It’s no secret: cybercrime is skyrocketing. Security breaches in the last five years grew by 67 percent for public and private sector organizations, according to Accenture and Ponemon Institute’s 2019 “Cost of Cybercrime Study,” with the average cost of cybercrime for an organization increasing from $11.7 million in 2017 to $13 million in 2018—an increase of 12 percent in one year.
Compounding the problem is a global cybersecurity talent shortage, with roughly two million open positions according to ISACA's State of Cybersecurity 2019 survey. Organizations find it increasingly difficult to retain qualified cybersecurity professionals, with nearly 70 percent reporting that their cybersecurity teams are understaffed. Additional insights from the ISACA survey revealed that:
- 87% of respondents say they need up to 50% more cybersecurity budget
- 53% of organizations experience delays up to 6 months to find qualified security candidates
- 89% say their cybersecurity function does not fully meet their organization’s needs
- 84% of organizations believe half or fewer security job applicants are qualified
- 12% feel it is very likely they would detect a sophisticated cyber attack
What’s Changed?
Surprisingly, attacker tactics haven't changed much in the past 10 years – phishing, malicious files, unpatched vulnerabilities, and privilege escalation are still alive and well. What has changed is the time between a vulnerability becoming known and an attack that uses it being launched, which keeps shrinking. A robust cybercriminal marketplace allows unsophisticated attackers to quickly launch attacks against organizations. Additionally, the size of the attack surface has exploded, with targets that now include cloud and hybrid infrastructures, IoT and Internet-connected everything, increased connections to Industrial Control Systems (ICS/OT), use of mobile devices, and a higher number of employees working remotely. As a defender, you not only have to protect this larger attack surface but must do so with the same IT security budget and a smaller cybersecurity talent pool.
The good news is cybersecurity is evolving. Twenty years ago, incident response teams did not have a centralized method for managing security alerts. Then Security Information and Event Management (SIEM) came along, allowing security teams to centralize and prioritize security alerts. Incident orchestration (now usually sold as SOAR) was then bolted on top of the SIEM to reduce investigation time, but that is still a drop in the bucket when most organizations receive over 5,000 security alerts per day.
Whether or not an organization has a Security Operations Center (SOC), it’s critical to ensure proper triage of security alerts and swift response to threats. This takes time and money. Ideally, organizations would have an overarching security strategy driven by a risk-based decision-making process. This approach would fund the resources required to investigate and respond to all security alerts based on risk versus limited headcount.
Instead, most companies are raising alert thresholds, ignoring entire categories of security alerts, and creating artificial incident categories to reduce alert volume. This is not a risk-based decision but an arbitrary headcount decision, in many cases driven by lack of budget.
Organizations need an approach to security that neither requires additional budget nor ignores security alerts, whatever their category. Security practitioners are drowning in false positives from their tools that they lack the capacity to resolve.
Security Automation is Key
Security automation can help combat the rising cost of attack discovery, with savings of approximately $2.09 million, according to Accenture/Ponemon, factoring in investment costs. Yet adoption is still relatively low, with just 38 percent of the Accenture/Ponemon respondent sample saying they leverage automation. Automation could begin to address the shortage of skilled security staff by supplementing existing skills and capabilities. Automation that triages generic security alerts frees up time for cybersecurity professionals to invest in the business and focus on the smaller percentage of security alerts that require cybersecurity expertise.
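To make the difference between "raising the threshold" and risk-based, automated triage concrete, here is an added example that is not part of the original article or of any Critical Start product. It runs over a handful of constructed alerts against a hypothetical asset inventory: one function does what the article criticizes (drop everything below a severity floor), the other scores every alert by severity, asset criticality and corroboration, auto-closes a known-benign pattern with a recorded reason, and escalates the rest in risk order. Host names, rule names, IP addresses and the scoring weights are all assumptions for illustration.

```python
"""Severity thresholding vs. risk-based alert triage on constructed sample alerts."""
from collections import defaultdict

# Constructed sample alerts; hosts, rules and IPs are hypothetical.
ALERTS = [
    {"id": 1, "host": "dc01", "rule": "New service installed", "severity": "low", "source_ip": "10.0.5.23"},
    {"id": 2, "host": "dev-laptop-17", "rule": "Port scan detected", "severity": "high", "source_ip": "10.0.9.9"},
    {"id": 3, "host": "dc01", "rule": "Credential dumping tool hash", "severity": "medium", "source_ip": "10.0.5.23"},
    {"id": 4, "host": "web-prod-02", "rule": "Port scan detected", "severity": "high", "source_ip": "10.0.0.4"},
    {"id": 5, "host": "kiosk-03", "rule": "Failed logon burst", "severity": "medium", "source_ip": "10.0.12.8"},
]

SEVERITY = {"low": 1, "medium": 2, "high": 3}

# Hypothetical asset inventory: business criticality on a 1-5 scale.
ASSET_CRITICALITY = {"dc01": 5, "web-prod-02": 4, "dev-laptop-17": 2, "kiosk-03": 1}

# Hypothetical allow-list: the authorised vulnerability scanner that always trips port-scan rules.
AUTHORISED_SCANNERS = {"10.0.0.4"}


def threshold_triage(alerts, min_severity="high"):
    """The common headcount-driven response: raise the bar and silently drop everything below it."""
    floor = SEVERITY[min_severity]
    return [a["id"] for a in alerts if SEVERITY[a["severity"]] >= floor]


def risk_triage(alerts):
    """Score every alert; nothing is discarded, it is ranked and (where safe) dispositioned automatically."""
    per_host = defaultdict(int)
    for a in alerts:
        per_host[a["host"]] += 1  # several alerts on one host corroborate each other

    queue = []
    for a in alerts:
        # Known-benign pattern: auto-close with a reason on record, rather than ignoring the whole rule category.
        if a["rule"] == "Port scan detected" and a["source_ip"] in AUTHORISED_SCANNERS:
            queue.append({"id": a["id"], "score": 0, "disposition": "auto-closed: authorised scanner"})
            continue
        crit = ASSET_CRITICALITY.get(a["host"], 3)  # unknown asset: assume medium criticality, never zero
        score = SEVERITY[a["severity"]] * crit * per_host[a["host"]]
        disposition = "escalate to analyst" if score >= 10 else "automated enrichment, review in batch"
        queue.append({"id": a["id"], "score": score, "disposition": disposition})
    queue.sort(key=lambda q: q["score"], reverse=True)
    return queue


if __name__ == "__main__":
    print("threshold triage keeps:", threshold_triage(ALERTS))
    for item in risk_triage(ALERTS):
        print(item)
```

With these inputs the threshold approach keeps only the two "high" port-scan alerts, one of which is the organisation's own scanner, and drops both alerts on the domain controller. The risk-based queue puts the domain controller's credential-dumping and new-service alerts at the top, sends the laptop and kiosk alerts to batch review, and closes the scanner alert with a recorded reason, so an analyst can audit that decision later.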
While cybersecurity is slowly moving out of the IT basement into a cross-functional role within the organization, there is still a long way to go. As more organizations invest in security, business leaders need to improve the economic value of their cybersecurity strategies. Discovery costs will continue to escalate as cyberattacks increase. Organizations that take advantage of automation and advanced analytics to supplement the work of security experts, whether in-house or as a service, will help reduce these costs to drive positive bottom-line results.
About the author: Rob Davis is founder and CEO of Critical Start, an MDR service provider for organizations that have something to lose if a breach occurs and that prioritize effectiveness over price.