Graeme Dawes - Fotolia
Cybersecurity automation won't fix the skills gap alone
Joan Pepin, CISO and vice president of operations at Auth0, says cybersecurity automation makes her job possible, but it can't replace the human talent her industry badly needs.
What used to be considered forward-thinking of CISOs who implemented cybersecurity automation is now the standard. Gone are the days when antimalware was protection enough for sensitive data. Today, security professionals must face off against massive phishing campaigns, advanced persistent threats, insider threats, web application attacks and more.
It is unfair to expect IT personnel to combat this changing threat landscape alone -- especially considering how many attacks are carried out by automated bots. To combat automated attacks, infosec professionals have to fight fire with fire, and use all the sophisticated tools at their disposal to protect data.
In this Q&A, Joan Pepin, CISO and vice president of operations at Auth0, discusses the pros and cons of automation, and how automation and better hiring practices can alleviate the skills gap and gender disparity in her industry.
Pepin, whose background in IT began at the age of eight when she enrolled in computer programming summer camp, expressed why the necessity of cybersecurity automation cannot be underestimated. In her 22 years in the industry, she has witnessed the sophistication of cyberthreats and the rollout of new machine learning technology. New automation technology available has not made her job easy, nor has it solved the cybersecurity skills gap.
Editor's note: This transcript has been edited for length and clarity.
You've witnessed the trend toward cybersecurity automation in your discipline. Has it made your job easier?
Joan Pepin: It's made the job possible. Things are happening on such a massive scale. Millions and millions of events per minute -- terabytes of data, petabytes of data are exchanged. The scale has gotten so massive that it is simply impossible to think of modern information security without automation.
We need to put real thought into where machine learning is still not up to the standards of what a human security professional can do. We need to know what kinds of problems we can solve with automation, and what kinds of problems we need to point at a human being. We also need to arm that human being with contextual information so they can effectively perform their function.
As an industry we are getting better at that. But it's been a long, slow journey. It does not feel like it's been evolution at the same pace as other technologies have experienced. Social media has evolved and driven the scale up on the internet. Cybersecurity has not kept that pace, but we continue to get better.
How will automation affect the cybersecurity skills gap?
Pepin: There's definitely a gap in cybersecurity engineering. But more painful than the lack of engineers is the gap in security leadership. There's a shortage of people who have a technical security background who can also run a security team and set goals for that team that are aligned with business goals.
I don't see us solving those problems with automation. The internet keeps getting bigger and faster with more and more transactions per second. Each transaction has some probability of being illicit, or some reason to be audited, monitored and met with a response. As that scale keeps growing, we need automation just to keep up with that.
But that is not getting us ahead of the problem. We need skilled, talented people who can architect and monitor secure systems and we need leaders who can direct those resources.
In a Ponemon Institute study, many respondents said the more machine learning-powered tools they bring in, the more they needed experienced staff to deal with those tools. What is your advice for CISOs who struggle to find talent with the skills to manage automated tools?
Pepin: These are sophisticated tools that have sophisticated output. You need a sophisticated security and engineering response team to understand that output, translate that output into action and be able to take the appropriate action. All that automation still points to a job that needs to be done by a human. We don't have enough humans who can do those jobs.
There's a lot that you can outsource to managed security service providers, but MSSPs still need to work with someone inside the business who knows the company, knows the employees and who has access to internal systems.
Is filling the gap internally, say by hiring networking staff, a smart way to hire?
Joan PepinCISO and vice president of operations, Auth0
Pepin: A tried and true path into security has been from networking. I think that's actually become difficult, as everything has shifted more and more to the cloud. There are fewer network engineers in IT today because the corporate network has become completely commoditized and more services are external, cloud-based services. Those hardcore network engineers that we used to recruit into the security team understood network protocols and understood what good traffic and bad traffic looked like. They had all the fundamentals that could make them good security engineers.
I think IT and engineering are great places to recruit security talent. We've also pulled people from compliance, which is adjacent to security as well. But that traditional path from network engineer into network security into security generalist -- there are fewer people on that path these days.
How should CISOs respond to business leaders who do not understand that their business is a constant potential target for cyberattack?
Pepin: It's easy for us to come off as alarmist or having only one focus. I think a lot of people in infosec make the mistake of assuming that everyone sees the world the way they do. It's all about putting things in business terms. Explain to business executives that if we don't pass these things on time, then we could be vulnerable to an attacker who could gain access to sensitive information. Explain that you're there to prevent a lawsuit that could cost millions of dollars and result in brand damage. Obvious outcomes of a bad patching policy to an infosec professional may not appear obvious to a vice president of finance or marketing.
You've spoken up about gender disparity in your industry. What can cybersecurity leaders do to address it?
Pepin: Technology is not a gender-diverse field right now. What should we do? To get more people into the field -- including more women and underrepresented groups -- the whole industry needs to be a little friendlier.
Also, I think most of us in the field need to work to make it safe, and to advertise and bring people in. Say: We need help here. Explain that people with an applicable background should apply for that job. Help them touch up their resume. Help them prepare for the interview.
Those of us in management should advocate for women and underrepresented groups by making sure we treat our employees equitably and pay them equitably. We should make sure we're not saying things about women that we wouldn't say about men. Are we checking our privilege and our unconscious bias as much as possible to make the industry safe? I think we need to do all of those things.