SecOps Modernization: Time to Unpin the Complex Matrix

In the post-pandemic “new normal”, companies continue to embrace new working models fueled by digital transformation, especially cloud technologies.

Eight in ten employees said they support hybrid work models as the future norm, while 86% of companies plan to accelerate cloud adoption post-pandemic.

As urgent solutions to support the remote and distributed workforce have fueled transformation in the business world, hackers have also boosted their capabilities. Today's hacker bag of tricks is increasingly targeted and complex, which means awareness, vigilance and education are vital weapons and our most critical line of defense. Every day 450,000 new malware samples are detected, and 3.4 billion phishing emails arrive in inboxes. Nearly half of the organizations responding to our last survey listed malware such as ransomware as a top concern. Faced with an ever-changing and increasingly sophisticated threat landscape, companies are also contending with cybersecurity labor shortages and stringent industry compliance regulations, while trying to evolve their technology to meet the challenge.

Just as organizations embrace modern, next-generation workplace technologies, security operations must modernize, moving beyond reactive defense to build resilience through proactive protection. Modern SecOps leverages people, processes, and tools to promote measurable results in securing infrastructure and business processes.

Our latest research details the main priorities of current SecOps modernization efforts. In a world where cybercriminals take advantage of growing businesses and ever-changing business models, it is time to stop hackers in their tracks by benchmarking SecOps status and taking proactive steps to transform it. A new approach covering the fundamentals of people, process and technology, one that tackles roadblocks and builds a shared framework for ensuring business resilience, is mission critical.

The eternal problem of people

61% of companies say staffing and labor are their top concern when it comes to SecOps. The human factor is an ongoing challenge for SecOps, but there is a duality. On the one hand, people have become the primary attack vector for cyber attackers: humans, rather than technology, now pose the most significant risk to organizations.

On the other hand, people are also the solution to managing human risk. For example, security awareness professionals are essential to workforce education, and the most mature security awareness programs have the largest number of people dedicated to managing and supporting them.

However, the equally well-recognized cybersecurity skills crisis still rages: 62% of organizations struggle to staff cyber roles. There are myriad reasons why this challenge persists. Data growth, technological change and compliance requirements all add to the complexity and cost of the capabilities an organization must maintain, which makes it difficult to keep adequate cyber talent and resources in place.

Retention complicates this dynamic. Where talent exists, 64% report that their SecOps staff consists of professionals with five years or less of experience. Cyber professionals often feel the pressure of SecOps work early in their career, but most don't want it to define their long-term career.

In response, many organizations are outsourcing cyber functions to global, distributed managed security service providers. Security Orchestration, Automation, and Response (SOAR) tools have also become the norm, deployed in many security operations centers to increase the efficiency of existing staff.

Automation meets the human factor

A SecOps analyst must detect and respond to a high-severity incident in less than an hour.

Staffing shortages are affecting response times, but expectations for organizations to remedy issues remain high. We asked organizations what average downtime they would be willing to accept in a high-severity incident, such as a ransomware attack. Almost a quarter said they would tolerate six hours, 20% said 24 hours and 13% said one hour. Stakeholder expectations for downtime do not match resource commitments.

With this in mind, security orchestration, automation, and response (SOAR) tools that accelerate response times and ensure greater accuracy can be considered part of any SecOps modernization strategy.

The rapid evolution of technology is producing more signals for a cyber analyst to evaluate, which creates a requirement for automation. SOAR tools help human analysts perform vital SecOps work quickly and efficiently: routine actions are automated, which reduces errors, and orchestration across many systems removes manual hand-offs. Such tools allow SecOps professionals to make decisions with confidence while allowing the organization to put limits on what any individual can do. This maintains separation of duties within compliance, policy and legal constraints, minimizing the likelihood of system damage and legal liability.
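The mechanism described above, a playbook that automates routine steps but refuses to let one person take a destructive action alone, is easier to see in code. The following is an added illustration written for this page, not code from SANS or from any SOAR vendor. The alerts, the "known bad" addresses (drawn from the TEST-NET ranges), the action names and the two policy sets are all constructed assumptions; no host is actually isolated or account disabled.

```python
"""Minimal SOAR-style playbook runner.

Added illustration, not any vendor's product code. Alerts and the
threat-intel list below are constructed for the example. The rule it
demonstrates: routine, low-impact actions run unattended; destructive
actions require a second, different approver before they execute
(separation of duties), and every attempt is written to an audit log.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed enrichment data: TEST-NET addresses, assumed malicious
# purely for this example.
KNOWN_BAD_IPS = {"203.0.113.7", "198.51.100.23"}

# Hypothetical policy: what one analyst may trigger alone vs. what needs
# a second approver.
AUTO_ALLOWED = {"enrich", "tag", "isolate_host"}
NEEDS_SECOND_APPROVER = {"wipe_host", "disable_user"}


@dataclass
class Alert:
    id: str
    host: str
    user: str
    remote_ip: str
    severity: str
    tags: Set[str] = field(default_factory=set)


@dataclass
class AuditEntry:
    alert_id: str
    action: str
    actor: str
    approver: Optional[str]
    status: str  # "done", "pending_approval" or "blocked"


def enrich(alert: Alert) -> Alert:
    """Tag the alert with whatever the (constructed) intel lookup knows."""
    if alert.remote_ip in KNOWN_BAD_IPS:
        alert.tags.add("known_bad_ip")
    return alert


def execute(alert: Alert, action: str, actor: str,
            approver: Optional[str] = None,
            audit: Optional[List[AuditEntry]] = None) -> AuditEntry:
    """Apply one playbook action under the separation-of-duties policy.

    Returns the audit entry written for the attempt. Nothing here performs
    a real isolate or disable; the status records what would happen.
    """
    if action in AUTO_ALLOWED:
        status = "done"
    elif action in NEEDS_SECOND_APPROVER:
        # A destructive step needs a second person; self-approval is refused.
        status = "done" if approver and approver != actor else "pending_approval"
    else:
        status = "blocked"  # action not in policy: never run it
    entry = AuditEntry(alert.id, action, actor, approver, status)
    if audit is not None:
        audit.append(entry)
    return entry


def run_playbook(alert: Alert, actor: str,
                 approver: Optional[str] = None) -> List[AuditEntry]:
    """Containment playbook for a suspicious outbound connection.

    Enrich first; if the destination is known-bad and severity is high,
    isolate the host automatically and queue the account disable, which
    only completes when a second, different approver is named.
    """
    audit: List[AuditEntry] = []
    enrich(alert)
    execute(alert, "enrich", actor, audit=audit)
    if "known_bad_ip" in alert.tags and alert.severity == "high":
        execute(alert, "isolate_host", actor, audit=audit)
        execute(alert, "disable_user", actor, approver, audit=audit)
    return audit


if __name__ == "__main__":
    sample = Alert("A-1", "ws-17", "jdoe", "203.0.113.7", "high")
    for entry in run_playbook(sample, actor="analyst1"):
        print(entry)
```

The audit list is the point of the design: the analyst gets fast, automatic containment for the reversible step (host isolation), while the irreversible step sits in `pending_approval` until a different named person approves it, so the tool both speeds up the response and enforces the limit on what one individual can do.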

However, while SOAR complements SecOps functions, it is not a silver bullet for staffing shortages. Organizations told us that incident response (34%) and automation (15%) are their SecOps' greatest strengths, although 30% of respondents also rated automation as one of the most significant weaknesses of their SecOps program. These results indicate that SOAR can increase the efficiency of existing staff but cannot entirely replace them.

Artificial intelligence and machine learning can boost analytical procedures and help humans evolve their analytical functions, but cannot replace human talent. A modern SecOps strategy will appreciate this delicate balance and weigh investment in recruitment and retention alongside essential tools and technology.

A matrix of modernization technologies

While talent is a constant challenge for SecOps, for those looking to mature their operations, cybersecurity tools such as SOAR technologies are arguably the next most critical element. According to PwC, nearly two-thirds of UK organizations increased their cybersecurity budgets in 2022, up from 56% in 2021.

Our findings indicate an increasing migration from traditional tool suites to more integrated, cloud-based ones. Budget shortages, digital transformation to the cloud, cultural shifts related to remote working and the need to mature programs are the major drivers of technology adoption across product types.

Currently, Endpoint Detection and Response (EDR), Security Information and Event Management (SIEM), Vulnerability Management and Network Detection and Response (NDR) are considered core capabilities. Respondents to our survey reported EDR and SIEM as the most powerful tools in their current arsenal; forensics and the emerging Cloud Workload Protection Platforms (CWPPs) are currently the weakest.

Interestingly, however, despite some concerns, modernization is migrating toward emerging capabilities such as NDR and CWPP.

NDR tools monitor and analyze network traffic in the cloud and on premises, detect threats using AI/ML, and provide investigation and response capabilities. CWPPs provide visibility, hardening and vulnerability management for cloud-based workloads, which is essential for today's cloud-based workforce. Three years from now, cloud security, threat intelligence and secure application development look set to be the dominant trends.
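One concrete analytic of the kind an NDR tool runs over network traffic is beaconing detection: a compromised host calling back to the same destination on a near-fixed schedule. The following is an added illustration for this page, not code from SANS or from any NDR product, and it uses simple statistics rather than a trained model. The flow records are constructed (TEST-NET destinations, invented timestamps), as are the thresholds for minimum sample count and allowed timing variation.

```python
"""Beaconing detector over flow records.

Added illustration of one NDR-style analytic; it is not any product's
code. The flow records are constructed: one host calls back to the same
destination at a near-constant interval (beacon-like), another shows
irregular traffic, a third has too few connections to judge. A
(src, dst, port) pair is flagged when it has enough connections and the
inter-arrival times vary little relative to their mean (low coefficient
of variation).
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Flow = Tuple[float, str, str, int]  # (timestamp_s, src_ip, dst_ip, dst_port)


def _beacon_flows() -> List[Flow]:
    # Constructed: 12 connections roughly every 60 s with +/-1 s jitter.
    intervals = [60, 61, 59, 60, 60, 61, 59, 60, 60, 61, 60]
    t = 1000.0
    flows = [(t, "10.0.0.5", "203.0.113.9", 443)]
    for gap in intervals:
        t += gap
        flows.append((t, "10.0.0.5", "203.0.113.9", 443))
    return flows


def _irregular_flows() -> List[Flow]:
    # Constructed: interactive-looking traffic with no fixed period.
    times = [0, 5, 47, 52, 130, 131, 300, 420, 421, 600]
    return [(float(t), "10.0.0.7", "192.0.2.10", 443) for t in times]


FLOWS: List[Flow] = _beacon_flows() + _irregular_flows() + [
    (50.0, "10.0.0.9", "192.0.2.11", 80),   # only two samples: ignored
    (110.0, "10.0.0.9", "192.0.2.11", 80),
]


def detect_beacons(flows: List[Flow], min_samples: int = 8,
                   max_cv: float = 0.1) -> List[Dict]:
    """Return one finding per (src, dst, port) whose inter-arrival times
    have coefficient of variation <= max_cv, given >= min_samples flows.

    min_samples guards against flagging a pair on a handful of
    coincidentally regular connections; max_cv is the assumed jitter
    tolerance for this example.
    """
    by_pair: Dict[Tuple[str, str, int], List[float]] = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)

    findings = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_samples:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; nothing periodic to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "port": port,
                             "samples": len(times),
                             "interval_s": round(avg, 1),
                             "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for finding in detect_beacons(FLOWS):
        print(finding)
```

Run as written, only the 10.0.0.5 to 203.0.113.9 pair is reported, with an interval of about 60 s. Real NDR products add what this toy omits: learned baselines per host, long-tail destinations, and the investigation workflow that turns a finding into a response; but the signal they start from is this kind of regularity in otherwise ordinary-looking connections.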

Achieving SecOps modernity

The pandemic has created a technological revolution to support the globally distributed and remote workforce, opening up opportunities for threat actors to scale up.

There is a desperate need to mature SecOps programs. Cyber workforce shortages are the overriding challenge: the SecOps industry cannot secure data with the available workforce, and SOAR is not a panacea. SecOps modernization is migrating toward emerging capabilities such as NDR and CWPP, and technology integration is key to these strategies, but people underpin every aspect of technology modernization.

However, there is a mismatch between stakeholder understanding and resources, and it is most apparent in the people problem. That problem covers recruitment and retention, but also mitigation of the most vulnerable area of SecOps: the human factor. Modernization through technology is an essential part of the modernization matrix, yet much more needs to be done to close knowledge, skills, awareness and compliance gaps, which form the foundation of the cybersecurity process. Knowledge is therefore the foundation of any modernization effort. Only when people, process and technology are matched will modernization happen.


About the Author

John Davis is UK and Ireland Director at SANS Institute. SANS is the most trusted and by far the largest source of cybersecurity information and training and certification in the world. It also develops, maintains and makes freely available the largest collection of research materials on various aspects of information security, and it operates the Internet’s early warning system – Internet Storm Center.
