Report: Organisations must be proactive, not reactive when it comes to security
The majority of companies experience significant damage to operations during the first day of an IT outage, according to new research from Netenrich.
The global survey of IT and security professionals, titled ‘Pivoting to Risk-Driven Security Operations’, found that 83% of companies would suffer business damage during the first 24 hours of an outage and thereafter.
The researchers state, this isn't surprising as recent surges in ransomware and other attacks have wreaked havoc across IT infrastructures.
The findings also reveal interesting insights and contradictions when it comes to scaling security operations.
When looking to upgrade their security posture, 67% of respondents stated they focused on tool upgrades, yet organisations found that tool integrations (55%), lack of tool expertise (52%) and tool sprawl (41%) were their biggest pain points.
While security teams aspire to do more proactive and risk-driven operations, such as risk management (37%), incident analysis (34%) and threat modelling (29%), they spend most of their time doing foundational and reactive security tasks, such as updating patches (43%), researching and analysing critical incidents (41%) and removing false positives (40%).
The researchers state that this is because security teams are continuing to participate in reactive security. They are adding more tools, needing more resources and chasing thousands of alerts, while lacking the contextual data and prioritisation that's needed.
The survey finds that companies want to do more threat modelling, incident analysis and risk management, however, very few employ it or even know how to do so.
Less than 40% perform threat modelling, less than half conduct threat modelling on a daily (16%) or weekly basis (31%), and only 30% practice external attack surface management.
Netenrich primary threat researcher John Bambenek says, "Organisations fail to shift to a proactive approach that prioritises security defences around the most likely, highest business-impacting attack vectors.
"Security teams need to start evaluating business risk based on the likelihood of attack success and mapping that attack success to what it would actually cost the business. Focus on the critical issues that matter most to reduce the attack and outage impact."
Bambenek adds, "Our industry has taken an IT internal view to security rather than an attack external view of security.
"Organisations need to shift mindsets, adopt a managed risk, not an IT-based approach. Security operations needs to be data-driven and predictive where continuous threat modelling runs at its core."
The report also found that 80% of companies have 30% or less of their IT budget dedicated to security.
On this, companies experienced minimal security budget increases despite growing IT demands as a result of remote work shifts and COVID-19 impact.
In fact, 19% reported no increases to security budgets, 29% received less than 10% budget and 8% received 50% or more budget increase.
As a result, more companies are looking to MSPs to augment their security operations. The report finds that at present, 47% rely on managed services to run their ops entirely or in hybrid arrangements.
Finally, the research highlights that MSPs have an opportunity to expand their services by offering advanced, risk-based security and threat modelling services. At present only 17% of MSPs are offering threat modelling.