Lack of Executive Understanding, Talent Gap Strain Security Teams
A lack of executive understanding and an ever-widening talent gap are placing an unsustainable burden on security teams that are expected to prevent business-ending breaches.
One of the most striking findings from a recent Swimlane survey was the extent to which CISOs overestimated their organizations' threat detection and incident response (TDIR) capabilities.
The survey, conducted by Dimensional Research, found that while 70% of executives believe all alerts are being handled, the frontline staff who actually work those alerts reported that just 36% are.
“Call it confidence, optimism or delusion, executives reported a different perspective than frontline workers in multiple areas,” said Swimlane CEO James Brear. “This disconnect stems from a few key factors, but a prevalent communication gap is at the top of the list.”
He added that the security industry at large lacks technology that provides a system of record.
“This approach to cybersecurity is essential in bridging the gap as it gives executives actionable insights to better understand the efficacy of their systems, the processes in place and their people,” Brear said. “Clearly, the solutions in place within many organizations today are not cutting it.”
The Communication Disconnect
Piyush Pandey, CEO of Pathlock, said the most disconcerting result from the report is the apparent disconnect between executives and frontline security professionals.
“This disparity could leave the door open for an improper prioritization of strategy–what matters most, and hence, what gets resources for management and remediation,” he said. “It’s possible the disconnect is coming from a true understanding of the data itself, which leads to communication gaps.”
He added that a lack of consistent KPIs or metrics can also cause a disconnect between the two camps.
“Again, this relates to how well your TD&R [threat detection and response] solution surfaces information for various audiences,” Pandey said. “This gap can be closed through a consistent set of agreed upon, and easily understood metrics and KPIs—that’s a strong first step.”
He explained that aligning these metrics with business objectives would help the C-suite understand progress and risk, and would give the security team a clearer picture of how it contributes to the company’s success.
Pandey added that underfunding caused by an unnecessarily rosy view of threat detection and incident response capabilities will quickly become a problem when the organization faces a propagating threat.
The Widening Talent Gap
Also concerning is the widening talent gap: the report revealed that 82% of companies said it takes three months or longer to fill an open security position.
This has led one-third (33%) of organizations to conclude that they will never have a fully staffed security team with the right skills.
Zac Warren, chief security advisor, EMEA, at Tanium, said this significant disconnect between the C-suite and frontline IT security professionals is especially concerning.
“There are several factors that contribute to this,” he said. “First, there is a major lack of communication as well as misperceptions. The reporting is unclear and not realistic.”
Warren added that executives need to have a clear and realistic view of the organization’s security capabilities and the challenges faced by the security team.
“There is also a limited understanding of cybersecurity,” he added. “Some executives lack a deep understanding of cybersecurity and rely on high-level reports and metrics that may not accurately reflect the on-the-ground reality.”
This lack of understanding could lead to misinterpretation of the organization’s actual security posture.
“In order to close this divide, we must do a few things,” Warren said. “We need to improve communication channels. There must be realistic reporting. We need to focus on conducting cybersecurity education for execs. I also believe strongly in the joint development of cybersecurity strategies.”
He explained that if executive teams and frontline IT and cybersecurity teams can be aligned, the result is more effective decision-making, more timely responses to threats and better retention of security talent, which he called a “huge issue,” as well as improved cybersecurity resilience.
Eli Nussbaum, managing director at Conversant Group, pointed out that security professionals need adequate budget, staffing, information and support to evolve security programs.
“They can’t get these things without top leadership buy-in—and they will continue to assume the risk of breaches as well,” he said. “They need to be able to get accurate information on existing gaps, then have the budgets to address them.”
He admitted that this sometimes means making tradeoffs between user convenience and security, which also requires executive support.
“IT needs to have a stronger voice,” he said. “We find that when they have the right data on their gaps and the consequences of breach in dollars and cents—and can present that to the C-suite—the divide closes and proper budgets are attributed to the problem.”
From his perspective, it is essential for IT to have accurate information, and that often means bringing in outside experts with current data on threat actor activity to assess gaps in controls, configurations and orchestration.
“Organizations are too reliant on compliance or traditional penetration testing to assess their risk,” Nussbaum added. “Unfortunately, threat actors don’t care about compliance and they are not constrained to the rules of engagement that penetration testers abide by.”