Security Groups Struggle for Budget, Skilled Workers

A shortage of knowledgeable security pros and a greater variety of information technology have set companies back in their fight to secure their infrastructure, according to an annual study by Hewlett Packard Enterprise.

security professionals

Companies have lost ground in the fight to secure their infrastructure, as the managers of security operations centers (SOCs) have to deal with a greater variety of information technology and a shortage in knowledgeable security workers, Hewlett Packard Enterprise stated in a report released on Jan. 20.

The State of Security Operations 2016 report found that the average maturity rating of SOCs fell over the past year, with 25 percent of companies failing to even score a level 1 on the 6-point scale of maturity. A lack of knowledgeable security professionals, a greater variety of information technology and budget pressures all contributed to the decline, Kerry Matre, senior product marketing manager of services for HPE Security, told eWEEK.

"When we talk to CISOs [chief information security officers] and do surveys, the lack of skilled resources is the No. 1 issue they are facing," she said. "The organizations that are doing well are finding a workaround for this issue."

With businesses concerned over regular reports of breaches, an increasing number are creating a central group to handle security, Matre said. From two- or three-person groups to large centers with dozens of employees, security operations centers allow companies to focus on creating the infrastructure and processes needed to lock down their networks and data.

"We are seeing a lot more SOCs being created, although it might not be that name that they use," she said. "There is a stigma in that 'SOC' means expensive, so they might call it something else."

The HPE report rated the maturity level of a company's security capability on a scale of 0 to 5, advancing from "Incomplete" (Level 0) to "Initial" (Level 1) up to "Optimizing" (Level 5). Typically, the few companies with a mature security capability score between a 3 ("Defined") and 4 ("Measured") on the scale, but the average company typically scores between a 1 and 2 ("Managed").

While the HPE report described a drop in the maturity level, it did not specify by how much. However, it did note regional differences, with South American SOCs scoring the highest at 1.92 and SOCs in the Middle East and North Africa scoring the lowest at 0.74.

Over the last five years, technology companies have scored the highest at 1.82, while telecommunications firms have scored the lowest at 0.95.

More companies are moving to a hybrid infrastructure model encompassing both on-premises technology and cloud services. In addition, companies are moving away from a focus on just monitoring and instead using hunt teams to sift through collected data for signs of an attack.

The lack of security expertise has forced businesses to adopt a hybrid staffing model, using managed-security services to handle the triaging of incidents and initial monitoring and using in-house security teams for incident response. Organizations are also looking to automation to help ease incident response, so as to free up security resources to conduct hunting and breach investigations.

The companies that succeed in advancing the maturity of their security operations centers are those that focus on establishing processes and training workers year after year, said HPE's Matre.

"A simple thing that leads to better maturity is documenting processes," she said. "That makes incident response repeatable, but also, once they are documented, they are more in control. Just defining your processes will make you more capable and make your people happier."

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...