Technical, Management Challenges Facing Incident Response

Incident response is the part of security that organizations may wish they never had to think about, as it only comes in to play after an incident has happened.

However, a survey of CISOs and security technicians showed that the problem may be technical and not just managerial.

In a survey of 1,083 professionals in the U.S. and the EMEA, researchers at the Ponemon Institute found that 85 percent said incident response is hurt by the inability of point solutions to prioritize alerts as they come in. In addition, 74 percent said poor to no integration between security products negatively impacts response capabilities.

This study, sponsored by AccessData, comes on the heels of another study from Ponemon Institue released earlier this year that found that incident response represents less than 10 percent of the security budgets of half of those surveyed. Additionally, 80 percent said they don’t frequently communicate with executive management about potential cyber-attacks against their organizations.

“One reason is the difficulty in communicating technical information about security threats to executive management,” Larry Ponemon, founder of the institute, told SecurityWeek back in January. “Based on my experience with CEOs and boards, they want to be able to have information communicated succinctly and quickly. That is not easy when it comes to presenting technical security issues affecting the company. So they may not be invited to many executive meetings to conduct briefings. That is why the IT security function needs to work on how it informs management about what the risks are and what they are doing and need to do to mitigate security breaches.”

This lack of communication may exacerbate a lack of trust. In the most recent survey, 65 percent of respondents said that when a CEO and board of director asks a security team for a briefing immediately following an incident the briefing would be purposefully modified or watered down. Seventy-eight percent believe most CISOs would make a “best effort guess” based on limited information and would take action prematurely and report the problem resolved when that was actually not the case.

Sixty-one percent said an overwhelming numbers of alerts paralyzing efforts, and 86 percent said detection of cyber attacks takes too long. While 66 percent believe finding the root cause of prior incidents helps strengthen defenses, 38 percent say it could take a year and 41 percent say they would never be able to identify the root cause with certainty.

“CISOs are clearly saying their disparate tool sets are not keeping up with the threats they face,” said Craig Carpenter, chief cybersecurity strategist at AccessData, in a statement. “What they need is an incident resolution platform that doesn’t just integrate alerts from myriad point solutions, but makes intelligence actionable and automates significant portions of the IR process, allowing them to focus on the most pressing incidents.”