Allen Westley, CISSP, MBA
Pragmatic Leadership | Risk Management
Cognitive Fatigue - The Consequence of a Task Saturated Cybersecurity Workforce Trying to do Work Best Left to Computers
Current trends indicate the Department of Defense (DoD) is increasingly interested in how well Cleared Defense Contractors (CDCs) are protecting their equities. While we have frequently seen DoD Inspectors conduct their inspections of CDC sites on interval, I have noticed a new level of intensity and punitive consequences for poor inspection results in this era of data breaches, infiltration, ex-filtration, and insider threats. We operate in a space where adversaries are staging multi-prong attacks; social engineering, Phishing, Spear Phishing, Whaling, Insider attacks, Malware, Malicious Code, and Advanced Persistent Threats (APT). All of this and more as we become increasingly dependent on technology as a society. The lines between personal information and Organizational information have become blurred. Because of this we must assume that all information is at risk.
It is becoming clear that something is happening inside the CDC community. It has become increasingly difficult to keep qualified Cybersecurity professionals on any team. This challenge impacts our day to day battle rhythm. Leaders must split their attention between providing strategic direction for teams in the Cybersecurity Organization and finding ways to slowdown the turnover rate within those teams. There is a limited pool of qualified talent juxtaposed with a very competitive industry looking for that talent. I literally have seen people jump across 3 to 4 major defense contractors in the space of 2 years. What is the cause of this endless churn? Money, management, position, work-life balance…these causes have all been called out during exit interviews. Having seen these things being offered and declined as ways to stop cybersecurity professional from leaving; I can conclude with a strong level of confidence that those things are not the only reasons for such high turnover.
With such a high rate of turnover in the ranks, it is nearly impossible to develop a mature cybersecurity workforce that has a deep understanding of the Organization’s business objectives, historical trends, and the cybersecurity posture of systems processing the information they protect. There is a direct correlation between the abundance of data generated by information systems and the cognitive fatigue that continues to manifest itself within the cybersecurity workforce through high rates of turnover. I believe this is the underlying reason why so many are leaving their current positions looking to escape that fatigue. The reality of the situation is there is no place to run in DoD where the problem does not exist.
Articles written about the subject of cybersecurity workforce management suggest ways to relieve the problem through the use of more women in a male dominated field of Cybersecurity (Diversity), broadening the aperture on what constitutes a qualified cybersecurity professional (Do you really need to have a degree or a degree in Cyber?), and automation. These are all good suggestions and in some cases are already being used, but it has not stopped the hemorrhaging of talent.
CDCs have a very complex situation that contributes to the problem:
Clearance:
How to solve the complexity of attracting clearable talent and then getting them cleared to work on specific programs. The backlog on clearance processing and DoD customer approval pipelines for clearance, all delay getting qualified cybersecurity professionals on-boarded, in seats, and on systems.
Mounting frustration on the faces of cybersecurity professionals hired to do a job but are sitting on the bench while they wait to be cleared to a program adds to the challenge.
Technology:
The ability to leverage modern technology in ways that could take human error and cognitive fatigue out of the equations is very limited due to current isolated architectures. The way these siloed architectures work… forces CDCs to stand up siloed teams of cleared people to perform repetitive data review and analysis that would be far better suited for Security Information and Event Management (SIEM) tools leveraging machine learning and artificial intelligence to review the abundance of security data generated by the systems inside these siloed architectures.
Cybersecurity professionals efforts are better suited taking the actionable data pulled from information systems and building risk profiles and planning mitigation or remediation efforts to close or buy down the risks.
Modernization efforts resulting in exponential rates of data generation makes this siloed approach for cybersecurity workforce teams high risk and unsustainable.
Commercial Sector Attraction:
As the commercial sectors become “woke” to the threat of data breach inside their organizations, they view the frustration and high turnover in our community as an opportunity.
They can offer something to the disenchanted cybersecurity professionals sitting on the bench in their current role an opportunity to put their skills to work in a less restrictive environment that does not require a clearance. And yes, they are willing to pay to get that talent. Who knew you could make almost six figures working as an ISSO at Wendy’s.
The bottom line is clear, humans cannot do the analysis and correlations of 60,000 security log events every 15 minutes and expect to find anything actionable. There is no quantifiable number of people you can throw at this problem and fix it. Yet this is what we are faced with.
Technical solutions offered by SIEM tools operating in a siloed architecture will leave blind spots in the overarching security posture because they can’t build correlated events across all the siloed programs to deliver a comprehensive threat analysis.