, ensures security policy controls are baked into the process, and leads to tight cooperation between the teams.
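The automated risk analysis described above (an access request is checked against a zone-to-zone segmentation policy, and only requests that violate it are forwarded to a risk officer) looks like this in code. This is an added illustration, not part of the original article or any vendor's product; the zone names, address ranges, allowed ports and the `zones_touched` and `evaluate` functions are constructed assumptions.

```python
import ipaddress
from itertools import product

# Constructed zones and zone-to-zone matrix (illustrative, not from the article).
ZONES = {
    "dmz": ipaddress.ip_network("10.10.0.0/16"),
    "app": ipaddress.ip_network("10.20.0.0/16"),
    "db": ipaddress.ip_network("10.30.0.0/16"),
}
DEFAULT_ZONE = "internet"  # anything outside the named zones

# Allowed destination ports per (source zone, destination zone); absent pair = blocked.
USP = {
    ("internet", "dmz"): {443},
    ("dmz", "app"): {8443},
    ("app", "db"): {5432},
}

def zones_touched(cidr):
    """Return every zone a requested address range overlaps."""
    net = ipaddress.ip_network(cidr, strict=False)
    hits = {name for name, z in ZONES.items() if net.overlaps(z)}
    # A range not fully inside one named zone also reaches the default zone.
    if not any(net.subnet_of(z) for z in ZONES.values()):
        hits.add(DEFAULT_ZONE)
    return hits

def evaluate(src, dst, port):
    """Check one access request; return (decision, list of violations)."""
    violations = []
    for sz, dz in product(sorted(zones_touched(src)), sorted(zones_touched(dst))):
        if sz == dz:
            continue  # assumption: intra-zone traffic is outside the matrix
        if port not in USP.get((sz, dz), set()):
            violations.append(f"{sz}->{dz} tcp/{port} not permitted")
    # Only requests with violations go to a human reviewer.
    return ("escalate" if violations else "auto-approve"), violations

if __name__ == "__main__":
    for req in [("10.20.4.7/32", "10.30.1.0/24", 5432),   # app -> db, permitted
                ("10.10.2.0/24", "10.30.1.5/32", 5432),   # dmz -> db, skips a tier
                ("0.0.0.0/0", "10.20.0.0/16", 8443)]:     # "any" source spans zones
        print(req, evaluate(*req))
```

The third request shows why an overly broad source matters: "any" overlaps several zones, so the check reports each zone pair that the matrix does not permit instead of approving on the one pair that it does.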
With analyst firm ESG’s annual global IT survey finding that the cybersecurity skills shortage has been increasing steadily – with 53 percent of organizations bemoaning a lack of necessary talent – it’s difficult to overstate the need to approach this problem in an inventive way.
Organizations need to look for fresh ways to manage complexity and improve operational efficiency, which in turn will improve security. Security policy management and automation can enable organizations to better meet the demands of the modern era without being derailed by the cybersecurity skills shortage.
About the Author
Ofer Or has been with Tufin for six years and currently serves as the vice president of product. Prior to working with Tufin, Ofer held several titles at Check Point Software Technologies and Microsoft. Ofer received his Bachelor’s in Political Science and Sociology and his Master’s in Law from Bar-Ilan University. You can connect with Ofer on LinkedIn: https://www.linkedin.com/in/ofer-or-662503/