At What Point Do You Need a Dedicated Cyber Security Team?

Although things are slowly changing for the better, the vast majority of organisations still lack one of the fundamentals of modern security — dedicated cybersecurity professionals. According to a 2020 report by STX Next, a software development consultancy, while cybersecurity budgets are growing and awareness of cybercrime is increasing, only a fifth of organisations have a dedicated cybersecurity team in place. And that’s a problem. 

Without dedicated security staff, even minor operational changes can cause the basics of IT security to go out of the window. The pandemic put this issue into sharp focus. In a large-scale study, Lynx Software found that more than half of the US professionals it surveyed felt their employers could have done more to improve cybersecurity over the preceding year and a half. Digging into the findings, about two-thirds of employees said they were not prohibited from using tools and apps that did not meet the organisation's security standards. A similar number said they were allowed to sign into personal services on corporate devices, and three-quarters admitted to using personal devices for work at least some of the time.

Perhaps unsurprisingly, reported cybercrime has risen by 300% since the pandemic began, and 2020 is cited as the “busiest year on record” for attacks targeting UK firms. With remote and hybrid work persisting, 2021 and beyond look unlikely to be any better. In a recent survey by Hitachi ID and the social research firm Pulse, 95% of CIOs said their IT teams are overwhelmed by the inefficiencies of remote working. With IT staff preoccupied with employee password lockouts and users unable to reach on-premises applications, is it any wonder that cybercriminals are catching them off guard?

The reality is that unless an organisation has a dedicated cybersecurity team in place, it cannot realistically monitor threats around the clock, pandemic or no pandemic.

When Should You Start Building Out a Cyber Security Team?

Traditionally, for businesses below enterprise scale, cybersecurity has been just another responsibility of the IT department. For small companies with a limited IT footprint, this may still make sense. However, for growing organisations with hybrid workforces and sprawling estates of on-premises and cloud servers, expecting IT professionals to do security on top of their normal workload is not only unsustainable but may, in fact, be downright dangerous.

Between maintaining and integrating IT systems, managing data, and delivering routine tech support (up to 50% of all IT help desk tickets come from employees who need a password reset), IT teams cannot reliably stay on top of threat alerts. Expecting the same people to be proactive about their organisation’s cyber defence strategy is a bridge too far. Many IT professionals now operate in a hybrid or remote-first environment, which brings a higher support burden, less visibility into the network, and increased cybersecurity risk. In the first quarter of 2021, UK-based organisations experienced close to 2,000 attacks a day, up from around 500 a day in Q1 2017.

To make matters worse, not every organisation has someone knowledgeable about cybersecurity on its IT team, or even an IT team to begin with. Among SMEs, 6% have no IT team at all, 11% outsource IT entirely, and 13% have only an informal IT team made up of part-time staff. These figures come from a 2020 report, “The state of SMB cybersecurity at a time of crisis,” by PwC HK, and could explain why some SMEs lack basic cybersecurity tools and controls: just 53% of SMEs have an antivirus solution in place. Yet, strangely enough, most SMEs think their IT teams have everything under control (84% rated their IT team 7 or more out of 10). Moreover, 9 in 10 businesses believe they could spot an attack within one day, and 84% think they could recover from one within 24 hours. Industry data does not support this optimism. IBM’s 2021 Cost of a Data Breach report put the average time to identify and contain a breach at 287 days (roughly nine months), seven days longer than the year before.

As a result, the decision to employ a security professional (or a full-fledged cybersecurity team) should be based on operational necessity rather than on the organisation's size. Any company that relies on networked computer systems, and on the security of the data they hold, to stay in business should employ people to protect those systems and that data.

How Many Security Professionals Is Enough?

Looking at job ads for cybersecurity professionals, it is not uncommon to see a long list of daily duties and responsibilities. These may include:

  • Vulnerability/penetration testing.

  • Firewall management.

  • Monitoring and triaging logs for possible Indicators of Compromise.

  • Threat hunting.

  • Business impact analysis.

  • Ensuring compliance with X, Y, and Z.

  • Employee awareness training.

  • SIEM implementation and management.

  • And more.

Cybersecurity professionals may well wonder whether all of the above can really be performed by a single individual, and increasingly the consensus is that it cannot. A growing school of thought holds that organisations should split their cybersecurity function into separate groups, each responsible for a major risk area: architecture and policy, data loss prevention, penetration testing, incident response and forensic analysis, and so on. In smaller organisations, one individual may cover more than one of these specialisations.

While this approach gives an organisation subject matter experts who are better equipped to deal with specific threats, it also runs the risk that the teams become silos. Siloed teams tend to choose their own tooling, so controls and tools that do not complement one another end up deployed side by side within the same business, and overall security declines rather than improves.

Another drawback of this model is that few organisations can afford to employ several cybersecurity teams. And even companies with no shortage of cash can struggle to find enough security talent. In a recent ISACA survey, 6 in 10 information security professionals said their cybersecurity teams are understaffed, more than 5 in 10 said they have cybersecurity positions that remain unfilled, and 5 in 10 said applicants to vacant security roles lack the appropriate expertise. Almost 7 in 10 were certain they had seen more attacks in the last year as a result of not having enough skilled defenders.

Making matters worse, organisations tend to invest in more cybersecurity tools instead of more staff. The problem this creates is that the more security tools a business has, the more alerts it gets, and the more people it needs to deal with them. If an organisation will not, or cannot, hire more people, its existing staff are left to absorb an ever-increasing volume of alerts. In a poll of 2,303 IT security and SOC decision-makers, Trend Micro found that 70% feel overwhelmed by security alerts, with many spending about a quarter of their time investigating false positives and some ignoring alerts altogether.

The Lean Solution 

Every organisation should have a security expert on its team or, better yet, a well-staffed cybersecurity team. But putting someone in charge of security is one thing; empowering them to excel in the role is another. What some organisations, and some security vendors, expect of security professionals today is unrealistic and often simply impossible. Handing individuals a pile of security tools, and in the process inundating them with countless low-value alerts, has long been discredited as an effective approach.

With mid-sized companies facing what PCMag has called “a hacking epidemic in 2022,” organisations need to rethink their cybersecurity architecture. Above all, they need to stop letting attackers enter their networks unseen. According to Mandiant’s 2020 Security Effectiveness Report, 58% of attacks infiltrated business networks without anyone in the victim organisation noticing, and 91% of attacks did not generate a security alert, often because tool sensitivity had been turned down, whether by the vendor or by the security team.

Solving this problem in 2022 means not only training and employing more security professionals to spot and remediate threats, but also equipping those on the security front line with tool stacks that actually help them do their job. Ultimately, organisations need to ask whether they are getting maximum “ROI” from their current security posture.

Return on investment, through maximising what lean security can do, is exactly what SenseOn is for. Replacing EDR, NDR, IDS/IPS, UEBA, SIEM, and SOAR with one cohesive platform, SenseOn gives security analysts unparalleled visibility into an organisation’s systems. 

At the same time, thanks to a unique technology known as AI triangulation, SenseOn also enhances an organisation’s IT or cybersecurity team with a “virtual” workforce. 

Behaving like a human analyst, SenseOn’s AI triangulation automates threat detection, investigation, and response, only flagging threats that are genuinely serious. This means that IT or cybersecurity professionals can dedicate their time and efforts elsewhere without the fear of missing an alert that could prove fatal to their organisation. 
