People, Process, and Technology Challenges with Security Operations
These days, it’s tough for any organization to keep up with cybersecurity operations. Why? Well the bad guys are pretty persistent for starters, launching a blitzkrieg of attacks and new types of exploits all the time.
Okay, hackers are relentless but we’ve always known this and their behavior isn’t likely to change anytime soon. What’s really disturbing, however, is that a lot of problems associated with cybersecurity are based upon our own intransigence. And organizations aren’t struggling with one issue, rather, cybersecurity operations challenges tend to be spread across people, processes and technology.
Security Operations: The Challenges
When it comes to security operations, it’s kind of a ‘death by a thousand cuts’ situation. Here’s some recent ESG research that backs up this conclusion. When asked to identify their biggest security operations challenges:
35% of cybersecurity professionals say “keeping up with the volume of security alerts.” These organizations may not have enough security people or the right skills in place to separate the security alert wheat from the chaff, or the right processes to investigate and prioritize alerts in an efficient manner. Oh yeah, their technology likely needs tuning to eliminate some loose alerts while the alerts themselves need more enrichment, synthesis, and analysis to filter out some of the noise. Security technologies must also contextualize and enrich security alerts to do some of the heavy lifting for security analysts.
29% of cybersecurity professionals say “security tools are not well integrated.” This is likely a historical technology problem as best-of-breed security tools weren’t always designed for security operations in the past. It could also be a people problem, however, as many firms don’t have the right resources to write custom code to glue tools together or craft scripts for integration.
25% of cybersecurity professionals say “security processes are too informal and depend upon the skills and techniques of a few key employees.” I’ve seen this one too often – organizations are willing to leave difficult security tasks to cybersec superstars with no questions asked. Unfortunately, this creates a real problem when these key staffers walk out the door and take their homegrown security operations methodologies with them.
25% of cybersecurity professionals say “maintaining the right skills needed for security operations.” Of course, this is related to the global cybersecurity skills shortage as CISOs can’t hire their way out of this mess. Additionally, it is also due to the fact that many organizations simply don’t keep up with the right level of training for cybersecurity staff. For example, a 2016 research project from ESG and the Information Systems Security Association (ISSA) revealed that 56% of cybersecurity professionals believe their organizations should be providing more training so the cybersecurity team can keep up with business and IT risks. If your people don’t have the right training, all the technology and processes in the world won’t matter.
24% of cybersecurity professionals say “coordinating security operations between the cybersecurity and IT operations staff.” Clearly, there is an organizational issue here but these two groups often use their own tools and reports so they are never actually ‘singing from the same hymn book.’
Solving the Security Operations Problems
As you can see, there are plenty of problems to go around, so ripping and replacing technology is an incomplete solution at best. A more comprehensive approach must involve:
- Process formalization, orchestration, and automation. Processes need to be formalized and well documented – the NIST 800 series could be helpful here. Furthermore, CISOs must figure out how to orchestrate security operations processes including machine-to-machine, machine-to-human, and human-to-human handoffs. Finally, process automation should be employed, especially around simple tasks like gathering data or blocking malicious IoCs.
- Continuous training. CISOs must ensure that their people are in constant education mode while cybersecurity professionals must take it upon themselves to stay current with their education. Note that cognitive computing tools like IBM Watson for cybersecurity can help augment staff and skills shortages here.
- Organizational affinity. CISOs and CIOs must get together to make sure that security and IT operations teams have the right organizational models, goals, and compensation in place so they work in concert, not in conflict.
- A security technology architecture. Security tools must work together collectively to analyze data and automate tasks. ESG calls this a security analytics and operations platform architecture (SOAPA). Every organization should be planning or undertaking SOAPA projects at this point.