Security Incident Response Teams Getting Short End of Budget Stick

Responding to a security threat is just as important as detecting it – if not more so.

Yet Computer Security Incident Response Teams (CSIRTs) are often given short shrift in security budgets – a lack of attention a new study argues may be traceable to poor communication between security teams and executives.

In a report sponsored by security vendor Lancope, Ponemon Institute found that half of the 674 IT and security professionals surveyed said that incident response represents less than 10 percent of their security budgets. For most (68 percent), the money allotted to incident response has not increased in the past two years.

Of the respondents who say their organization has a CSIRT, most said the teams have been in place for at least three years and have several employees assigned to them. However, these employees split time between supporting CSIRT activities and other job responsibilities. In fact, 45 percent said that their CSIRT had no full-time staff at all, and only 27 percent had more than one full-time employee.

“The findings of our research suggest that companies are not always making the right investments in incident response,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, in a statement. “As a result, they may not be as prepared as they should be to respond to security incidents.”

However, the business side of the house is often unaware of the realities of security. Eighty percent of respondents reported they don’t frequently communicate with executive management about potential cyber-attacks against their organization, and only 14 percent said their executive management takes part in the incident response process.

“We think there are two reasons for the communications gap between security teams and executive management – the first is that some organizations may be sheltering their leadership teams from bad news,” Tom Cross, Lancope’s director of security research, told SecurityWeek. “Everyone wants to tell the boss that things are going well instead of bringing problems to their attention and having to answer difficult questions about why those problems exist. Therefore, senior management may be operating in a bubble.”

“The second reason for the communications gap is that management may not be interested in information about cyber security threats – they may view that information as technical detail that isn’t relevant to the overall business,” he added.

Further complicating the issue is the fact that many businesses do not do a good job measuring the effectiveness of their response teams. Just 47 percent said they either do not assess the readiness of their incident response teams or do not do so regularly. Only 23 percent of respondents indicated that their organization has a predefined public relations and analyst relations plan in place in the event of a breach that needs to be publicly disclosed.

To measure the effectiveness of their programs, the study recommends organizations begin measuring three key metrics: mean time to detect a security event; mean time to know the root cause of the event; and the mean time to repair or recover from the event.

“These metrics can help an organization get a sense of how long it is taking to detect breaches and address them,” Cross said. “However, there are other metrics that are also important. Organizations should obviously be keeping track of how many incidents they are experiencing. These incidents can be categorized in terms of the type of threat they posed, how they attacked the organization, as well as how successful they were before they were identified and contained.”

“Keeping track of this kind of data can help an organization better understand where its weak points are and whether improvements in incident detection and response are having an impact on the overall cost of attacks,” he concluded.

Written By

Marketing professional with a background in journalism and a focus on IT security.
