The majority of companies — 77% of respondents — don’t have a cybersecurity incident response plan applied across the enterprise, according to a study conducted by the Ponemon Institute and paid for by IBM.
One of the primary reasons for this is the well-documented security skills shortage. “It’s a major, major problem for security generally but it’s particularly acute in incident response because it’s a newer discipline,” said Ted Julian, vice president of product management and co-founder of IBM Resilient.
IBM bought Resilient, an incident response company, in 2016. The 2019 Cyber Resilient Organization is the vendor’s fourth annual benchmark study on cyber resilience — how an enterprise aligns its prevention, detection, and response capabilities to manage and mitigate threats against its data and IT infrastructure. For the report, Ponemon surveyed more than 3,600 security and IT professionals globally.
Survey respondents said they lack the headcount to maintain and test their incident response plans and are facing between 10 and 20 open seats on cybersecurity teams. Only 30% of respondents reported that staffing for security is sufficient to achieve a high level of cyber resilience. And 75% of respondents rate their difficulty in hiring and retaining skilled security personnel as moderately high to high.
“Network security has been around 20 years, and malware, virus analysis, things of that nature are well-established skill sets,” Julian said. “But incident response, in terms of enterprises having dedicated people to this function, is relatively modern and a pretty tall order. You need to know about networks, security, a little about malware. You need to have business skills to have expertise with the potential business impact of attacks. The skill shortage is particularly acute when it comes to incident responders.”
Adding to the skills gap, 48% said their organization deploys too many separate security tools, ultimately increasing operational complexity and reducing visibility into overall security posture.
Automation Is Key
This is the first year the study looked at automation and whether it is useful for cyber resilience. When asked to rate the value of automation and cyber resilience to their security posture on a scale of one (lowest value) to 10 (highest value), 62% rated the value of cyber resilience as very high, and 76% said they find automation very valuable.
Still, only 23% said they were significant users of automation technologies such as identity management and authentication, incident response platforms, and security information and event management (SIEM) tools. And 77% reported their organizations only use automation moderately, insignificantly, or not at all.
Julian says the primary takeaway for enterprises should be to put a cyber response plan in place — stat. “You’re not building on a sound foundation unless you’ve done that,” he said. “And it doesn’t have to be super complex.”
Make a Plan
“It could be as simple as dusting off the plan you do have and getting a cross-functional team to update it as necessary,” Julian explained. “It’s about getting the right people around the table.”
It’s important to have non-IT-security people on this team because an attack will affect multiple business groups, he said. “You should include colleagues in IT more broadly but also HR, because, let’s face it, insider threats are a big deal. Marketing should be involved because if you have a crisis communication plan in place you might need to execute that. And there should be some executive sponsorship because at the end of the day if it’s a really bad breach there is going to be some executive called upon to comment.”
This response plan will help “minimize the fog of war,” Julian added. “When an incident happens, if you have documented your procedures and your response time, and if you’ve practiced, you have more of a fighting chance.”
Chart courtesy of IBM