Decision Fatigue is Real - In Life and In Security

“The world is your oyster!” “The sky’s the limit!” Those may sound like encouraging words, but according to ‘millennial therapist’ Tess Brighman the biggest complaint among millennials is having so many choices that they struggle to make decisions. Why is this such a problem for this group? Information overload. 

Think about it. Born between 1981 and 1996, this is the first generation to grow up with information at their fingertips. At the beginning of the era, personal computers and access to the Internet were taking off. Towards the end, mobile devices and smart phones were emerging. Millennials have been bombarded with information for their entire lives and now decision fatigue is setting in. They feel stressed and overwhelmed as they grapple with the pressure to succeed and worry that they aren’t making the right choices.

Sound familiar? Millennials aren’t the only ones who suffer from decision fatigue. As I’ve written before, security analysts struggle to make sense of too much data. Most organizations have more internal system data than they know what to do with from sources including the security information and event management (SIEM) system, log management repository, case management systems and security infrastructure. On top of that, threat intelligence must be considered. They are bombarded with millions of threat-focused data points from multiple data feeds, some from commercial sources, some open source, some industry and some from their existing security vendors.

Ignore some of the data and you worry you’ve missed something important. Try to use all the data available and you become exhausted and still worry that you aren’t making the right decisions. You need to pare down the massive volume of data by eliminating the noise so that you can understand where to focus and what needs to be done. To do this, start by correlating events and associated indicators from inside the environment with external data on indicators, adversaries and their methods, to gain the context to understand the who, what, where, when, why and how of an attack.

With context you can now prioritize based on relevance to your environment. But what is relevant to one company may not be to another. It is important to be able to assess and change risk scores automatically based on parameters you set instead of relying on the global risk scores some vendors provide. This allows you to focus on what really matters to your organization rather than wasting time and resources chasing ghosts.
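One way to implement the correlation and organization-specific scoring described above, as an added example that is not from the original article. The feed entries, events, field names, weights and threshold are all constructed for illustration.

```python
# Added illustration: all data, field names and weights below are constructed.
FEED = [  # external threat intelligence, each with a vendor-assigned global score
    {"indicator": "203.0.113.7", "vendor_score": 90, "source": "open_source",
     "adversary": "ACTOR-A", "targets": {"retail"}},
    {"indicator": "198.51.100.23", "vendor_score": 55, "source": "industry",
     "adversary": "ACTOR-B", "targets": {"finance"}},
    {"indicator": "bad.example.net", "vendor_score": 70, "source": "commercial",
     "adversary": "ACTOR-C", "targets": {"energy"}},
]
EVENTS = [  # internal sightings, e.g. exported from the SIEM
    {"host": "kiosk-17", "indicator": "203.0.113.7", "asset": "workstation"},
    {"host": "pay-db-01", "indicator": "198.51.100.23", "asset": "crown_jewel"},
    {"host": "web-03", "indicator": "192.0.2.44", "asset": "server"},
]
ORG = {  # parameters the organization sets for itself (hypothetical values)
    "industry": "finance",
    "industry_boost": 1.2,
    "source_weight": {"commercial": 1.0, "industry": 1.0, "open_source": 0.6},
    "asset_weight": {"crown_jewel": 1.5, "server": 1.0, "workstation": 0.7},
    "threshold": 50,
}

def correlate(events, feed):
    """Keep only internal events whose indicator appears in external intel."""
    intel = {entry["indicator"]: entry for entry in feed}
    return [(e, intel[e["indicator"]]) for e in events if e["indicator"] in intel]

def org_score(event, entry, org):
    """Re-score a vendor's global score using organization-set parameters."""
    score = entry["vendor_score"] * org["source_weight"].get(entry["source"], 0.5)
    if org["industry"] in entry["targets"]:
        score *= org["industry_boost"]
    score *= org["asset_weight"].get(event["asset"], 1.0)
    return min(100, round(score))

def prioritize(events, feed, org):
    """Return correlated events, highest organization-specific score first."""
    rows = []
    for event, entry in correlate(events, feed):
        score = org_score(event, entry, org)
        rows.append({"host": event["host"], "adversary": entry["adversary"],
                     "vendor_score": entry["vendor_score"], "org_score": score,
                     "actionable": score >= org["threshold"]})
    return sorted(rows, key=lambda r: r["org_score"], reverse=True)

if __name__ == "__main__":
    for row in prioritize(EVENTS, FEED, ORG):
        print(row)
```

With these sample values, the indicator the vendor scored highest drops below the action threshold, while the lower-scored one seen on a critical asset rises to the top of the queue.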

The right data, and confidence in that data, leads to better decisions and actions. With fewer distractions from noise and false positives, you can spend more time analyzing and understanding what’s important and make better decisions. Now you can work more efficiently and effectively. As confidence in your decisions and the actions you are taking grows, you can move faster and accelerate security operations by incorporating automation.

Much has been written about security orchestration, automation and response (SOAR) tools to automate certain processes within security operations. In a sign that the category is maturing and expanding, Gartner recently issued its first SOAR Market Guide, including vendors that approach SOAR from different perspectives. A process-driven approach, for example using playbooks to automate response, works well when you have high confidence in the data being used and the decisions that need to be made. However, the reality is that the confidence level for full automation is not there most of the time. If you start automating noise, the result will be amplified noise. A data-driven approach gives you greater confidence that you’re automating the right things. Fatigue fades and security operations becomes more efficient and effective when you know that decisions and actions are based on the right data.

Information overload is real and can have ripple effects. For millennials it can translate into not knowing which career path to take, where to live, how to manage money, even who to marry. For security professionals and the organizations they work for, it can mean missing damaging threats, burnout and turnover. Fortunately, if you start by paring down the amount of data to focus on what is relevant, you can overcome decision fatigue and move forward with confidence. 

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Phantom Cyber.