ESG just published a new research report titled, Cybersecurity Analytics and Operations in Transition, based upon a survey of 412 cybersecurity and IT professionals working at large midmarket (i.e., 500 to 999 employees) and enterprise (i.e. more than 1,000 employees) organizations in North America and Western Europe.
The data is quite interesting, to say the least, so look for lots of blogs from me over the next few weeks on a myriad of security operations topics we covered in this project. Furthermore, my esteemed colleague Doug Cahill and I are hosting a webinar this Wednesday, July 19. Feel free to attend, more details can be found here.
When I do end-user research on cybersecurity topics, I usually ask respondents a basic question: How are things today compared to 2 years ago? This research project was no exception and, as it turns out, 27% of survey respondents say that cybersecurity analytics and operations is much more difficult than 2 years ago while another 45% say that cybersecurity analytics and operations is somewhat more difficult today than 2 years ago.
All told, 72% of cybersecurity and IT professionals believe that cybersecurity analytics and operations is more difficult in 2017 than 2015. Why is this the case? The top reasons making things more difficult included:
- The threat landscape. Survey respondents admit that it has become extremely difficult to keep up with the volume, sophistication, and dynamic nature of cyber-threats. In many cases, cybersecurity teams don’t have the right skills to monitor and proactively respond to changing threats, which gives the bad guys a distinct advantage.
- Changing regulatory compliance demands. A constant stream of regulatory compliance mandates perpetually increases the workload on the security operations center (SOC) staff. With regulations like the New York State department of financial services and the general data protection regulation (GDPR) in Europe, regulatory rules and changes aren’t going to get any easier either.
- The growing volume of security alerts. Organizations are adding new tools for threat detection but this only increases daily security alert storms. Security analysts are then called upon to triage, investigate, and prioritize these alerts but in reality, all they can do is cherry pick and focus on obvious security incidents. This means that more difficult and stealthy attacks tend to go unnoticed.
- Gaps in security monitoring. To me, this one is pretty frightening. Cybersecurity professionals admit that there are systems, network segments, applications, devices, etc., that fall outside of the scope of their security monitoring tools and processes. To paraphrase the old business school adage, ‘you can’t secure what you can’t measure.’
After spending the last few months buried in this research, I’ve concluded that there is no one killer problem with organizations’ cybersecurity analytics and operations. Rather, cybersecurity analytics and operations suffer from ‘death by a thousand cuts.’ CISOs are often faced with organizational, process, and technology problems that keep getting worse.
When I chat with CISOs about this situation, they often lament that they know they have to do something to improve cybersecurity analytics and operations but aren’t sure where to start. What are the best practices here and what are leading-edge cybersecurity organizations doing to improve SOC efficacy, efficiency, and productivity? Doug and I will touch upon this in our webinar later this week. I’ll also continue to blog about what we learned in this research project, so stay tuned.