After a week away from all things cybersecurity, I’m back at work and focusing on security analytics and operations again. Alarmingly, most organizations readily admit to problems in this area. A recent ESG research survey of 412 cybersecurity and IT professionals (Cybersecurity Analytics and Operations in Transition) identified some of the biggest security analytics and operations challenges, including the following:
- 30% of respondents say that their biggest cybersecurity operations challenge is the total cost of operations (TCO). What does this mean? Based upon my qualitative interviews with CISOs as part of this project, many organizations are spending lots of money on security operations but attaining marginal results. CISOs are willing to invest more but want to see vast improvements in security operations efficacy and efficiency for their money.
- 27% of respondents say that their biggest cybersecurity operations challenge is that the SOC team spends most of its time on high priority/emergency issues and not enough time on strategy and process improvement. Imagine the work environment at these organizations – constant firefighting, high stress, employee burnout, and staff attrition. This alarming situation is not exactly a recipe for success.
- 23% of respondents say that their biggest cybersecurity operations challenge is that it takes too long to remediate security incidents. Many of these firms have too many manual processes or a rocky relationship between security and IT operations teams. Either way, lengthy remediation cycles leave organizations at risk.
- 21% of respondents say that their biggest cybersecurity operations challenge is that their organization does not have the tools and processes in place to operationalize threat intelligence, making it difficult to compare on-premises security issues with what’s happening “in the wild.” Operationalizing threat intelligence remains a difficult task, requiring advanced skills and the right tools. This is one reason why threat intelligence platforms (TIPs) and managed services are gaining traction.
- 21% of respondents say that their biggest cybersecurity operations challenge is that their organization doesn’t have the appropriate skills or staff size to keep up with all the tasks associated with security analytics and operations. Ah, the global cybersecurity skills shortage rears its ugly head yet again. Little wonder, then, that security services revenue is growing twice as fast as security product revenue.
- 21% of respondents say that their biggest cybersecurity operations challenge is that their organization has added new network hosts, applications, and/or users, so it is difficult for the cybersecurity team to keep up with the scale of their IT infrastructure. In this case, IT and cybersecurity priorities remain out of sync. Here’s one of Oltsik’s laws: ‘When you ask the cybersecurity staff to play catch up, it never, ever actually catches up.’
- 21% of respondents say that their biggest cybersecurity operations challenge is that security alerts don’t provide enough context or fidelity, so it’s difficult to know what to do with them. This is one reason why the industry is gaga over automation/orchestration tools, as they can help combine, enrich, and contextualize the increasing flood of prosaic security alerts.
As the ESG research indicates, when it comes to cybersecurity operations, many organizations suffer from ‘death by a thousand cuts’ syndrome, with multiple issues across people, processes, and technologies. Given this, CISOs should think in terms of three-year strategic security operations planning rather than adding the latest next-generation security tool and only exacerbating operational inefficiencies.