The prerequisites for becoming a security elite create a skills ceiling that is tough to break through – especially when it comes to hiring skilled EDR or XDR operators. How can businesses crack this conundrum?
Human resource professionals know that the market price for a skilled operator can exceed what a company would want to allocate for such a hire. Put simply, HR is in a bind: they have to overinvest in someone without knowing whether the hire will A. be skilled enough to properly manage the company’s increasingly complex security solutions; B. even stick around after probation; or C. burn out under the security team’s high workload.
The answer seems to lie right where the problem is: hiring can only be solved by investing in talent with demonstrated experience. Or is it? Perhaps the answer lies in outsourcing, for example by employing skilled professionals from a security partner.
A difficult market to crack
The job market for IT security professionals is often dictated by the prospective hire, not the employer, and this creates a dilemma: will Chief Information Security Officers (CISOs), security managers, or technicians be able to rationalize the rising employment costs, or would they be better off building internal talent from the ground up?
When hiring for an incident response team, for example, there is always the inevitable moment when the question is asked: does the candidate have enough practical experience with Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR) products and processes, the main solutions they would be using daily?
Related questions are equally important: Can they prioritize detections and incidents well enough? Are their risk assessment skills on target, despite the false positives and “noise” that often stem from too many default rules? Can they write custom rules relevant to the employer’s network and ecosystem? How do they handle alert fatigue? How familiar are they with the tactics, techniques, and procedures (TTPs) of attackers targeting the business’s vertical?
These concerns extend from the interview right down to the company’s actual Security Operations Center (SOC) or admin desk. They are of perpetual concern for any business that wants to take its security seriously.
The truth is that as much as detection and response tools are proven to provide a powerful set of insights into a network and its endpoints, their use is demanding. Frankly, experienced admins are even harder to secure than cost-effective products. Thus, when hiring a security admin or security operations center staff, organizations have to ensure that those staff can efficiently and fluently leverage expensive detection and response tools and the insights they produce.
Closing the skills gap with the right tools?
Bridging the skills gap between a top security admin and a novice, and maturing that novice into a pro, may be achieved by supplying them with the additional understanding needed to classify threats and prioritize mitigation. Supporting a team most effectively in this regard means reducing the burden of analyzing and interpreting the dashboard data concerning network detections.
Modern AI-native solutions can greatly help young professionals here by contextualizing and prioritizing those detections that are highly suspicious and deserve some “special” treatment. Such a solution can not only trace potential threats to their sources but also give a wider context, eliminating the frustrating experience of having to sift through endless amounts of notifications and configurations.
Security operators who can locate the right correlations on a dashboard, thanks to better transparency into the processes behind those factors, gain experience on the spot, grow in confidence, and in the end become skilled security defenders who can easily look beyond the usual categorization of detections, rules, triggers, and the like within EDR and XDR solutions.
However, identifying the right product, one that offers great visibility and transparency into its processes, a low total cost of ownership (TCO), and features that support skill maturation, then becomes a critical part of decision-making for any hiring party, including CISOs and HR personnel. Many of these important qualities are explored in depth in tests by third-party analysts such as AV-Comparatives or SE Labs, so finding a fit that combines the right tools for experience building should not be too high a hurdle, though it still requires some time investment for research.
Alternatively, that time could be invested in searching for other solutions, those that come with personnel from the get-go, which might mean contracting a managed security service provider (MSSP) or a security vendor for managed detection and response (MDR). This pairs the knowledge of security professionals with an intimate understanding of the products they operate, a powerful combination that leapfrogs both the hiring of expensive professionals and the need to train them.
The cost of doing business
Companies expect a tangible return on investment when they acquire both detection and response tools and the staff to operate them. Thus, features that significantly enhance the analytical capabilities needed by security administrators, threat hunters, and security operations center (SOC) teams in general are critical to ensuring a positive ROI. Ultimately, if staff can apply their expertise more easily, they can earn an organization’s confidence in their demonstrated ability to analyze events effectively and prioritize protection decisions correctly for a prevention-first approach.
In the end, a key goal for security engineers is to become familiar with their organization’s systems and prioritize protection accordingly. This is in addition to basic security practices, which should always be in place. Leveraging detection and response is about gaining intimate knowledge of your environment so that your organization can mature in its security posture.
To do so, a company does not need to look further than its own talent, which in itself holds hidden security potential. But even then, if in-house talent growth is slow, alternate solutions like MDR might be what satisfies even the most demanding security operation.
by Mark Szabo, ESET