83% of companies would suffer business damage during the first 24 hours of an outage and thereafter, which comes as no surprise with recent surges in ransomware and other attacks wreaking havoc across IT infrastructures, a Dimensional Research survey reveals.
Security teams doing reactive security tasks instead of being proactive
The survey also revealed interesting findings and contradictions when it comes to scaling security operations:
– When looking to upgrade their security posture, 67% focused on tool upgrades yet organizations found that tool integrations (55%), lack of tool expertise (52%) and tool sprawl (41%) were their biggest pain points.
– While security teams aspire to do more proactive and risk-driven operations, like risk management (37%), incident analysis (34%), threat modeling (29%), they spend most of their time doing foundational and reactive security tasks, like updating patches (43%), researching and analyzing critical incidents (41%) and removing false positives (40%).
Security teams are trapped doing the same thing they have been doing for years – reactive security. They’re adding more tools, needing more resources and chasing thousands of alerts while lacking the contextual data and prioritization that’s highly needed.
Companies want to do more threat modeling
The survey finds that companies want to do more threat modeling, incident analysis and risk management, however, very few employ it or even know how:
– Less than 40% perform threat modeling.
– Less than half conduct threat modeling on a daily (16%) or weekly basis (31%).
– Only 30% practice external attack surface management.
“Our industry has taken an IT internal view to security rather than an attack external view of security,” adds Bambenek. “Organizations need to shift mindsets, adopt a managed risk, not an IT-based approach. Security operations needs to be data-driven and predictive where continuous threat modeling runs at its core.”
A total of 333 qualified global IT and security professionals participated in the survey and carried enterprise security responsibilities at medium to enterprise-sized companies.
Other key findings
– 80% of companies have 30% or less of their IT budget dedicated to security.
– Companies experienced minimal security budget increases despite growing IT demands as a result of remote work shifts and COVID-19 impact: 19% reported no increases to security budgets, 29% received less than 10% budget and 8% received 50% or more budget increase.
– Companies looked to MSPs to augment their security operations: 47% rely on managed services to run their ops entirely or in hybrid arrangements.
– MSPs have an opportunity to expand their services by offering advanced, risk-based security and threat modeling services: only 17% of MSPs are offering threat modeling.
Security teams, risk-driven
- ISO 27001 Lead Implementer
- ISO 27001 Foundation
- ISO 27001 Lead Auditor
- CCISO – Certified Chief Information Security Officer
- Cybersecurity Professional
- Cybersecurity Lead Implementer
- Cybersecurity Lead Auditor
- CEH – Certified Ethical Hacker
- CHFI – Computer Hacking Forensic Investigator
(2021) Security teams need to become more proactive and risk-driven. Recovered on 11 November 2021 https://www.helpnetsecurity.com/2021/11/08/security-teams-proactive/