Security Pros Know What They Need to Do, But Constrained by Lack of Resources

A new survey report describes security teams as trapped by a lack of resources into continuing what they have been doing (which, from empirical evidence, clearly is not working) rather than migrating their efforts to what they believe they should be doing (risk analysis and threat modeling).

The survey, by Dimensional Research for Netenrich, questioned 333 IT professionals and executives from medium to large companies and asked about current security practices and planned improvements. While the general sweep of the report is clear, there are nevertheless a few problems in the details.

For example, the report suggests that security resources remain modest at around 30% of IT budgets. Yet Deloitte reported in 2020 that financial services allocated an average of less than 11% of the IT budget, while AT&T also reported in 2020 (following an informal survey), "Most [security budgets] seem to be a subset amount carved out of total IT budget. Typically, around 3-5%." On that basis, a figure of around 30% would appear to be a substantial increase over the last couple of years – more worthy of praise than complaint.

This apparent anomaly may be indicative of the primary problem with all surveys – they tend to include too much subjectivity. Survey conductors attempt to limit subjectivity as far as possible, but with only variable success. For example, one question asked of the respondents was, "How long can your company be down (outage) from an attack before experiencing major damage to your business?"

Eighty-three percent said 24 hours or less. But what would constitute 'major damage' is not defined, and might mean different things to different respondents. This is further aggravated by the 'executive briefing' defining this as, "83% of companies suffer crippling business damage if they are down for 24 hours or more." There is no attempt to define 'crippling business damage'. However, despite this lack of clarity, the general drift is clear: suffering an outage (such as a ransomware attack, which is the respondents' most concerning attack vector) is very bad for business.

All surveys need to be read with a pinch of analytical salt by the reader. That said, the report highlights a disconnect between what security professionals are actually doing to improve their security posture, and what they would like to do.

Unsurprisingly, 99% of respondents wish to improve their security posture. Sixty-seven percent of respondents intend to upgrade tools – something they say is being thwarted by integration issues, lack of expertise, and too many tools. Only 35% intend to grow their team numbers (the report does not explain the reason for this, but it may partly be due to the skills gap and cost of expertise rather than preference).

However, the top response for what the respondents would like to do is risk management, followed by incident analysis and threat modeling. This suggests a philosophical shift from reactive to proactive security held back by a lack of resources and existing product investments. The research suggests less than 40% of companies perform threat modeling today and only 30% practice external attack surface management.

The three most time-consuming security tasks are patching and reconfigurations (43%), triaging incidents (41%), and noise reduction by removing false positives (40%).

Forty-seven percent of the respondents employ an MSP, which is a growing response to lack of local resources. However, only 17% of the MSPs are conducting the threat modeling that the respondents would like to see.

"Being able to prioritize threats according to their potential impact on the business goes a long way toward managing risk. Among the impacts they fear, most respondents cited loss of data and weakening customer relationships. This, combined with the findings about outages leading to significant damage very quickly makes a strong case for improving resilience with a focus on high-value assets," said John Bambenek, principal threat hunter at Netenrich.

"Developing a rich, continuous threat modeling practice marks a powerful juncture in pivoting from event- or alert-driven to risk-driven cybersecurity. When those surveyed were asked to elaborate on the value of threat modeling, respondents expressed a clear desire to become more proactive and to determine the likelihood and cost of an attack succeeding," he said.

San Jose, Calif.-based Netenrich was founded in 2003 by Raju Chekuri. It offers an AI-backed SaaS platform known as Resolution Intelligence, intended to improve the effectiveness of security tools and incident response.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.