Organizations continue to lack incident response proficiency, study finds
Security professionals are anticipating breaches, but organizations continue to lack the necessary incident response capabilities, a recent study found.
Conducted by the Ponemon Institute and commissioned by security firm Lancope, the study, "Cyber Security Incident Response: Are we as prepared as we think?," surveyed 674 IT and IT security professionals in the U.S. and the United Kingdom and assessed their computer security and incident response team's (CSIRT) preparedness.
According to the report, all individuals surveyed were acquainted with or are involved in activities regarding the organization's CSIRT.
Of those surveyed, 68 percent said that their organization experienced a security breach or incident in the past 24 months, while 46 percent expect another within the next six months. Even though breaches are anticipated, 34 percent of respondents shared that their organizations do not have a CSIRT in place, and of those that do, many of the team's members are not full-time staff.
“If you are in fact serious about CSIRT, you probably need some people that are fully dedicated to this,” Larry Ponemon, chairman and founder of the Ponemon Institute, said during a panel discussion on the matter at this year's RSA Conference in San Francisco.
Ponemon was joined by other industry experts in a session at the conference titled “Why cyber incident response teams get no respect.”
Christopher Pierson, chief security and compliance officer at Viewpost, said that the make-up of a CSIRT is comprised of individuals that work in public relations, marketing, accounting and finance, law, and infrastructure.
“Think about all of the constituent pieces that you have,” Pierson said. “You want to make sure that you have all of the right [people] in place so that when you have to press that red button they're ready to go.”
While many of the CSIRT members have the right amount of experience and credentials to be a part of it, the study indicates that less than half of respondents shared that those members do not undergo specialized training on an ongoing basis. Additionally, 45 percent shared that their CSIRT has no full-time staff.
A majority of respondents agreed that improving the capabilities of their incident response teams is the best way to mitigate future security incidents from taking place.
However, the report indicates that investment in incident response capabilities has remained static in the last two years, and this may be due to the lack of communication between security professionals and upstream management.
Of those surveyed, 20 percent of respondents indicated that they rarely communicate the potential threats and risks posed against organizations with C-level executives. When it comes to those same executives taking part in the incident response process, only 14 percent do so.
Speaking on the panel, Mark Weatherford, principal at the Chertoff Group, said he believes this stems from a lack of communication that continues to be a major issue among industry professionals.
“Most of the people that actually participate on the CSIRT have grown up in the technical community and they don't know how to talk to the executives, so they fall back on what they know best,” Weatherford said. “The most important thing is having someone as part of the CSIRT team that can do that translation and convince the boards to understand the important of CSIRT's and security across the spectrum.”
Of those surveyed whose organizations have a CSIRT in place, 47 percent indicated that they don't regularly check on the readiness of it, which may affect response time once incidents arise.
During the panel discussion, Thomas Cross, director of security research at Lancope, said that the best way to measure the team's effectiveness is through “operational metrics.” While it's important to keep track of the incidents as whole, if organizations also measure the impact that the CSIRT has on those incidents, and its effects on the cost the organization endured due to the incident, it's easier to gauge the return on investment of having the CSIRT in place.
“The fact is, what you're doing to investigate incidents and to understand them, feeds back into how you protect your organization,” Cross said.