Cybersecurity professionals are more aware than most that their work doesn’t happen in a vacuum. Threats evolve constantly as external factors, from economic uncertainty to geopolitical tension, influence threat actors. The tools designed to combat threats evolve constantly too, and so do the skill sets and availability of security teams. This often puts security leaders in a reactive position of continuously adapting and responding to external and internal change. Tools and personnel are purchased and recruited at different times, all contributing in different ways to the overall strategy.
Periodically, however, it is useful to pause and assess the maturity of the components of your cybersecurity strategy. By understanding what tools, processes and teams you’re using, how you’re using them and what impact this has on your security posture, you can set a framework for progress that lets you absorb outside impacts while also proactively moving your approach in the direction it needs to travel.
Maturity models – lessons from the “hype cycle”
When we assess the state of cybersecurity maturity in the business, we’re really talking about three interdependent elements: the tools and technology we have in our locker, the processes we have developed and implemented around those tools, and the teams who are working with them.
Where analyzing tools maturity is concerned, one of the most well-known models is Gartner’s hype cycle. This tracks tools through the initial “innovation trigger”, through the “peak of inflated expectations” to the “trough of disillusionment”, followed by the “slope of enlightenment” and finally reaching the “plateau of productivity”.
When reviewing our in-house security tools and externally sourced feeds, we can usually place them on our own internal cycle. There are well-established, highly productive tools at the heart of the security stack. Then we have more recent acquisitions that are starting to deliver the outcomes that fit with our particular use case. These tools are beginning to add value to the organization. And there are the latest acquisitions, brought in to address a new threat or to increase efficiency, that may not yet be delivering the promised results.
This is a lifecycle that we have identified during research into cybersecurity automation that we have been conducting for the past three years in the US, UK, and Australia. As cybersecurity automation adoption has progressed in different geographies and sectors, we have seen enthusiasm wax and wane, then wax again. Finally, once organizations have overcome the challenges associated with implementing new technology and succeeded in identifying the use cases that deliver value for their business, we’re seeing cybersecurity automation as an effective, productive component of security strategy.
So, what questions should you ask when you review the security tools you have in the business? Firstly, decide where they sit on your internal adoption curve. How are you using them? Are you getting value from them? Did you just “set and forget” them or are they part of an iterative, continuous improvement process? Are they point solutions operating in a standalone capacity, or are they integrating with other tools? Are they well-used and valued by your team, or are they causing frustration due to poor tuning or implementation?
Processes – from primitive to powerful
Similarly, we can explore how our processes wrap around tools and whether they are tuned to deliver optimum efficiencies and outcomes. Regular process reviews are critical to maximizing the benefits of cybersecurity automation, for example.
Areas to explore include threat intelligence collection, prioritization, contextualization, and response processes. It is also worth evaluating the data the processes are working on to check that it is appropriate and comprehensive enough for the process to work effectively.
Look at whether existing processes can be streamlined or automated. Could the number of playbook runs be reduced to avoid wasted time and resources? Is the system tuned to learn and improve over time?
If the answer to any of these questions is “no”, or “we don’t know”, it is worth investing resources in process optimization.
Teams – from tactical to strategic management
The goal of refining tools and processes is ultimately to support teams to deliver a stronger and more responsive security strategy. Therefore, the third part of the maturity review must involve the impact these are having on people working in security teams.
As with security tools and process adoption, teams evolve through different maturity levels at different times – and they may move backward, as well as forward, as the business changes.
It’s uncommon for a security department to have all the resources it needs to function at the level it would like. There’s rarely enough time and skill, and attrition rates can be high in security teams because of the high-pressure environment analysts work in. Nevertheless, as organizations increase the maturity of their tools and processes, teams often follow suit. They get more accomplished through experience, through training and – if they are lucky – through additional headcount.
The process of maturation in personnel is often reflected in the way these teams are measured. Less mature teams tend to be measured on activity metrics and KPIs around how many tickets are handled and closed, for example. In more mature organizations the focus has shifted towards metrics like team satisfaction and staff retention. This has come through strongly in our research. Last year 61% of cybersecurity professionals surveyed said that the key metric they used to assess the ROI of cybersecurity automation was how well they were managing the team in terms of employee satisfaction and retention – another indication that it is reaching a more mature adoption stage.
Organizations with mature cybersecurity approaches understand that tools and processes need to be guided through the maturity path, but that the reason for doing so is to serve the people working with them. The maturity and skillsets of teams should also be reviewed, and members should be given the opportunity to add their own input. What is their experience of the tools and processes in place? Do they trust the outcomes they are getting from AI- and machine learning-powered tools and processes? If not, what are their principal concerns? What training or external support do they need? What use cases do they think could be automated or streamlined and where are their pain points right now?
Undertaking a cybersecurity maturity review helps leaders establish a benchmark from which to build a proactive improvement strategy. Understanding where the tools, processes, and teams sit on the cycle of adoption and efficiency enables leaders to supply the right support and investment to accelerate the path to productivity.