There’s a Gap in Security: It’s Not Going to be Filled with People or AI Alone

By: Kathleen Moriarty

Despite numerous colleagues being out of work, the myth that there is a multi-million professional deficit in security continues. Fully buying into the rationale because of the number of breaches that occur, I even cited figures on that deficit in my book published in 2020.

Ben Rothke did some important research and showed that the statistics we’ve been presented with are not factual. Having written a book that emphasizes using architectural patterns that scale in order for skilled resources to have a greater impact, I think about the gap that does exist a bit differently. Through a range of roles over 30 years in the industry, my conclusion is that the attacks will not stop by hiring more people who adhere to the security architecture that proliferates across the industry.

While serving as CTO for the Center for Internet Security, a county-level CISO said to me,

“My local entities are lucky to hire a high school student on break to do their security.”

This was just the sentence I needed to hear, and I have shared it many times because the statement is impactful. While applications require expertise to customize, secure, and audit, numerous organizations do not have the resources to accomplish the required tasks.

Security today is complicated! We apply security by following traditional architecture requirements, even though the infrastructure may be aligned to traditional, virtualized, or cloud native architectures. The controls continue to be add-ons, and we have to ensure our policies meet the requirements across the board in order to maintain compliance with regulations.

This is the heart of the security professional deficit. Take the following simplified network architecture that focuses on security tooling. Each organization is expected to run infrastructure protection controls such as the ones listed in order to prevent breaches. The rate of breaches continues at a steady pace because this is not achievable by organizations with few resources.

[Figure: Typical set of Security Add-on Tools for a Well Resourced Organization]
The architecture requires a minimum of about 10 resources to manage each add-on security control. Now, multiply this by the number of organizations globally, and you can see how one would arrive at the very large numbers associated with the stated security professional deficit. Except that this does not factor in the reality of the quote above: small and medium sized organizations do not have the resources to manage security tooling at this scale.

[Figure: The Burden of Security Architecture Today]

Transformation is necessary, which is why SecurityBiaS has attracted incredible talent to work together to solve this problem. The current path is not working, so we are working on a different one. Reach out to learn more!
