Responding to a security threat is just as important as detecting it – if not more so.
Yet Computer Security Incident Response Teams are often given short thrift in security budgets – a lack of attention a new study argues may be traceable to poor communication between security teams and executives.
In a report sponsored by security vendor Lancope, Ponemon Institute found that half of the 674 IT and security professionals surveyed said that incident response represents less than 10 percent of their security budgets. For most (68 percent), the money allotted to incident response has not increased in the past two years.
Of the respondents who say their organization has a CSIRT, most of have been in place for at least three years and have several employees assigned to them. However, these employees split time between supporting CSIRT activities and other job responsibilities. In fact, 45 percent said that their CSIRT had no full-time staff at all, and only 27 percent had more than one full-time employee.
Security Response “The findings of our research suggest that companies are not always making the right investments in incident response,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, in a statement. “As a result, they may not be as prepared as they should be to respond to security incidents.”
However the business side of the house is often unaware of the realities of security. Eighty percent of respondents reported they don’t frequently communicate with executive management about potential cyber-attacks against their organization, and only 14 percent said their executive management takes part in the incident response process.
“We think there are two reasons for the communications gap between security teams and executive management – the first is that some organizations may be sheltering their leadership teams from bad news,” Tom Cross, Lancope’s director of security research, told SecurityWeek. “Everyone wants to tell the boss that things are going well instead of bringing problems to their attention and having to answer difficult questions about why those problems exist. Therefore, senior management may be operating in a bubble.”
“The second reason for the communications gap is that management may not be interested in information about cyber security threats – they may view that information as technical detail that isn’t relevant to the overall business,” he added.
Further complicating the issue is the fact that many businesses do not do a good job measuring the effectiveness of their response teams. Just 47 percent said they either do not assess the readiness of their incident response teams or do not do so regularly. Only 23 percent of respondents indicated that their organization has a predefined public relations and analyst relations plan in place in the event of a breach that needs to be publicly disclosed.
To measure the effectiveness of their programs, the study recommends organizations begin measuring three key metrics: mean time to detect a security event; mean time to know the root cause of the event; and the mean time to repair or recover from the event.
“These metrics can help an organization get a sense of how long it is taking to detect breaches and address them,” Cross said. “However, there are other metrics that are also important. Organizations should obviously be keeping track of how many incidents they are experiencing. These incidents can be categorized in terms of the type of threat they posed, how they attacked the organization, as well as how successful they were before they were identified and contained.”
“Keeping track of this kind of data can help an organization better understand where its weak points are and whether improvements in incident detection and response are having an impact on the overall cost of attacks,” he concluded.