Companies Get Creative to Relieve Shortage of Security Professionals
"But the root cause of the shortage is that you have, in effect, inefficient tooling. You need tools that are smarter and can augment the human. Otherwise, you are not going to be able to address the shortage."
Veeramachaneni expects that better security technology can help the humans peer through the weeds and locate the real threats much more quickly, saving time and allowing humans to focus on triaging a small number of alerts.
Yet, for many companies that have little or no security staff, such technology, which is designed for trained security analysts, may not help. Instead, the market has to find ways to spread the knowledge of the current supply of cyber-security workers around to reach more companies. In many ways, that's just what cloud-security and managed-security service providers (MSSPs) are doing today. Both consolidate security expertise—another reason that salaries for cyber-security professionals have risen—and then deliver security offerings to the customer, as a cookie-cutter service in the case of a cloud firm and as a more flexible managed offering for MSSPs.
However, other firms are finding ways to divvy up the experts' time, allowing companies to gain the benefit of security specialists without having to fill a full-time position. Unlike consultants, the worker is not there for a single job, but hired for a specific long-term function, said Ken Baylor, CEO and founder of Stealth Worker, a startup that enables fractional assignments for security professionals.
"If you look at how consulting is done, you hire someone and they hand you a report and leave," he said. "With our service, you can hire cyber-security experts quickly, but it is really to build out your team."
Stealth Worker's most popular service is a virtual chief information security officer (CISO), a top-tier professional that may work for four or five different companies, each for 10 hours a week.
"There are a lot of companies that need people to run their whole program," Baylor said, adding that a specialist CISO can quickly get a company up to speed. "It's like when you build your first house—it is hard and you make a lot of mistakes, but the next one is easier. It's the same when rolling out a security program."
The trend in finding ways to share security experts' time—the time-sharing of effort—does not end there. Other companies are finding ways to bring in freelancers to help companies with specific security problems. HackerOne and Bugcrowd, for example, are two startups that have focused on finding ways to offer a specific security service, vulnerability assessments and research by allowing experts to freelance. Bug bounties are a way to pay for vulnerability assessments of Websites, services and software, allowing a company to pay only for results—actual bugs—and not a permanent hire.
Companies will have to find additional ways to work around the shortages in security professionals, Bluelock's Ton said. "The problems are not going away," he said. "I think the challenge is to figure out how people are going to fill those roles. That is going to be one of the critical pieces in security over the next 5 to 10 years."