The risk of suffering a security breach is no longer a question of ‘if’ or even ‘when’ – it is a question of ‘how often’. In the UK the number of cybercrime victims per million internet users was heading for 5000 last year, up 40% from just two years before. In response, organisations naturally look to technology, automation and AI-based solutions to deliver their primary prevention and mitigation strategies. What is often overlooked is the crucial role human expertise plays in defeating the wide range of malicious activity that is now part and parcel of everyday IT operations. Without a holistic approach, organisations will find it increasingly difficult to build the resilience required to meet the varied challenges they face.
Indeed, cyber resilience is one of the pillars of the UK’s National Cyber Strategy, published late last year, and without it the UK “cannot hope to take full advantage of the transformational potential of digital technologies.” This is not simply a matter of deploying more cybersecurity technology, because, as the strategy document rightly points out, “The cyber domain is a human-made environment and is fundamentally shaped by human behaviour. It amplifies such behaviours for better or worse, the impacts of which are usually also felt in the physical world.”
Automation – an Aid but Never a Replacement
With these issues front of mind, where are we heading? Many businesses have started to integrate technology fully into their security processes, assuming it will improve overall effectiveness. Tools such as Static Analysis (SAST), Dynamic Analysis (DAST) and Software Composition Analysis (SCA) offer a scalable approach to security testing. AI promises to accelerate them, allowing vulnerabilities to be detected and fixed earlier in the SDLC, and their economic model allows an application to be tested continuously, at the speed of development. Each of these approaches examines the lines of code of an application, or the messages exchanged by a running service, one finding at a time. This is what I call a reductionist approach to cybersecurity.
But ask yourself this – how are cybercriminals actually discovering and exploiting systems? They certainly use tools, and may automate parts of the work, but the majority of breaches are driven by skilled humans at keyboards. From reconnaissance to exploitation the process is largely manual, relying on techniques such as vulnerability chaining (combining several low-severity findings into one high-impact attack), business logic flaws, and security misconfigurations in poorly understood cutting-edge services. Cybercriminals look at an organisation holistically, not one finding at a time.
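To make concrete the kind of flaw a scanner misses and a person finds, here is an added example (not code from the author or from any product mentioned on this page): a constructed checkout routine whose only defect is a business rule, shown beside a hardened version. The catalogue, prices and coupon are invented for the illustration. There is no injection, overflow or vulnerable dependency for SAST, DAST or SCA to flag; the bug is that the server trusts the sign of a client-supplied quantity.

```python
# Added example for this article (not the author's or any vendor's code): a checkout
# with a business logic flaw beside its hardened form. All data here is constructed.
from dataclasses import dataclass

# Constructed sample catalogue: prices in pence, plus one percentage coupon.
CATALOGUE = {"widget": 1000, "gadget": 2500}
COUPONS = {"SAVE10": 0.10}
MAX_QUANTITY = 100


@dataclass
class LineItem:
    sku: str
    quantity: int


def total_vulnerable(items, coupon=None):
    """Sum the basket. Every value is a typed int or a known dictionary key, so the
    code looks clean to a scanner, yet it trusts the sign of the client's quantity."""
    subtotal = 0
    for item in items:
        # A negative quantity silently credits the basket instead of charging it.
        subtotal += CATALOGUE[item.sku] * item.quantity
    if coupon in COUPONS:
        subtotal -= int(subtotal * COUPONS[coupon])
    return subtotal


def total_hardened(items, coupon=None):
    """Same calculation with the business invariants enforced server-side:
    known SKU, integer quantity in a sane positive range, known coupon, positive total."""
    if not items:
        raise ValueError("empty basket")
    subtotal = 0
    for item in items:
        if item.sku not in CATALOGUE:
            raise ValueError(f"unknown sku {item.sku!r}")
        # type() rather than isinstance() so that bool (a subclass of int) is rejected too.
        if type(item.quantity) is not int or not 1 <= item.quantity <= MAX_QUANTITY:
            raise ValueError(f"quantity out of range for {item.sku!r}")
        subtotal += CATALOGUE[item.sku] * item.quantity
    if coupon is not None:
        if coupon not in COUPONS:
            raise ValueError("unknown coupon")
        subtotal -= int(subtotal * COUPONS[coupon])
    if subtotal <= 0:
        raise ValueError("total must be positive")
    return subtotal


def hardened_rejects(items, coupon=None):
    """True when the hardened checkout refuses the basket."""
    try:
        total_hardened(items, coupon)
    except ValueError:
        return False if False else True
    return False


def refund_from_negative_quantity():
    """The attacker's basket: one cheap item bought, one expensive item 'sold back'.
    Returns the amount the vulnerable code says is owed (negative = merchant pays)."""
    basket = [LineItem("widget", 1), LineItem("gadget", -1)]
    return total_vulnerable(basket), basket


if __name__ == "__main__":
    owed, basket = refund_from_negative_quantity()
    print(f"vulnerable total: {owed} pence (merchant pays the customer)")
    print(f"hardened checkout rejects the same basket: {hardened_rejects(basket)}")
```

Note that neither function contains a pattern a rules-based scanner recognises; the flaw only exists relative to the business rule "a customer cannot sell goods back through the checkout", which a human reviewer or tester has to know and think to try.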
Beyond Automated Solutions – The Layered Approach
Organisations are better served by adopting a layered approach to cybersecurity, one that keeps a human in the loop whenever security is tested. A holistic programme combines automation with the most effective human skills at each stage of the lifecycle: code review in development, penetration testing in staging and a bug bounty in production.
It is important to stress the crucial role the ethical hacking community plays in identifying, sharing and mitigating emerging vulnerabilities and threat actor tactics. In organisations everywhere, human security experts uncover vulnerabilities that traditional tools and testing miss. In fact, nearly 85% of bug bounty programmes surface one or more high or critical vulnerabilities, while 92% of hackers report that they can find vulnerabilities scanners cannot.
The best way to prevent getting hacked is to invite ethical hackers to hack you first.
Bridging the Cyber Talent Gap
Arguably, the biggest illustration of the importance of human skill sets within the cybersecurity context comes from the dearth of talent seen in cyber teams and organisations worldwide. The 2022 (ISC)² Cybersecurity Workforce Study, for instance, found that there is a global workforce gap of 3.4 million people. In the US specifically, there are currently just over 1.1 million people employed in the cybersecurity industry but also over 750,000 job openings, according to CyberSeek.
This comes at a time when, according to the World Economic Forum, “59% of business leaders and 64% of cyber leaders ranked talent recruitment and retention as a key challenge for managing cyber resilience.”
While this challenging situation is one of the key drivers behind the push for greater automation, it also underlines the fact that a combination of human and tech-led capabilities offers organisations the best and most practical approach to building an effective security strategy.
Human Intelligence and Automation, Hand in Hand
At a time when cyber threats are evolving at an alarming rate and threat actors are building a huge criminal industry on extortion and theft, organisations must continually evolve their approach to security to keep pace with the speed of change. Without the human touch, network infrastructure and data assets will remain extremely vulnerable, even with a comprehensive suite of automation technologies in place. Cybercriminals will keep looking for ways into an organisation’s systems without its permission. The best way to prevent a security breach is to invite ethical hackers to hack you first: in a code review, in a pentest and in a bug bounty.