Automation Appears to Worsen Current IT Skills Shortage

“The skills gap has increased, leaving organizations more vulnerable than ever before.”


Artificial intelligence is currently not a dependable tool, and automation will not reduce the need for IT security professionals. Many activities will require highly technical staff, intensifying the skills gap further.

Those are among the eye-openers of a new Ponemon Institute survey report, “Staffing the IT Security Function in the Age of Automation,” sponsored by Seattle-based DomainTools, which studied how organizations address the need to hire and retain qualified IT security practitioners and the effects of automation and AI.

IT security functions remain understaffed and at risk. One of the principal barriers to a strong security posture, according to the research, is not having a team of security professionals that can deal with complex and serious internal and external threats to the organization. “Unfortunately, improvements in staffing are not happening,” according to the Ponemon research.

More than 600 surveyed IT and IT security practitioners – including almost 20% from financial services, who participate in attracting, hiring, promoting and retaining IT security personnel within their companies – disclosed that companies are falling behind in keeping IT security functions, already suffering from acute deficiencies, adequately staffed with the adoption of automation technologies.

More respondents in this year’s study indicated they have understaffed IT security functions than in 2013 (75% vs. 70%). Specifically, only 25% of respondents said their organizations have no difficulty attracting qualified candidates, compared to 34% in 2013. Only 28% reported their organizations have no difficulty retaining qualified candidates compared to 42% of respondents in 2013. Compounding the issue, 76% believe machine learning and artificial intelligence tools and services aggravate the problem by increasing the need for more highly skilled IT security staff.

Forty-one percent of organizations said the inability to properly staff security positions increased investment in cyberautomation tools. Yet despite the hype around this technology, only 26% of organizations currently use automation tools as part of IT security, and only 15% stated that AI is a dependable and trusted security tool for their organization.

“One of the biggest barriers to a strong security posture is attracting and retaining the right people that can deal with complex and serious internal and external threats to the organization,” Dr. Larry Ponemon, chairman and founder of the Traverse City, Mich.-based Ponemon Institute, said. “This research reveals that despite the adoption of advanced and automated tools, the skills gap has increased, leaving organizations more vulnerable than ever before.”

Additional survey findings:

“As cyberthreats and threat actors grow in numbers and expertise, organizations worldwide rely on both highly skilled staff and advanced technology to combat these threats,” Tim Helming, director of product management at DomainTools, said. He added that while research found automation great for certain low-skill tasks, additional work on more advanced threats requires high-skilled security professionals, who continue to be in very short supply.

The research found an understanding of potential cybersecurity threats is important for entry-level and highly experienced job candidates. Respondents said their organizations have great expectations that highly experienced job candidates will bring more general knowledge to their positions.

The top three categories of general knowledge for entry-level candidates are an understanding of potential cybersecurity threats (39%), familiarity with security regulations and standards (25%) and experience with intrusion prevention and detection systems (19%). Similarly, respondents expect highly experienced job candidates to have an understanding of potential cybersecurity threats (85%), experience with intrusion prevention and detection systems (81%) and an understanding of information security frameworks (75%).