October 16, 2024
7
min read

Universal talent gap in cybersecurity hinders the ability to run investigations

It is no surprise that a significant challenge for cyber teams is a pronounced skills shortage in the industry. The gap between the demand for experienced cybersecurity professionals and the available talent pool is widening for all cyber disciplines. This research indicates that this gap is even more acute for incident response and cyber investigations.

Erdem Menges
VP of Product Marketing

Introduction

This blog post is the second post of a blog series covering the key findings of our first research report “Top Challenges in Cyber Investigations & Recommendations for SecOps Leaders”, published on September 10, 2024. You can read the first blog post of this series here:

In this post, we will cover the first key finding of this research:  

Universal talent gap in cybersecurity hinders the ability to run investigations 

It is no surprise that a significant challenge for cyber teams is a pronounced skills shortage in the industry. The gap between the demand for experienced cybersecurity professionals and the available talent pool is widening for all cyber disciplines. This research indicates that this gap is even more acute for incident response and cyber investigations. This finding can be explained by the high skill requirements for investigators. Analysts who are tasked with resolving cases need to be subject matter experts in the analysis and have admin-level knowledge of data sources.  

The scarcity of experts leads to situations where existing teams are stretched thin grappling with dual responsibilities: staying abreast of the latest cyber threats while also ensuring that day-to-day security operations run smoothly. This oversubscription creates room for oversights and burnout, undermining the effectiveness of overall security measures. Security teams must foster a culture of continuous learning and collaboration to navigate complex scenarios, yet this is challenging when teams are constantly in fire-fighting mode.

Before the wide adoption of cloud computing, servers, networks and data storage were deployed locally in on-premises environments and controlled data centers. The surge in SaaS and cloud computing adoption means cyber investigators must now work across SaaS applications, traditional on-premises environments, cloud environments and hybrid deployments. The complexity of securing organizational assets has increased accordingly. The need to understand dozens of individual technologies and tools creates significant challenges. In addition to the tech stack, security operations teams find themselves in a relentless race to master a growing arsenal of specialized cybersecurity and investigation tools.

Key findings

88% of respondents expressed concerns about operational issues related to the lack of access to skilled staff and high attrition rates. Undoubtedly, high attrition erodes institutional knowledge and processes in every organization.

Cloud environments are a significant part of enterprise IT infrastructure today and are projected to become an inevitable business necessity by 2028 (source: Gartner Says Cloud Will Become a Business Necessity by 2028). Yet, cloud environments are relatively new and not all analyst teams have the skills to run investigations in the cloud. 74% of respondents stated they felt their team lacked the skills in public clouds to perform high-quality investigations. This is likely caused by a lack of cloud expertise and cloud security solutions, explaining the booming segment of cloud security and visibility.  

Interview responses also showed that 72% of organizations were not confident about their ability to track an intruder through their environments within an incident. The respondents cited reasons including a lack of data collection coverage, investigation expertise, investigation resources and technology skills. The responses indicated that most organizations are unsure if they’re collecting the right data. Many organizations also lack the resources and skills to integrate all relevant data sources (especially when it comes to collecting critical SaaS logs). 

Command Zero’s perspective  

Cyber investigations and incident response (IR) are innately challenging even in traditional IT environments where infrastructure, compute and storage are managed on premises or in fully controlled data centers. Security practitioners working in hybrid or cloud-born enterprises face not only these challenges but also additional issues. The absence of centralized control over the creation and monitoring of cloud tenants and assets often leads to a complex infrastructure with vast data sprawl. Additionally, frequent and relentless innovation in IaaS, PaaS and SaaS technologies results in a persistent learning curve. Unfamiliarity with conducting cloud-based investigations further steepens this curve.

The situation is even more daunting and complex for hybrid environments consisting of both legacy infrastructure and cloud platforms. This added investigation challenge is not easily solved as existing security products typically focus on cloud or on-prem environments with little or no overlap or consistency between them. 

The stark reality is that, as an industry, we have not yet invented a scalable way to run cyber operations even for fully controlled environments (think on-premises or private cloud). The widespread adoption of SaaS and cloud has only made the problem worse. As a result, defenders keep struggling with security operations fundamentals.

There is an obvious and significant shortage of seasoned investigators. Inexperienced analysts lack the expertise needed to navigate complex incidents and make use of large volumes of security data. To make matters worse, budgetary restrictions result in understaffed teams. Understaffed (or oversubscribed) analyst teams are put in a no-win situation where they simply cannot keep up with all of the alerts across all the various platforms. They cannot properly investigate and conclude the cases that are brought to their attention.

This situation not only increases organizational risk, it often leads to employee burnout and high rates of turnover. This is compounded by the fact that onboarding a new analyst to full productivity typically takes 6 to 12 months. Historically, finding skilled security personnel was already a challenge. Now, the need for expertise in both traditional systems and emerging cloud and SaaS technologies further increases the demand for skilled responders in an already deficient market. (While most of this is true for the average organization, there are analysts out there with these rare skillsets. These people selflessly and single-handedly lift the security operations of the organizations they are part of. You are the true warriors; we appreciate and salute you!)

Another consistent concern among respondents was the heavy reliance on key individuals. Organizations with a single point of personnel failure place their security program in a vulnerable position. In some scenarios, a single senior analyst is the only person on the team with unique knowledge and contextual understanding of the company’s environment and security posture. In some enterprises, the key individual has developed bespoke tools specific to the organization and is the only one able to maintain and support the nuanced tool. Loss of a key analyst can lead to operational inefficiencies and even catastrophic security lapses. 

The skills gap in cyber is a reality we’ve been living with for decades. However, the problem is more acute and damaging for advanced skill sets, such as tier 2 and 3 SOC analysts, investigators and IR. Cyber investigations are both art and science when the analysis process depends heavily on the individual skillset and tools, making the results hard to predict, report or review. Organizational investigation capabilities depend on keeping and growing individual talent, and the survey respondents reveal that as an industry, we’re unable to keep security operations talent at this time (88% of respondents expressed concerns about operational issues related to the lack of access to skilled staff and high attrition rates).

Recommendations 

  1. Investing in analyst career paths and continuous learning can improve job satisfaction.
  2. Improving the efficiency and job satisfaction of teams is critical for short- and long-term talent retention. Giving teams the expert tools and the content they need to operate within complex environments, and adopting automation and AI capabilities where possible, can reduce the burden on analysts.

Conclusion & What’s Next

In this blog post, we covered the first key finding of this research. In the next post in this series, we will dig into the other key findings and recommendations.

If you’d like to read the full report, you can download a copy from the report overview page on our website.  

