Cybersecurity job loss after a major incident is becoming less likely as organizations drop the “blame” game for more practical approaches to breach prevention, a survey of 500 CISOs shows.
More than 95% of CISOs reported their teams received greater support from their organization after a breach. Meanwhile, a majority of businesses chose to switch cybersecurity vendors in the aftermath of a breach, with many turning to solutions incorporating greater automation and integration.
Extended detection and response (XDR) security company Trellix published its “Mind of the CISO: Behind the Breach” report on Nov. 28. The publication presents data on CISOs’ experiences before, during and after a major cybersecurity incident, as well as insights from more in-depth interviews with more than a dozen CISOs from the United States, United Kingdom and Australia. All the survey participants and interviewees managed at least one major incident within the last five years, with 63% reporting that they managed more than one major breach.
Data shows cyber teams need more people, better training
While more than a fifth of respondents (22%) reported job loss or redundancy as one of their organization’s responses to a breach, the report notes that the percentage has decreased over the years. Firings and layoffs occurred nearly a third of the time (31%) in the aftermath of breaches that occurred three or more years ago, while only 13% of breaches in the last year prompted organizations to separate with cybersecurity staff members. Additionally, more than a third (38%) of organizations created new jobs or responsibilities after a breach.
“As breaches not only continue but many organizations find themselves experiencing repeat attacks, there is an evolving realization that any one person or team cannot be ‘blamed,’” Trellix CISO Harold Rivas told SC Media. “Ridding the company of individuals will not help the business recover from an attack or better prepare them for a potential next attack.”
While 34% of CISOs said they believed their people needed a “complete overhaul” after a major cyber incident, dismissing and replacing team members is not necessarily the right solution. Of the “people gaps” reported by CISOs in the survey, the most common were threats missed off-shift or by outsourced staff, followed by lack of security operation center (SOC) analysts, threat hunters or responders, and gaps in IT skills and knowledge needed to handle an incident.
“The most important asset or factor in IT or security is not the technology, not the policy or process, not the tools, it’s the people,” said one CISO interviewed and quoted in the report. “Get the people on board, get the people adopted, get the people understanding and contributing, the other stuff falls into place.”
Businesses apt to switch technologies after a cyberattack
While job security after a breach appears to be increasing, cybersecurity vendor loyalty after a cyberattack is relatively low, the survey found. About two-thirds (66%) of respondents said they switched or planned to switch their primary security vendor as the result of a major cyber incident.
“It is fair to surmise that organizations don’t want to simultaneously throw an entire team out the door and promptly wipe all existing processes in tandem with all the other implications,” said Rivas. “Replacing a vendor likely feels like the quickest turn change to implement, especially with 46% of CISOs receiving increased budget for additional technology following an attack.”
Of those who chose to stick with their existing vendor, 51% said this was due to the vendor’s good pricing; 51% also said the vendor’s expertise was a reason to stay. Responsiveness to the incident was also a factor, with 45% of respondents citing this as a reason not to switch; 46% said the cost and effort of transitioning to a new vendor would be too great.
CISOs cite technology gaps, seek automation
Along with people and process gaps, technology gaps play a major role in the failures that allow major breaches to occur.
CISOs surveyed said incorrectly configured technology (45%), gaps in the security capability of technology (42%) and siloed technologies (42%) played a role in major cybersecurity incidents. Additionally, 53% said technology limitations prevented the processes intended to protect their organization from being fully executed. Half of survey respondents said an excess of manual processes delayed detection or mitigation of cyber threats.
Many CISOs are shifting their overall approach to cybersecurity and seeking automated solutions in the aftermath of a cyberattack.
Rethinking of an organization’s overall security strategy was reported by 42% of respondents, and 37% said more automation and orchestration was added to improve their security posture. Of the types of security solutions implemented after a breach, managed detection and response (MDR) was most popular (45%) followed closely by data loss prevention (DLP) (44%) and XDR (43%).
The survey results also showed CISOs looked for benefits including better visibility of threat landscapes, reduced manual strain on SOC teams and real-time automation when shopping for XDR solutions.
“XDR actually aggregates and correlates data from multiple sources and, therefore, false positives are actually reduced,” one interviewee stated. “Alert fatigue […] is less in the security teams, and XDR also can be proactive in nature rather than defensive […] which is probably another big difference.”
