As cyber threats intensify and the human and financial resources available to deal with them remain limited, there is a growing need for automation in cybersecurity.
The intelligent automation of key cybersecurity processes can significantly improve an organisation’s posture and at the same time support under-pressure employees by reducing reliance on manual processes. But in what is a relatively new approach, how far have organisations progressed along the cybersecurity automation maturity curve and is everyone on the same journey?
To understand just how far organisations have progressed in their bid to deploy automation, ThreatQuotient surveyed 750 cybersecurity professionals from organisations in the UK, USA, and Australia. This was a follow-up to our 2021 UK survey, which revealed businesses had a lack of trust in outcomes from automation processes. Despite this, cybersecurity automation has gained traction over the intervening year, and this year’s results show that concerns have moved to more practical deployment issues such as integrating with existing technology and a lack of skills in the workforce.
These challenges were also evident when we asked respondents to rate the current maturity of their cybersecurity operations on a scale adapted from one originally developed by Accenture. We wanted to get a sense of how cybersecurity professionals view the sophistication of their set-up and how it contributes to the wider business.
Cybersecurity operations maturity scale:
LEVEL 1 We know we need to establish a cybersecurity operations capability, but we have no budget, personnel, or technology in place to build one.
LEVEL 2 We are using some intelligence feeds but do not have a SOC or SIEM in place and cannot link threats to our strategic position. We have limited resources to support our security operations practice.
LEVEL 3 We have an established cybersecurity operations practice with dedicated personnel, we curate our feeds and can relate threats to our organisational environment and events, but our approach is reactive and means time to detection is longer than we would like.
LEVEL 4 We have an established cybersecurity operations practice that is tuned to recognize threats that are specific to our organization and prioritises them accordingly. We integrate with the wider business.
LEVEL 5 Our cybersecurity operations practice is advanced and operates a fusion centre model that goes beyond focus on IT/OT threats and integrates with other areas such as IR, patch management, risk and compliance. We are viewed as an asset to the business.
Role-based variations: CISOs are struggling with cybersecurity maturity
We surveyed a mix of CISOs, Heads of SOC, Heads of IR, Heads of Cyberthreat Intelligence and IT Security Solutions Architects from a range of industry verticals including: Defence, Retail, Financial Services, Central Government and Critical National Infrastructure. Respondents came from organisations with between 2,000 and 10,000+ employees. The responses show notable variations in how different roles view their security operations maturity, and when cross-referenced with responses to other questions, showed that existing automation adoption and greater budget allocation are linked to maturity.
Surprisingly, the 262 CISOs we surveyed were least confident in the maturity of their set-up; the average position was 2.5 out of five, and most rated their organisation at level 2 (35%) indicating that they have limited resources to support their security operations practice.
A further 27.5% selected level 3 and 15% chose level 4. Only 4% said they had an advanced practice in place and 19% said they were only at level 1 – effectively having no practice in place at all. This correlates with the fact that CISOs are less likely than respondents in other roles to say they are already automating key cybersecurity processes; only around one in five said they already automate processes such as threat intelligence management, phishing analysis, and vulnerability management. CISOs are also the most likely to say budgets have remained static and the least likely to have received a net new budget compared to other roles (26% vs an average of 34%).
Heads of SOC (n=209) rate their maturity higher than their CISO counterparts, with just 10% selecting level 1 and an overall rating of 2.74 out of 5. They are slightly more likely on average than CISOs to be already automating key use cases, and more of them (32.5%) have received a net new budget.
Heads of IT Security Solutions Architecture (n=54) and Heads of Cyber Threat Intelligence (CTI) (n=114) also rate maturity higher than CISOs (at level 3 and 2.98 respectively). Additionally, Heads of CTI are more likely than most other roles to be getting a net new budget (44% compared to an average of 34%) and 29% are already automating key use cases.
Based on their responses, CISOs see their organisation as less mature in cybersecurity and have fewer resources to devote to improving cybersecurity automation compared to those in other roles. This is potentially concerning, as CISOs sit in a more strategic position and have broader influence over the organisation’s approach. It may be that they are more realistic about their performance, or it could be that they don’t have visibility over the extent to which their reports are already using automation.
This analysis also shows that the more processes that are already automated, and the more net new budget received, the higher the respondent rates the maturity of their organisation.
Most organisations are early on their journey to cybersecurity automation maturity
Overall, most respondents rated their set-up at level 2 or 3 on the maturity scale. Just one in five said that they have an established cybersecurity operations practice that is tuned to recognise threats that are specific to their organisation and prioritises them accordingly, and that they integrate with the wider business (level 4). Still fewer, just 38 out of the 750 surveyed, said they were operating a model so effective that it was seen as an asset to the business.
There is clearly some way to travel to reach the desired level of maturity, but that is not surprising. Automation may be the Holy Grail of efficient cyber defence, but it is still a relatively new discipline and there are undoubtedly challenges involved in implementation and achieving ROI, as our full research report reveals.
Perhaps most tellingly, however, are the variations in perception of cybersecurity operations maturity between the different roles. CISOs are undoubtedly feeling less confident and need more support to realise a roadmap for maturity than some of their counterparts in the SOC, IR and cyber threat intelligence divisions.
This disconnect between CISOs and other roles was notable across several of the survey responses and perhaps indicates the more strategic position occupied by CISOs, as they face budget constraints and skills shortages. By working more closely with professionals in other roles, they may be able to gain a better understanding of the value and application of cybersecurity automation and how to demonstrate ROI so they can unlock more budget and move along the maturity curve.