Q&A: Maximising and augmenting security analyst capability with artificial intelligence

New Zealand Security Magazine, April-May 2018

John Martin, Senior Security Architect & Security Practice Leader at IBM New Zealand.

John Martin is Senior Security Architect & Security Practice Leader at IBM New Zealand and President of the New Zealand Chapter of ISC2. He spoke to NZSM about how ‘new collar’ recruitment, micro-skills training and AI can solve the cyber skills shortage.

There is a global cyber security skills crisis, and it’s not getting any better. In New Zealand – as with many other countries – the rate of demand for cybersec professionals continues to outstrip supply. And with Bachelor degrees the minimum qualification preferred by most employers, a resolution looks remote.

NZSM: All reports point to a lack of skilled professionals in the cyber security labour market and a lack of graduates being produced by training programs. What are your thoughts on this?

JM: Our understanding of the current market is that there is a high demand for cyber security practitioners and looking across the recruitment agencies you can see that on both the commercial and government sides.

There is a lack of these specialists available in New Zealand, and worldwide there is a huge shortage. The latest statistics are pointing to the fact that by 2022 there will be 1.8 million unfilled cyber security jobs. This is why in IBM we’re actually advocating more of a ‘new collar’ approach to security hiring.

NZSM: What initiatives are you aware of in terms of addressing that challenge in the government and private sectors?

JM: From an IBM perspective, we are trying to change the perception of where the talent comes from away from the traditional methods. We’re using a ‘new collar’ approach, which is characterised by new employee profiles, new roles and new relationship perspectives. A recruit needn’t have a degree, but they obviously need to have an aptitude towards security and a mindset that puts them in those roles.

This approach has already had some success, especially in our security operations centres in the US. Since 2015 these ‘new collar’ cyber security professionals have actually accounted for about 20 percent of IBM’s hiring. We’ve brought them in and placed them into a working environment, mentored them and coached them to become professionals.

From that perspective, we would advocate that other organisations – especially in New Zealand – redefine their hiring models to identify people with the right attributes and skills – and give them a chance.

Because we’re realising that we can’t limit ourselves to just universities, we’ve identified the need to expand to community colleges and other education programs – so we now, for example, have a relationship with Unitec. It’s really about creating new partnerships to recruit the people we need.

We’ve also placed a real emphasis on ‘micro-skills’ and earning ‘badges’ to get the skills you need rather than completing a whole degree. IBM has partnered with Acclaim, and one of the things we have in IBM is something we call the ‘Think 40’. [It’s a program in which] everybody is encouraged to do at least 40 hours of personal development per year, if not more, for our certification.

During this digital transformation that all organisations are currently facing, it’s quite dynamic and we need new skill sets – like data science and cyber security – and we need to invest in people to get the best of people.

NZSM: Can one say that the idea of a three-year degree no longer appears to be something of continuing relevance for the sector, or is that perspective mistaken?

JM: Because of the levels of demand we need to build up the right skills and aptitude. Traditionally, people coming from the military or government-type roles have the right talent, and they have the right mindset, which in turn means they have the right level of integrity, ethics and trust.

What we’re saying is “let’s turn things upside down and encourage these people to stay with an organisation and then [at some point later] go on to university.”

Taking things a step further, this is where we see IBM’s Watson and security and artificial intelligence coming into play – the technology can supplement the people skills.

You can bring in ‘new collar’ people and using Watson you can augment their current capabilities and mentor, train and guide them.

NZSM: So, is the idea that we meet the skills shortfall by developing these people but at the same time increasing their effectiveness via AI capabilities such as Watson?

JM: Absolutely. Take the example of security analysts. From our last two years of doing this we have been able to measure a 60 percent increase in the effectiveness and efficiency of a security analyst’s ability to cope with the number of security events [they’re having to manage].

We’ve actually trained this system to understand the language of cyber security. It’s actually ingested more than a million documents on cyber security, intelligence etc. We’ve had to train it from the level of a toddler to a PhD and to be able to relate information directly to a human being using the natural language process we’ve applied.

The fact is that there are about 10,000 security research papers published each year and about 60,000 security blogs. If a security analyst can only read even a small percentage of these, you can see the great demand in terms of being able to holistically grab that information.

Watson can actually digest information and remember it, unlike you and me. It can look for the patterns and for different perspectives of what is happening within an organisation. It can understand structured and unstructured information and return that information in a natural language that a human being can actually process.

The key thing here is the quicker you identify that there has been an indicator of cyber compromise to your organisation you can analyse the impact on the organisation very quickly and therefore you can respond and avoid the significant financial impact of the organisation having to clean up afterwards.

Basically, Watson has a more holistic perspective. Where a security analyst may have identified “I’ve detected something in front of me,” Watson returns in a few minutes or a few seconds and says “In fact, the impact on your organisation is this”.

NZSM: One of the major issues in terms of cyber breaches is that lag time between the breach occurring and it being identified and treated. Can Watson play a role in actually identifying a breach or is it more in terms of working out what actually happened?

JM: We’ve had use cases whereby during the beta testing (with eight universities and about 40 beta partners) the security analyst actually detected a DDoS attack on the organisation. What the security analyst didn’t realise was that attack was actually a ‘blinder’ – a misdirection.

Watson was able to indicate to the security analyst “in fact you’ve been compromised, and this is how you’ve been compromised.” It gave a very full indication of how they’d actually been compromised – what the original attack did – despite the security analyst being unable to see it.