Security Staff Acquisition & Development

Addressing Security Analytics and Operations Issues

Author: Jon Oltsik

Security budgets are up in 2017 and in many cases, dollars are earmarked for enhancing security operations. According to recent ESG research, 81% of cybersecurity professionals agree that improving security analytics and operations is a high priority at their organizations.

So, what exactly needs improving? The research also provides visibility into where things are lacking. For example:

  • 72% of survey respondents strongly agree or agree with the statement: My organization’s security analytics and operations are anchored by a few key individuals. Of course, these individuals are in high demand and could easily increase their compensation by 20% or so elsewhere. CISOs must do all they can to retain these key individuals with financial, educational, career-building, and lifestyle incentives.
  • 64% of survey respondents strongly agree or agree with the statement: It is difficult to keep up with security analytics and operations due to the number of new IT initiatives in progress. In these instances, the security team is asked to “bolt on” security once new IT initiatives are ready for production. Alleviating this issue really depends upon security teams getting more involved in the business itself.
  • 63% of survey respondents strongly agree or agree with the statement: Security analytics and operations processes are not as formal as they should be. In this case, key individuals take over security operations with their own methodologies and everyone else gets out of the way. Unfortunately, informal processes like these don’t scale or help new employees. CISOs must study formal cybersecurity frameworks like ISO and NIST, pick the most appropriate aspects, build their own documented frameworks, and follow them religiously.
  • 60% of survey respondents strongly agree or agree with the statement: Security analytics and operations effectiveness is limited because it is based upon too many manual processes. In this case, CISOs must assess and document these processes, create formal runbooks, and then use automation/orchestration technologies to improve operational efficiency. Addressing this reliance on manual processes has caused a flurry of activity in the technology market. Witness IBM’s acquisition of Resilient, FireEye’s grab of Invotas, Rapid7’s purchase of Komand, and Microsoft’s stealthy procurement of Hexadite.
  • 59% of survey respondents strongly agree or agree with the statement: Security analytics and operations effectiveness is limited due to problems in the working relationship between the cybersecurity and IT operations teams. If you want to know why ServiceNow has been so successful with SaaS for incident response, look no further than this data point. Security and IT operations teams often have different goals, metrics, and compensation plans, causing the two groups to clash on collaboration. CISOs and CIOs need to provide leadership here. It doesn’t hurt when the two teams are “singing from the same hymn book” as well, so common tools or an integrated architecture (as ESG has identified with SOAPA) can also be beneficial.
  • 58% of survey respondents strongly agree or agree with the statement: Security analytics and operations effectiveness is limited because of employee skills gaps. Once again, the global cybersecurity skills shortage is in play. Other than hiring and training, CISOs must look for new types of intelligent security analytics technologies, automate/orchestrate security operations processes, or find managed service providers who can fill these gaps to bolster the productivity of the existing cybersecurity staff.

Security analytics and operations is complex work that requires more than just a crackerjack staff. Formal processes, process automation/orchestration, and strong collaboration across security and IT should be top priorities for all CISOs.

Jon Oltsik is an ESG senior principal analyst and the founder of the firm’s cybersecurity service.