A new survey out this week offers good evidence as to why so many businesses today bungle their response to security compromises and breach discoveries.
The study of 170 businesses, conducted by the Security for Business Innovation Council (SBIC) and RSA, The Security Division of EMC (EMC), shows that the majority of businesses lack incident response plans, have no capability to correlate security-related data from their IT infrastructure, can't properly analyze live network forensics, and have no way to take advantage of industry-wide threat intelligence.
"Organizations are struggling to gain visibility into operational risk across the business," said Dave Martin, chief trust officer for RSA. "While many organizations may feel they have a good handle on their security, it is still rarely tied in to a larger operational risk strategy, which limits their visibility into their actual risk profile."
Incident response plans infrequently reviewed or updated
The survey compared these organizations' practices with the percentage of SBIC members who engage in the same practices. Just 30 percent of organizations at large said they have formal incident response plans, and among those, 57 percent infrequently or never review or update those plans.
Best practices vs. reality
Maintaining and reviewing an incident response plan is a standard best practice that 100 percent of SBIC members engage in. Similarly, 100 percent of SBIC members have a security-focused log aggregation and correlation solution in place to provide centralized alerting of suspicious activity, while just 45 percent of organizations at large do so. And only 42 percent of organizations at large have live network forensics capabilities such as full-packet capture and analysis, while 83 percent of SBIC members do so.
Being your customers' "best practices" provider
All of these best practices involve considerable investment in daily workflows and processes that require skilled intervention from security professionals. It's a prime opportunity for managed security service providers who can scale incident response more effectively and affordably for smaller organizations that may not have the resources to build out their own security operations.
"People and process are more critical than the technology as it pertains to incident response. First, a security operations team must have clearly defined roles and responsibilities to avoid confusion at the crucial hour," says Ben Doyle, chief information security officer for Thales Australia and New Zealand. "But it is just as important to have visibility and consistent workflows during any major security crisis to assure accountability and consistency and help organizations improve response procedures over time."