
Security teams under pressure

Brian Martin at Integrity360 explains why in-house incident response is struggling to keep pace with the threat landscape

 

To be effective, incident response (IR) has to be able to prioritise and escalate alerts based on risk. While automation can help, it’s essentially down to the security analyst to spearhead investigations and the CISO to oversee how incidents are dealt with. There is no getting away from the fact that humans are an integral part of the process.

 

But as threats ramp up, so too do alert volumes, and the sheer number of alerts security teams are now dealing with is leaving them overwhelmed.

 

A staggering 89% saw an increase in the volume of security alerts over the past 12 months according to a recent Integrity360 survey of over 200 IT security decision makers. Of these, 76% reported an increase of between 1-50% in alerts and 26% an increase of 26-50%. On average, teams are dealing with 61 alerts per week, which has risen by almost 30% compared to the same time last year. 

 

Yet this increase in threat activity is not being matched by an increase in resource. Insufficient budget was named as the top challenge by 31% of those questioned, indicating that many don’t feel there is enough investment, while 20% cited a lack of dedicated IR tools.

 

Furthermore, almost a quarter (23%) also highlighted the lack of IR skills and experience, revealing that the skills gap is now reaching crisis point. These deficits are creating mounting pressure on security teams, leading to a higher risk of compromise.

 

IR challenges

Upon closer inspection, however, it becomes apparent that different roles perceive there to be different challenges associated with IR. The complexity of the incident was the main focus for information security analysts (37%), followed by lack of board level understanding (33%) and untested incident response plans and processes (26%).

 

In contrast, for the CIO, after lack of budget (33%) it was lack of tools (30%) and then the complexity of the incident (28%). This seems to suggest that analysts feel unsupported in terms of the strategic lead coming from the C-suite.

 

With regard to concerns, chief among them was speed. Time is of the essence when it comes to incident response, and the pressure to reduce Mean Time to Response (MTTR) saw 40% citing this as the most stressful aspect. This was followed by the sense of responsibility (31%), taking the right initial steps in response (25%) and ensuring effective communication (25%). Interestingly, the fear of being wrong (24%) ranked higher than difficulty in diagnosing the incident (22%).

 

But again, looking at answers across the different roles proves revealing. The relentless need to focus upon the incident until it is resolved made the top three for information security analysts, with 26% finding this stressful. In contrast, just over a quarter of CIOs and CTOs fear being wrong compared to 19% of information security analysts, perhaps because the fallout from a poor response to a cyber incident could be worse or even catastrophic for them and their career. 

 

CIOs also reported feeling worried about pushback on the recommended response (30%) and feeling under pressure from the C-suite (28%), highlighting the fact that decisions weigh heavily upon them.

 

Dealing with the problem

What is clear is that, regardless of the part they play in the process, all are feeling more stressed and under-resourced due to rocketing volumes. To counteract this, organisations need to look again at their cyber-security spend and ringfence that which is dedicated to incident response.

 

Failing to allocate enough budget is undoubtedly a false economy as the financial and reputational ramifications of a breach will often outweigh any initial investment in cyber-security tools and processes. 

 

For those businesses that are struggling to keep on top of IR, it could be time to take a look at how they intend to provision the security team going forward. Technological advances such as Generative AI are liable to increase alert volumes still further by automating attacks and lowering the bar of entry for attackers, and continuing skills shortages will make it challenging to recruit to keep pace.

 

It’s estimated that 41% currently have an internal skills gap when it comes to IR, a figure which is trending upwards, from 27% in 2020, 32% in 2021 and 37% in 2022, according to the “Cyber security skills in the UK labour market 2023” report.

 

Addressing that skills gap will require some tough decisions. Do you build out your IR in-house and invest in training and expertise, perhaps even upskilling existing staff? Admittedly, this does carry the risk of staff leaving with their newfound skillsets, which are in high demand.

 

Or do you look to outsource to a Managed Security Services Provider (MSSP), taking the pressure off the security team, who can then apply their time and resources to other priorities? This does ensure access to an on-tap, scalable resource, multiple tools and an evolving offering, but will require time to be spent evaluating the merits of different providers.

 

What’s right for one company won’t necessarily be right for another, so looking at the metrics within the organisation itself is key. Consider the number of alerts, MTTR and types of attack the business is being subjected to in order to determine the right course of action.

 

But across the board it’s fair to say that the upward trajectory of alert levels shows no sign of slowing, making it imperative that the organisation takes action to alleviate the strain.

 


 

Brian Martin is Head of Product Development, Innovation and Strategy at Integrity360

 


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543