
The drivers and inhibitors of cyber security evolution

A study shows a shift in IT security spending to detection and response – but why are most organisations falling way behind the more enlightened front runners?

This article can also be found in the Premium Editorial Download: Computer Weekly: The file-sharing face-off: Box or Dropbox

A study shows European organisations are shifting their cyber security investment from traditional prevention and protection to detection and response capabilities – but the pace of change is much greater in some organisations than others.

The study, conducted by Pierre Audoin Consultants (PAC), shows many realise cyber attacks are inevitable – but why are most organisations falling way behind the more enlightened front runners?

While most organisations acknowledge that traditional security approaches fail to deal with the latest threats – with many acknowledging that antivirus systems catch only 30% to 50% of malware – they are still spending, on average, 77% of their security budgets on a traditional prevent and protect approach, using endpoint systems and firewalls.

“Coupled with the coming regulations that will require mandatory breach notification, it is surprising that many are still prioritising the same things they have always done, rather than evolving to ensure they can respond to threats that get through their current defences,” says FireEye European vice-president and chief technology officer (CTO) Greg Day.

“Many organisations talk the talk, but want to walk the walk at a very slow and steady pace, while the most enlightened organisations are already spending more than 50% of their security budgets on progressive detection and response capabilities,” he says.

The study found organisations are, on average, spending only 23% of their IT security budgets on detection and response, although this is expected to increase to 39% in the next two years.

Cultural change to detection and response

Research director at PAC and lead author of the study, Duncan Brown, ascribes the inertia in most organisations to the fact that switching to a focus on detection and response capabilities represents a fundamental change in the way IT security has been done for more than 25 years.

“There is a growing, but reluctant acceptance of the inevitability of a breach because, in the past, IT security people have been paid to keep the bad guys out – so there is a resistance to accept that they are unable to do that 100% of the time, purely because of professional pride,” Brown says.

Day agrees there is typically a mental barrier among information security professionals to accept what they perceive to be failure.

“Their job has been about defence for so long, it is difficult for many to acknowledge that they cannot defend everything and admit that some attacks can and will get through, especially in a culture that has tended to blame the head of IT security when things go wrong,” Day says.

The lack of IT security budget is often blamed for a failure to evolve defence capabilities, but Brown says the study found that cost is not really an inhibitor in moving to a detection and response approach. He says the organisations that are doing it are simply rebalancing their investments, without necessarily requiring increased budgets.

“Security budgets are growing, but they are not increasing in proportion to the threats, so progressive organisations are evolving their security strategies by shifting some of their prevention and protection spending to detection and response.”

According to FireEye’s Greg Day, there is a trend towards information security officers reporting to the chief operating officer or chief finance officer, as organisations shift information security budgets away from IT to areas of the business that deal with overall risk.

Outsourcing security incident response

But the shortage of cyber security skills is a real inhibitor, says Brown. “Organisations just cannot get the staff they need to build an incident response capability.”

As a result, the study found 69% of firms use external resources to respond to a cyber incident, despite a general reluctance to outsource security.

“Outsourcing security tends to be done on a very selective and cautious basis, because they worry about the loss of visibility and control – but that seems not to be the case for incident response,” says Brown. Besides skills shortages, he believes companies are outsourcing incident response because it is impossible to predict when it will be required; and when it does happen, it requires the instant availability of a lot of resources.

“Most companies use external staff for incident response – either exclusively or in combination with internal staff – as a long-term strategy,” says Brown.

Number crunching to find out what is going on does not require specific business knowledge, says FireEye’s Greg Day. “This is another reason a growing number of companies are moving this to a managed service, to enable their limited number of security team members to focus on things that require local knowledge; and, once malicious activity has been pinpointed, things like deep forensics to go to analysis is a very specialised and expensive skill to have in-house,” he says.

Retaining responsibility for risk assessment

However, Day says organisations still need someone on the inside of the business looking at the technical, commercial and reputational impact of information security incidents when they occur.

“The approach should be to outsource things that require heavy data analysis and specific knowledge skills, but also recognising that the whole process has got to be a partnership,” he says.

According to Brown, the study found that most organisations are using a combination of internal and external staff for incident response. “Most organisations that use outsourcing for incident response understand they cannot outsource the risk; that the organisation itself retains that responsibility and must have staff and processes for dealing with it,” he says.

In these organisations, Brown says outsourcing tends to sit in an overall risk-based cyber incident response plan. But the study shows nearly 40% of respondents admit their organisation does not have an incident response plan at all – and only 30% of those with a plan test and update it regularly.

“The incident response plan needs to come first, then organisations can choose to outsource as part of that plan – but it should be in the context of an overall plan,” says Brown.


European regulatory drivers

The planned European General Data Protection Regulation (GDPR) and network and information security (NIS) directive are likely to push organisations to invest more in detection and response, particularly because of the planned mandatory data breach notification requirements.

According to Brown, all the organisations polled are aware of the regulations and are concerned about their impact on business. “As greater clarity emerges on the exact provisions and timescale of the GDPR and NIS, that concern is likely to translate into action, accelerating the move to detection and response capabilities,” he says.

The study found that companies are still struggling to identify cyber breaches, with 69% taking between one and six months to discover an attack. FireEye’s Greg Day says this must change because the GDPR looks set to require organisations to notify data protection authorities and subjects in days – which is also likely to accelerate a move to boosting incident response capabilities.

Brown predicts a flurry of activity in the two years after the GDPR is finalised, as European organisations scramble to comply before it becomes enforced.

“The lack of clarity is acting as an inhibitor now, but that will all change when the GDPR is finalised and organisations know exactly what they will have to do to comply,” says Brown.

Prospects for cyber risk insurance

The study shows that, despite the growing focus on cyber risk, only 13% of organisations polled have cyber risk insurance, 43% said they were considering it, and 44% said they had no plans to take out cyber risk insurance.

While this may be surprising on the surface of it, FireEye’s Greg Day says that, although organisations are keen to do what they can to manage risk, most are still concerned about the maturity of the cyber risk insurance policies currently available.

“Many feel there is still not enough clarity about what they are and are not covered for; what regulation they cannot be covered for; and even things like first- and third-party liability or recovery costs, and what coverage they will get if an employee does the wrong thing,” says Day.

According to Day, cyber risk insurance has great potential, but it will require organisations to have greater confidence and experience in using it to become more widely adopted.

Brown believes that, as organisations get greater clarity on the coming European regulations, there will be greater adoption of cyber risk insurance. “With mandatory data breach notification, organisations will need to be able to identify and deal with breaches faster. We are likely to see cyber risk insurance becoming a key part of their remediation strategies,” he says.

If nothing else, the coming European data protection legislation could force all information security professionals to finally face and admit the limitations of the strategies many have pursued for years. Once they are over that psychological barrier, we may finally see a shift to the detection and response approach that some in the security industry have called for in the past few years.
