Research examines security operations proficiency issues

Security professionals say the biggest challenges to security operations include working with IT, honing software development skills and collaborating with developers.

The list of security operations challenges is fairly well known: too many tools and manual processes, not enough staff or specialized skills. Countless research projects from TechTarget's Enterprise Strategy Group, as well as others, reinforce that these issues still plague organizations in terms of security efficacy and operational efficiency.

In Enterprise Strategy Group's research report, "SOC Modernization and the Role of XDR," we asked recipients about security operations challenges from a different angle: In which areas were security operations teams least proficient? We got answers from 376 security professionals, and the results were as follows:

• Working with IT operations. Thirty percent of security professional respondents said their security operations team was least proficient in working with IT operations teams to mitigate security risks or respond to security incidents. This is a concern, as cybersecurity risk management is a team effort where security teams identify and prioritize risks -- e.g., vulnerabilities, misconfigurations, overprivileged accounts, etc. -- and then IT operations mitigates these risks -- i.e., applies a patch, changes a configuration setting, etc. A lack of proficiency here either leaves organizations exposed or gives them a false sense that the security trains are running on time when, really, they are late or about to derail.
• Lack of programming and software development skills. Thirty percent of respondents said their security operations team was least proficient in programming and software development skills for developing security workflows. This is likely related to process automation actions where Python and scripting skills are often necessary. Since process automation is critical for scaling security operations, organizations should use the automation functionality in existing tools, such as endpoint detection and response, extended detection and response, threat intelligence platforms, SIEM and others. They can also seek low-code/no-code security orchestration, automation and response tool alternatives, such as Torq.
• Issues with software development teams on mitigating risks. Twenty-six percent of survey respondents said their security operations teams were least proficient in working with software development teams to mitigate security risks in their code. Given the explosion of Agile development, DevOps, cloud-native applications and digital transformation initiatives, this should raise red flags in the CISO's office. Historical and cultural forces are at work here. Developers want to get their code into production without any stop signs or detours, while security professionals are paid to halt traffic when they find problems. Perhaps DevSecOps can help organizations overcome this "Hatfield vs. McCoy" feud situation.
• Triaging security alerts. Twenty-four percent of respondents said their security operations teams were least proficient in triaging security alerts. This is another familiar issue, typically driven by alert storms and less-skilled tier 1 analysts. Leading organizations are addressing this issue by training staff, tuning detection rules, automating low-level response actions, using the Mitre ATT&CK framework to drive more alert context, enriching alerts with accurate threat intelligence and chaining alerts together in attack patterns.
• Maintaining and operating security analytics and operations infrastructure. Twenty-four percent of respondents said their security operations teams were least proficient in maintaining and operating security analytics and operations infrastructure. In my humble opinion, this issue is underappreciated. Security tools can require a lot of tuning and updating to maximize efficacy. When security teams are overwhelmed, they frequently neglect this upkeep to their detriment. Cloud-based SaaS or managed services can help here. Security teams should also validate security controls often to understand whether they can be counted on to prevent and detect cyber attacks as advertised.

In this time of economic uncertainty, CISOs are often motivated to look within and get more out of current staff and processes. Based on this research, it looks like these efforts should start with peace talks and treaties among security teams, software developers and IT operations. And it wouldn't hurt to send a few crackerjack security staffers to coding training.