15 companies from around the globe share their Cybersecurity insights at this year’s Gartner Security and Risk Summit
Attendees from a variety of industries sat with us for a 45-minute “CISO Roundtable Chat” at the 2017 Gartner Security & Risk Management Summit.
You’d think with a broad a cross section of companies from around the world that the cybersecurity issues would also vary greatly? While there were differences, four common threads were easy to find – talent acquisition and retention; budget dollars for prevention vs. monitoring/detection/response; cybersecurity processes require consistent and repeatable processes; and more than 50% of the CISOs outsource, but “feel” it’s not effective.
Below we take a closer look and dive deeper into each of these four topics, sharing some specific insights from the CISO’s themselves.
1. Talent acquisition and retention – universally the CISO’s and directors in the room echoed the need for more talent in the cybersecurity market and for that talent to be “better utilized.” It seems that cyber analysts depending on the size of the team are required to do some percentage of “network operations work,” such as noise reduction by reviewing alerts and analyzing and closing tickets. The frequency and level of their participation appears to be a big factor in their job satisfaction and is a key factor in an employee’s decision to move on.
"You need to give your team a license to remove administrative overhead tasks and to automate those that remain.” ―Venture Capital Firm CISO
Further, tier 1 analysts that like doing this level of work may not evolve to become tier 2 and 3 level analysts. Tier 1 analysts that are promising and have a future as tier 2 and 3 analysts almost always grow to dislike noisy alert reviews and ticket closing activities and often move on before they are promoted by management. This creates a talent churn and vacuum at the bottom of the cybersecurity team and makes it hard to grow promising talent from within.
The answer? Reduce noise by automating this task or outsourcing it, before it becomes a drag on the team.
2. Budget – CISO’s in the room agreed that a base level of prevention is required and that managing a cyber budget by managing risk levels does not equal cybersecurity. Too little budget creates an intolerably high risk for the organization and too much budget, for example, 100% of the budget spent on prevention, creates an enormous gap in the security team’s ability to absorb technology and promotes shelf-ware.
"100% of the budget was spent on prevention and produced 100% failure as we were breached anyway.” ―Fortune 500 Aerospace & Defense Manufacturer CISO
The lesson? A cyber security maturity level is built on a balance of prevention, detection, and response. The new leader’s recipe for success is to outsource the tier 1 and 2 functions and mature the tier 3 function.
Other views were mixed. Some in the group believe their outsourced SOC supplier is performing the balancing act on their behalf. Those who outsource lower level MSSP commodity functions don’t expect a balance. Those who outsource almost all of their cybersecurity believe it should be balanced by their supplier. But the room became quiet when asked if they have a mechanism to measure if their cybersecurity is in balance.
3. Processes – It was no surprise that every cybersecurity professional in the room agreed that consistent and repeatable processes are required for success, but what was interesting was whether they felt their organizations or the outsourced suppliers they employ were following a set of processes. They believed that a security architecture was needed before you can drive a set of repeatable processes.
The CISO’s with a more mature cyber security team and posture (balanced spend and talent that has longevity) were in favor of processes like the Cyber Kill Chain* and the Diamond Model. While companies that outsourced their SOC and security team believed processes are the domain of the outsourcer, relinquishing control to their cybersecurity supplier.
“We outsource (security) to two different companies, but closely aligned their goals to our business requirements for availability and uptime, and staff vendor management on our team.” ―Director of Security for a National Air Traffic Control System
All participants believe that the true measure of cybersecurity effectiveness are; the direct results achieved (reduced risk to business operations), and the tangible value brought by effectively allowing the business to run unimpeded over time.
4. Outsourcing and new business models – more than 50% of the participants in the CISO chat outsourced some or all of their cyber security function. Those who did outsource most of the function felt that a strong security architect needed to be on the team, and they shared various models for what they outsourced (commodity functions through to everything), how (controlled by their own internal team or via Service Level Agreement), and why they outsource (mostly easier access to budget via operational expense (Opex) as opposed to capital expenditures (Capex)).
“We outsource everything. It’s easier to run an Opex model vs. a pure Capex driven model to fund security efforts. Key to our success is a constantly updated security architecture model that evolves with our business needs. That security architect lives in our team.” ―International Banking Firm CISO
Equally strong was the position that commodity functions like alerting, ticket management, and basic perimeter security should be outsourced. This allows an internal security team to be lean and focused on detection and prevention.
The discussion turned to newer business models. Like how much security risk can be pushed on to an outsourced supplier. Some of the participants have already formulated contracts to transfer risk to the outsourcer and change their financial relationship accordingly, in the form of a Service Level Agreement.
While this underscores the participant companies’ complete reliance on the outsourced vendor to have the necessary talent, visibility, and responsiveness required to meet the challenge of early threat detection and rapid response, it does not in any way assure success.
Given the trends exposed here, it’s clear that the time is right for an outsourced Managed Detection and Response service to appear on the market.
Leidos Managed Detection and Response (MDR) service is a new breed of solution that delivers advanced monitoring, detection, and response capabilities. Leidos MDR goes beyond traditional MSSP or IR services to provide a continuous end-to-end approach that detects malicious threats earlier, provides comprehensive analysis of the intrusion, and delivers actionable guidance for future prevention based on intelligence gained.
Turn incident response into incident prevention. Find out how our advanced managed detection and response capabilities can transform your network defense strategy. Request a meeting with one of our cybersecurity experts today!