When Chinese hackers attacked Google servers six years ago, it was like the first grenade lobbed in an all-out war between hackers and cybersecurity experts.
"Since 2010, we've been in a battle, a race, to help companies protect their intellectual property," said Peter George, CEO of Fidelis Cybersecurity, which is based in Washington D.C.
The battle rages on—notably, with the recent data breach of the Democratic National Committee, as well as breaches at LinkedIn and the IRS—but troop supply is limited due to a shortage of talent and expertise in the cybersecurity world.
More than a million jobs in the cybersecurity industry are vacant around the world, according to labor statistics cited in a 2016 report funded by Trustwave, one of the largest cybersecurity firms with over 3 million clients in 96 countries.
In the same report, more than 80 percent of the security professionals surveyed said they felt they needed increased security staff sizes to adequately prevent cyber threats. Of that group, over 20 percent felt they needed to quadruple their staff size.
"[The workforce shortage] may be the single biggest problem in the industry today and the thing that keeps information security officers up at night," George said.
Contributing to the workforce shortage is a lack of expertise in and knowledge of the cybersecurity industry. According to the 2016 Data Breach Report conducted by the Identify Theft Resource Center, only 31 percent of security professionals are confident their teams can detect data breaches, and 42 percent said they believe their teams could handle only minor breaches.
"We see the skills gap as one of two interrelated issues," said Steve Kelley, chief marketing officer of Trustwave. "The advanced types of malware and security threats that we see today are becoming increasingly complex and sophisticated, and in addition to that, the amount of budget and resources are still somewhat limited."
Fidelis, Trustwave and many other cybersecurity companies are trying to partner with educational institutions to make students aware of careers in cybersecurity and to create specific degree programs for careers in the industry.
"The strategic problem is that we need to reach further down in the educational chain to encourage young folks to pursue this as a career," said Rick Howard, chief security officer of Palo Alto Networks, a cybersecurity company based in California.
Palo Alto Networks has launched two educational initiatives to bolster the cybersecurity workforce. One initiative is to partner with universities to hold cybersecurity events, such as their "Unit 42 Capture the Flag" contest, in which students can win scholarships to pursue careers in the cybersecurity industry and potentially intern at PAN.
Trustwave has also partnered with an online education company called LifeJourney, which pairs students with mentors from Fortune 500 companies and gives them the opportunity to test a STEM career through its software program.
The results of these initiatives will not been seen for years, however, until after high school and college students graduate from the programs. And having a college degree or experience working in tech is also not enough to work in the security industry, said Trustwave's Kelley. Most cybersecurity professionals have two to three additional certifications and there are more than 300 industry certifications, he said. Because of this, many security companies offer company training programs to equip basic IT professionals to become security analysts.
Automation and AI Technology
Investing in artificial intelligence technology and automation is the fastest and most immediate solution for the cybersecurity industry, and many companies are already pursuing this route.
Cybersecurity platforms started out as multiple prevention and detection products that were assigned specific functions to prevent and protect company networks at each step of the infiltration process, Howard said.
Now PAN has a completely automated system that compresses multiple prevention and detection products into one system, he said.
Trustwave has automated its data collections processes with AI technology so that human analysts don't have to manually sort through data to find potential security threats. Instead, its software analyzes the data and alerts human analysts to potential threats that can be detected from abnormal company network activity.
"Think about the self-driving car and all the advances going on in self-driving cars," said George. "We are trying to do the same thing in the security industry to make the security products automated and integrated, so you don't need a lot of security analysts looking at monitors and taking action. The action happens automatically."
George said that Fidelis is also investing more money into machine learning and AI technology.
Even with the automation of cybersecurity platforms, a high-level of expertise is still needed to maintain, operate and improve the platforms.
"Once we automate the tools and invest in those cyber warriors, then hopefully, we will be able to get ahead of the curve," George said.