There is no question that organizations of all sizes face a significant threat from information security breaches.
Cyber-attacks have become more commonplace and more sophisticated with each passing year.
There are a variety of challenges that today’s security organizations have to deal with, including:
- Malware campaigns launched by organized criminal groups who look to steal information that can be sold on the black market
- Increasingly powerful distributed denial-of-service (DDoS) attacks that can take out large websites
- State-sponsored espionage that can penetrate even well-defended networks.
Organizations need to be prepared to respond when these incidents happen. A Computer Security Incident Response Team (CSIRT) is a team of security experts within an organization whose main focus is to respond to computer security incidents, provide the necessary services to handle them and support the organization to quickly recover from security breaches.
In this study, 674 IT and IT security professionals were surveyed in the United States (n=357) and the United Kingdom (n=317) in order to determine the level of preparedness of their Computer Security Incident Response Teams. To ensure knowledgeable responses, all participants in this research have some level of familiarity and involvement with their organization’s CSIRT activities.
57% of respondents expect to experience a security breach within the next year.
20% of respondents regularly communicate with management about threats.
In the past 24 months, most organizations represented in this study had at least one security incident and expect that another incident will occur in the near future. Most respondents agreed that the best thing that their organizations could do to mitigate future breaches is to improve their incident response capabilities. This recommendation was more popular than preventative security measures such as vulnerability audits and end-user education efforts.
In spite of these facts, most survey respondents indicate that investment in incident response capabilities in their organization has remained static over the past 24 months relative to other IT security expenditures. In fact, 34% indicated that their organizations do not have a fully functional CSIRT at all, and many CSIRTS that do exist lack full-time staff. This is particularly alarming considering that nearly half of the respondents anticipate another breach within the next six months, and that it takes an average of at least one month to resolve each incident.
Another key observation is that C-Suite executives are often not informed about CSIRT activities. Only 20 percent of respondents say they very frequently or frequently communicate with executive management about potential cyber- attacks or threats against the organization.
1 Incident = a violation or imminent threat of violation of computer security policies, acceptable use policies or standard security practices.
Further, only 14 percent say executive management takes part in the incident response process. As a consequence of this lack of involvement and awareness, CSIRTs may find it difficult to obtain the resources from leadership to invest in the expertise and technologies necessary to deal with future security incidents.
Today’s IT security teams must be squarely focused on business continuity, not just on catching crooks. In the information age, security incident response should be a regular and prominent part of doing business, versus just a siloed effort relegated to the IT team.