Security Experts:

Connect with us

Hi, what are you looking for?


Incident Response

Security Pros Know What They Need to Do, But Constrained by Lack of Resources

A new survey report describes security teams as trapped by a lack of resources into continuing what they have been doing (which, from empirical evidence, clearly is not working) rather than migrating their efforts to what they believe they should be doing (risk analysis and threat modeling).

A new survey report describes security teams as trapped by a lack of resources into continuing what they have been doing (which, from empirical evidence, clearly is not working) rather than migrating their efforts to what they believe they should be doing (risk analysis and threat modeling).

The survey, by Dimensional Research for Netenrich, questioned 333 IT professionals and executives from medium to large companies and asked about current security practices and planned improvements. While the general sweep of the report is clear, there are nevertheless a few problems in the details.

For example, the report suggests that security resources remain modest at around 30% of IT budgets. Yet Deloitte reported in 2020 that financial services allocated an average of less than 11% of the IT budget, while AT&T also reported in 2020 (following an informal survey), “Most [security budgets] seem to be a subset amount carved out of total IT budget. Typically, around 3-5%.” On that basis, a figure of around 30% would appear to be a substantial increase over the last couple of years – more worthy of praise than complaint.

This apparent anomaly may be indicative of the primary problem with all surveys – they tend to include too much subjectivity. Survey conductors attempt to limit subjectivity as far as possible, but with only variable success. For example, one question asked of the respondents was, “How long can your company be down (outage) from an attack before experiencing major damage to your business?”

Eighty-three percent said 24 hours or less. But what would constitute ‘major damage’ is not defined, and might mean different things to different respondents. This is further aggravated by the ‘executive briefing’ defining this as, “83% of companies suffer crippling business damage if they are down for 24 hours or more.” There is no attempt to define ‘crippling business damage’. However, despite this lack of clarity, the general drift is clear: suffering an outage (such as a ransomware attack, which is the respondents’ most concerning attack vector) is very bad for business.

All surveys need to be read with a pinch of analytical salt by the reader. That said, the report highlights a disconnect between what security professionals are actually doing to improve their security posture, and what they would like to do. 

Unsurprisingly, 99% of respondents wish to improve their security posture. Sixty-seven percent of respondents intend to upgrade tools – something they say is being thwarted by integration issues, lack of expertise, and too many tools. Only 35% intend to grow their team numbers (the report does not explain the reason for this, but it may partly be due to the skills gap and cost of expertise rather than preference).

However, the top response for what the respondents would like to do is risk management, followed by incident analysis and threat modeling. This suggests a philosophical shift from reactive to proactive security held back by a lack of resources and existing product investments. The research suggests less than 40% of companies perform threat modeling today and only 30% practice external attack surface management.

The three most time-consuming security tasks are patching and reconfigurations (43%), triaging incidents (41%), and noise reduction by removing false positives (40%).

Forty-seven percent of the respondents employ an MSP, which is a growing response to lack of local resources. However, only 17% of the MSPs are conducting the threat modeling that the respondents would like to see.

Virtual EventSecurity Operations Summit | Dec. 8, 2021 ]

“Being able to prioritize threats according to their potential impact on the business goes a long way toward managing risk. Among the impacts they fear, most respondents cited loss of data and weakening customer relationships. This, combined with the findings about outages leading to significant damage very quickly makes a strong case for improving resilience with a focus on high-value assets,” said John Bambenek, principal threat hunter at Netenrich. 

“Developing a rich, continuous threat modeling practice marks a powerful juncture in pivoting from event- or alert- to risk-driven cybersecurity. When those surveyed were asked to elaborate on the value of threat modeling, respondents expressed a clear desire to become more proactive and to determine the likelihood and cost of an attack succeeding,” he said.

San Jose, Calif-based Netenrich was founded in 2003 by Raju Chekuri. It offers an AI-backed SaaS platform known as Resolution Intelligence to improve tools and incident response effectiveness.

Related: SOCs Suffer Under Volume of Data, Alerts: Report

Related: CISA Reminds of Risks Connected to Managed Service Providers

Related: GreyNoise Raises $4.8 Million in Seed Funding to Combat Alert Fatigue

Related: Are Overlapping Security Tools Adversely Impacting Your Security Posture?

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Twenty-one cybersecurity-related M&A deals were announced in December 2022.