People, process and technology challenges with security operations

These days, it’s tough for any organization to keep up with cybersecurity operations. Why? Well, the bad guys are pretty persistent for starters, launching a blitzkrieg of attacks and new types of exploits all the time. 

OK, hackers are relentless, but we’ve always know this, and their behavior isn’t likely to change anytime soon. What’s really disturbing, however, is that a lot of problems associated with cybersecurity are based upon our own intransigence. And organizations aren’t struggling with one issue, rather cybersecurity operations challenges tend to be spread across people, processes and technology. When it comes to security operations, it’s kind of a “death by a thousand cuts” situation. 

Here’s some recent ESG research that backs up this conclusion. When asked to identify their biggest security operations challenges:

• 35% of cybersecurity professionals say, “keeping up with the volume of security alerts.” These organizations may not have the enough security people or the right skills in place to separate the security alert wheat from the chaff, or the right processes to investigate and prioritize alerts in an efficient manner. Oh yeah, their technology likely needs tuning to eliminate some loose alerts, while the alerts themselves need more enrichment, synthesis and analysis to filter out some of the noise. Security technologies must also contextualize and enrich security alerts to do some of the heavy lifting for security analysts.
• 29% of cybersecurity professionals say, “security tools are not well integrated.” This is likely a historical technology problem, as best-of-breed security tools weren’t always designed for security operations in the past. It could also be a people problem, however, because many firms don’t have the right resources to write custom code to glue tools together or craft scripts for integration. 
• 25% of cybersecurity professionals say, “security processes are too informal and depend upon the skills and techniques of a few key employees.” I’ve seen this one too often—organizations are willing to leave difficult security tasks to cybersecurity superstars with no questions asked. Unfortunately, this creates a real problem when these key staffers walk out the door and take their homegrown security operations methodologies with them. 
• 25% of cybersecurity professionals say, “maintaining the right skills needed for security operations.” Of course, this is related to the global cybersecurity skills shortage, as CISOs can’t hire their way out of this mess. Additionally, it is also due to the fact that many organizations simply don’t keep up with the right level of training for cybersecurity staff. For example, a 2016 research project from ESG and the Information Systems Security Association (ISSA) revealed that 56% of cybersecurity professionals believe their organizations should provide more training so the cybersecurity team can keep with business and IT risks. If your people don’t have the right training, all the technology and processes in the world won’t matter. 
• 24% of cybersecurity professionals say, “coordinating security operations between the cybersecurity and IT operations staff.” Clearly, there is an organizational issue here, but these two groups often use their own tools and reports so they are never actually “singing from the same hymn book.” 

As you can see, there are plenty of problems to go around, so ripping and replacing technology is an incomplete solution at best. A more comprehensive approach must involve:

• Process formalization, orchestration and automation. Processes need to be formalized and well documented—the NIST 800 series could be helpful here. Furthermore, CISOs must figure out how to orchestrate security operations processes, including machine-to-machine, machine-to-human and human-to-human handoffs. Finally, process automation should be employed, especially around simple tasks such as gathering data or blocking malicious IoCs.
• Continuous training. CISOs must ensure that their people are in constant education mode, while cybersecurity professionals must take it upon themselves to stay current with their education. Note that cognitive computing tools such as IBM Watson for cybersecurity can help augment staff and skills shortages here.
• Organizational affinity. CISOs and CIOs must get together to make sure security and IT operations teams have the right organizational models, goals and compensation in place so they work in concert, not in conflict. 
• A security technology architecture. Security tools must work together collectively to analyze data and automate tasks. ESG calls this a security analytics and operations platform architecture (SOAPA). Every organization should be planning or undertaking SOAPA projects at this point.