
Security Incident Response Teams Getting Short End of Budget Stick

Responding to a security threat is just as important as detecting it – if not more so.


Yet Computer Security Incident Response Teams (CSIRTs) are often given short shrift in security budgets – a lack of attention that a new study argues may be traceable to poor communication between security teams and executives.

In a report sponsored by security vendor Lancope, Ponemon Institute found that half of the 674 IT and security professionals surveyed said that incident response represents less than 10 percent of their security budgets. For most (68 percent), the money allotted to incident response has not increased in the past two years.

Of the respondents who say their organization has a CSIRT, most said it has been in place for at least three years and has several employees assigned to it. However, these employees split time between supporting CSIRT activities and other job responsibilities. In fact, 45 percent said that their CSIRT had no full-time staff at all, and only 27 percent had more than one full-time employee.


“The findings of our research suggest that companies are not always making the right investments in incident response,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, in a statement. “As a result, they may not be as prepared as they should be to respond to security incidents.”

However, the business side of the house is often unaware of the realities of security. Eighty percent of respondents reported they don’t frequently communicate with executive management about potential cyber-attacks against their organization, and only 14 percent said their executive management takes part in the incident response process.

“We think there are two reasons for the communications gap between security teams and executive management – the first is that some organizations may be sheltering their leadership teams from bad news,” Tom Cross, Lancope’s director of security research, told SecurityWeek. “Everyone wants to tell the boss that things are going well instead of bringing problems to their attention and having to answer difficult questions about why those problems exist. Therefore, senior management may be operating in a bubble.”

“The second reason for the communications gap is that management may not be interested in information about cyber security threats – they may view that information as technical detail that isn’t relevant to the overall business,” he added.

Further complicating the issue is the fact that many businesses do not do a good job measuring the effectiveness of their response teams. Just 47 percent said they either do not assess the readiness of their incident response teams or do not do so regularly. Only 23 percent of respondents indicated that their organization has a predefined public relations and analyst relations plan in place in the event of a breach that needs to be publicly disclosed.

To measure the effectiveness of their programs, the study recommends organizations begin measuring three key metrics: mean time to detect a security event; mean time to know the root cause of the event; and the mean time to repair or recover from the event.

“These metrics can help an organization get a sense of how long it is taking to detect breaches and address them,” Cross said. “However, there are other metrics that are also important. Organizations should obviously be keeping track of how many incidents they are experiencing. These incidents can be categorized in terms of the type of threat they posed, how they attacked the organization, as well as how successful they were before they were identified and contained.”

“Keeping track of this kind of data can help an organization better understand where its weak points are and whether improvements in incident detection and response are having an impact on the overall cost of attacks,” he concluded.
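As an added illustration (not part of the study or the original article), the three recommended metrics can be computed from incident timeline records and broken down by incident category. The record fields, the sample incidents and the interval start points are assumptions made for this example; the article names the metrics but does not define where each interval begins.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not data from the study). None = milestone not reached yet.
INCIDENTS = [
    {"id": "IR-1", "category": "malware", "occurred": "2024-03-01T08:00",
     "detected": "2024-03-01T20:00", "root_cause": "2024-03-02T20:00",
     "recovered": "2024-03-03T20:00"},
    {"id": "IR-2", "category": "phishing", "occurred": "2024-03-05T09:00",
     "detected": "2024-03-05T11:00", "root_cause": "2024-03-05T15:00",
     "recovered": "2024-03-05T19:00"},
    {"id": "IR-3", "category": "malware", "occurred": "2024-03-10T00:00",
     "detected": "2024-03-11T12:00", "root_cause": None, "recovered": None},
]

# Assumed interval definitions: (start milestone, end milestone) for each metric.
METRICS = {
    "mttd": ("occurred", "detected"),    # mean time to detect
    "mttk": ("detected", "root_cause"),  # mean time to know the root cause
    "mttr": ("detected", "recovered"),   # mean time to repair or recover
}

def _hours(rec, start, end):
    """Hours between two milestones, or None if either is still missing."""
    if not rec.get(start) or not rec.get(end):
        return None
    delta = datetime.fromisoformat(rec[end]) - datetime.fromisoformat(rec[start])
    if delta.total_seconds() < 0:
        raise ValueError(f"{rec['id']}: {end} is earlier than {start}")
    return delta.total_seconds() / 3600

def response_metrics(incidents):
    """Mean hours per metric, overall ("all") and per incident category."""
    durations = defaultdict(lambda: defaultdict(list))
    counts = defaultdict(int)
    for rec in incidents:
        for group in ("all", rec["category"]):
            counts[group] += 1
            for name, (start, end) in METRICS.items():
                hours = _hours(rec, start, end)
                if hours is not None:  # open incidents do not skew the mean
                    durations[group][name].append(hours)
    report = {}
    for group, n in counts.items():
        report[group] = {"incidents": n}
        for name in METRICS:
            vals = durations[group][name]
            report[group][name] = round(sum(vals) / len(vals), 1) if vals else None
    return report

if __name__ == "__main__":
    for group, row in response_metrics(INCIDENTS).items():
        print(group, row)
```

Incidents that are still open contribute only to the metrics whose milestones they have reached, so an unresolved case is counted but does not distort the repair average.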

Related Reading: Preparing for the Inevitable Data Breach: Discussion

Related Reading: What Happens to Stolen Data After a Breach?

Related Reading: Technical, Management Challenges Facing Incident Response

Related Reading: Strategic Incident Response: The Art of Choreographed Reaction
