About a month ago, DomainTools and the Ponemon Institute announced the results of its third annual "Staffing the IT Security Function in the Age of Automation" report.  The survey of more than 1,000 IT and IT security practitioners analyzed the impact of automation on current IT security practices and staffing in the U.S. and UK.

To dive in a bit deeper and learn more about those findings, VMblog reached out to and spoke with Corin Imai, Senior Security Advisor at DomainTools.

VMblog:  How is automation increasing productivity alongside reducing stress in the lives of security personnel across industries?

Corin Imai:  According to 43% of respondents, automation increases the productivity of current security personnel and reduces the false positive and/or false negative rates, as 60% of respondents say automation is helping to reduce the stress of their organization's IT security personnel. 

The goal, like any solution created for the market, is to solve a problem - practitioners saw a need and therefore, decided to create a solution. In the case of automation, we can use the example of Security Orchestration Automation Response (SOAR) platforms that look to align playbooks and workflows to automated actions, thus ideally solving the issue with regards to the length of time in which SOCs need to meet the needs of increasing threats. The ability to take a tool and create automated actions, is not without cost. The human element of understanding the core goals of the organization, documenting a workflow, and analysis are necessary to make sure the false positives are not outweighing the ideal benefits of automation tools. 

VMblog:  Why are employees becoming increasingly concerned that they will lose their jobs in the age of automation?

Imai:  Employees, according to 37% of respondents, believe they will lose their jobs as a result of automation, a significant increase from 28% of respondents in 2019. Of the 37% who say they are concerned about keeping their job, the majority believe this will happen in an average of 4 years.

Some of the solutions that are coming to market are looking to automate functions within an organization. The common misconception with most solutions, is that they will replace the human component required to make these solutions truly successful. Some of the misconception comes from the way these solutions are presented to the market, while other beliefs come from fear that the functions becoming automated are all that practitioners have to offer. 

VMblog:  And why does the human factor remain the utmost important player in information security as companies continue to adopt automation tools?

Imai:  Automation will improve productivity, but the human factor is still important. Automation is not capable of performing certain tasks that the IT security staff can do, as reported by 74% of respondents and 54% of respondents say automation will never replace human intuition and hands on experience.

VMblog:  In which areas do organizations find themselves lacking the most when it comes to core competencies rather than individual skills?

Imai:  The three core competencies that organizations lack the most are:

• IT Infrastructure
• Security
• Compliance

As opposed to individual skills, it is more important to think in terms of the core competencies in which organizations find themselves lacking. Staff are missing in key areas such as IT Infrastructure, security, and compliance - all of which are significant areas of importance for organizations hoping to achieve an appropriate security posture. 

This year's DomainTools and Ponemon report on cybersecurity hiring and automation, which surveyed over 1,000 IT professionals, found that the majority of respondents believed that automation will decrease the security headcount, but will not replace human expertise. 

Therefore, the security industry needs to continue to think creatively about drawing talent into cybersecurity, and governments need to recognize the importance of properly funding training schemes for cybersecurity. As data surpasses oil in 2019 as the most valuable commodity on earth, keeping this data safe and out of the hands of criminals should be a top priority.

VMblog:  Are hiring managers focusing on the appropriate skills and backgrounds when it comes to considering new hires?

Imai:  There has certainly been a push to include more STEM programs in school curriculums, although more needs to be done to encourage children from diverse backgrounds to pursue these subjects in higher education. 

In the United States, master's in cyber security programs are offered at University of North Dakota, University of Maryland Global Campus, and Southern New Hampshire University, along with Hackbright Academy, a software engineering school for women in San Francisco. 

GCHQ has a list of approved courses based in the UK, among which Edinburgh Napier University's MSc in Advanced Security and Digital Forensics, Lancaster University's MSc in Cyber Security, the University of Oxford's MSc in Software and Systems Security, Royal Holloway's MSc in Information Security and the University of York's MSc in Cyber Security. 

Increasingly, however, hiring managers are looking for soft skills, rather than purely technical backgrounds. Educational centers wishing to introduce cybersecurity programs must bear this in mind when designing the study curriculum, and make sure they account for the comprehensive expertise, flexibility, communication skills, and adaptability that the cybersecurity workforce of the future will need.

Equally, hiring managers should be open minded about the candidates they consider for positions within the IT security functions, as an unusual route into this career can be an invaluable asset in today's evolving threat landscape. 

VMblog:  How does automation impact the requirements for a given role if they are enabling certain automation tools?

Imai:  It might increase the requirements for a role if they are enabling certain automation tools. 

VMblog:  Due to the number of unfilled positions in cybersecurity, how likely is it that automation will replace the hiring of new employees?

Imai:  It is unlikely in the coming years that automation will replace the need for new employees. By looking at the sheer volume of unfilled positions in cybersecurity, there is no way for automation to fill more than 4 million positions of which automation still does not solve for the human element needed in the majority of these roles. 

VMblog:  And finally, how does automation affect the skills that will be needed in the future versus now? 

Imai:  Automation does not impact the skills needed in the future as compared to today. In the near future, we will not only need the core skill sets of IT infrastructure (systems administration, networking, etc.), programming languages, and a large passion for solving problems, but we will need more people.