Finding and retaining talented cyber security professionals, once an afterthought on the IT department’s checklist, has become a critical and seemingly impossible task to fulfill, especially in the financial SOC. According to a recent study by Cybersecurity Ventures, information security currently boasts a zero percent unemployment rate and there are over 1 million vacant security positions across the US alone. Industry experts expect that figure to grow to 1.5 million slots by the end of the decade, leaving execs in a panic. It’s not simply that there aren’t enough people to fill those spots; there aren’t enough highly-skilled people, those with the ability and experience needed to take on today’s complex security challenges.

The Talent Gap and the Financial SOC

Certain industries have more to worry about than others when it comes to finding the right people for the job, and it certainly doesn’t take an insider to understand why the banking and financial industry is particularly concerned. When cornered, famed bank robber Willie Sutton told reporters that he robbed banks “because that’s where the money is”. Accordingly, in 2015 and 2016, banking was the third most targeted industry in the US. And though traditional services like ATMs and POS, and new FinTech applications including banking apps, digital wallets and other forms of mobile payments, make banking more convenient for customers, these venues provide attackers with yet another way to target financial institutions and their patrons with fraud and ID theft.

The natural reaction to the barrage of attacks is to scramble to hire more analysts. Although some high profile financial institutions have the resources to pay out millions of dollars each year to hire additional talent, many simply do not have that kind of money. Even when they do, as is sometimes the case for big banks and financial institutions, they may still find themselves at the center of large-scale breaches. JPMorgan Chase, for example, spent $250 million on security in 2014 and still experienced one of the largest data breaches on record.

But even when banks and financial institutions can set aside huge budgets for hiring additional talent for their SOC, the number of qualified professionals needed to fill the gap cannot be found. According to Marc van Zadelhoff, general manager of IBM Security, “Even if the industry was able to fill the estimated 1.5 million open cybersecurity jobs by 2020, we’d still have a skills crisis in security. The volume and velocity of data in security is one of our greatest challenges in dealing with cybercrime.”

This doesn’t mean that there isn’t any ‘young blood’ entering the profession, but organizations are often wary of adding less experienced hires, preferring to hold out for highly skilled and seasoned veterans. In the end, positions are either begrudgingly given to “tier one” hires who may not have the depth of skill to perform the abstract processes needed, or, as is more commonly the case (and much more problematic), they are left unfilled, placing the burden on existing teams.

And the reality is that even when those highly-skilled hires are snatched up, they will find themselves fighting a slew of adversaries that they don’t yet know how to combat in their new setting, along with unknown threats that even the most veteran team members are challenged with managing. It is exactly against this muddled backdrop that alerts are missed and incidents begin to fall through cracks.

Evolving Attacks, Too Many Alerts

As banks explore ways to fortify their security posture, attackers are challenged to evolve their tactics, and they pivot with ease. Their diverse and shape-shifting tool set includes distributed denial of service (DDoS) attacks used as smoke screens, diverting attention away from the more sophisticated attacks taking place behind the scenes; botnets such as Zeus, which netted over $100 million during its successful run; POS malware campaigns like the complex Carbanak APT, which stole an average of $8 million from each bank it targeted; attacks on third-party networks like SWIFT, which was targeted numerous times in 2016; and spearphishing techniques such as conning employees into opening infected email attachments, which played a significant role in all of the above.

With these tools and more, attackers netted more than one billion dollars from financial institutions in 2015 alone. And one anonymous, global financial institution has disclosed that they are barraged with over two billion cyber events, like malicious emails and alerts — each month.

The influx of events and alerts leads directly to alert fatigue: too many alerts coming in from too many tools that don’t integrate properly. Add this to the constantly evolving and growing nature of attack methods and it’s clear that even an army of the most skilled analysts cannot be expected to investigate every nuance of each new threat in time to prevent attacks.

Closing the Gap

At this point, one thing is certain: there will never be “enough” analysts to completely secure the financial SOC. There are simply too many outside threats and too much internal complexity. The real key to securing the financial SOC lies in maximizing the value of your team with the right combination of automation, orchestration and training, and putting it all into one transparent framework.

Automation helps you prioritize work according to business impact and lets your team focus on what matters most, making the most of analyst time and skills. Instead of deploying a fleet of analysts to try to catch each alert as it comes in, free the ones you already have to do higher-level triage and investigation, while addressing far more events with less manpower. Automation accelerates incident response and grants maximum visibility across your security landscape, ensuring that no alert goes unchecked and no threat slips through the cracks.

No two SOCs have the same needs, the same exact tool set, or the same analysts. Flexibility within automation, or semi-automation, allows teams to make automation a dynamic process rather than rigid rules set in stone. Automation controls and oversees the process; human intellect, able to perceive threats and factors beyond what rules and playbooks can see, controls and oversees that malleable automation.

Orchestration allows teams to connect the dots, find meaning, and understand the story of what’s really taking place behind those nameless, out-of-context events.

The typical SOC comprises a mountain of individual tools that don’t integrate and don’t communicate; orchestration draws each one out of its silo, provides the underlying infrastructure, creates interoperability, shares insights, and automates workflows and responses between those tools. From a single screen, your analysts can see the entire spectrum of events and tools.
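The two ideas above, automation that ranks work by business impact and orchestration that merges what separate tools say about the same event, can be shown in a few lines. The script below is an added illustration, not code from the original article or from any vendor product it describes. The hostnames, the asset criticality scores, the severity weights and the sample alerts are all constructed for the example; a real SOC would pull asset criticality from its CMDB and alerts from its actual tools. It collapses alerts from several tools into one case per host and detection rule, scores each case by severity times asset criticality, bumps the score when a second tool corroborates, and flags only the top cases for a human analyst, leaving the rest to automated playbooks.

```python
"""Constructed example: score and group security alerts by business impact."""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical asset register: business impact of each host on a 1-5 scale.
# A production SOC would load this from its CMDB; these names are invented.
ASSET_CRITICALITY = {
    "swift-gateway-01": 5,   # payment messaging: highest impact if compromised
    "core-banking-db": 5,
    "teller-ws-117": 3,
    "dev-build-02": 1,
}
DEFAULT_CRITICALITY = 2      # unknown asset: assume moderate impact, never zero

# Constructed severity weights as reported by the originating tool.
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Cases scoring at or above this go to a human analyst; everything below is
# handled by automated enrichment or auto-close playbooks (semi-automation).
HUMAN_REVIEW_THRESHOLD = 10


@dataclass(frozen=True)
class Alert:
    tool: str        # which product raised it: EDR, SIEM, email gateway, IDS
    host: str
    rule: str        # detection rule or signature name
    severity: str


def impact_score(alert: Alert) -> int:
    """Tool severity weighted by the business criticality of the asset."""
    criticality = ASSET_CRITICALITY.get(alert.host, DEFAULT_CRITICALITY)
    return SEVERITY_WEIGHT[alert.severity] * criticality


def triage(alerts):
    """Merge alerts from separate tools into one case per (host, rule),
    score each case by business impact and decide who handles it.
    Returns cases sorted from highest to lowest score."""
    cases = defaultdict(list)
    for alert in alerts:
        cases[(alert.host, alert.rule)].append(alert)

    result = []
    for (host, rule), group in cases.items():
        score = max(impact_score(a) for a in group)
        tools = sorted({a.tool for a in group})
        # Independent corroboration by a second tool raises confidence.
        if len(tools) > 1:
            score += 2
        result.append({
            "host": host,
            "rule": rule,
            "score": score,
            "alert_count": len(group),
            "tools": tools,
            "needs_human": score >= HUMAN_REVIEW_THRESHOLD,
        })
    result.sort(key=lambda case: case["score"], reverse=True)
    return result


# Constructed sample feed: six raw alerts from four different tools.
SAMPLE_ALERTS = [
    Alert("edr", "swift-gateway-01", "credential-dumping", "high"),
    Alert("siem", "swift-gateway-01", "credential-dumping", "high"),
    Alert("email-gw", "teller-ws-117", "phishing-attachment", "medium"),
    Alert("ids", "dev-build-02", "port-scan", "low"),
    Alert("ids", "dev-build-02", "port-scan", "low"),       # exact repeat
    Alert("edr", "unknown-host", "suspicious-powershell", "critical"),
]

if __name__ == "__main__":
    for case in triage(SAMPLE_ALERTS):
        owner = "ANALYST" if case["needs_human"] else "playbook"
        print(f'{case["score"]:>3} {owner:8} {case["host"]:18} '
              f'{case["rule"]:22} x{case["alert_count"]} via {case["tools"]}')
```

Running it turns the six raw alerts into four cases and hands exactly one of them, the corroborated credential-dumping activity on the payment gateway, to a person. The unknown host deliberately gets a non-zero default criticality so that a gap in the asset register cannot silently bury a critical detection; the two identical IDS alerts are counted but not double-scored. The threshold and weights are the knobs analysts tune, which is the "human intellect oversees the automation" point made above.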

Training keeps your team ever-ready for whatever comes their way, making sure that all your analysts are actively working on their skills. From your most veteran analysts to your newest members, establishing training modules that incorporate guidance and supervision ensures that knowledge and ability is always being refreshed and enhanced.

One of the most common reasons that skilled analysts jump ship is the stress of the overload, also known as burnout. A regular cycle of training means that newer analysts can shoulder some of the burden, while lowering apprehension about their potential lack of skill.

Grow Your Team from Within

Stop worrying about finding more talent to fix what’s broken in your SOC, and start growing it within the team and tools you already have. Effectively addressing the talent gap means adopting a perspective of optimizing from the inside out, through a framework of automation, orchestration and training.
