Research suggests that the sheer volume of alerts, and the high share of them that are false positives, is reshaping priority lists in security operations.
According to a CriticalStart study, alert overload is changing what analysts in security operations centers actually spend their time on, and it is raising the risk of analyst burnout.
Forty-one percent of survey respondents said the primary responsibility of their job is to analyze and remediate security threats, a dramatic drop from 70% in the 2018 survey. This is how the priority list looks:
- Analyze and resolve security threats: 41%
- Reduce the time needed to investigate a security alert: 25%
- Investigate as many alerts as possible: 18%
- Limit the number of alerts sent to customers for review: 13%
That last responsibility, limiting how much reaches the customer, appears to be the standard approach for 57% of respondents. Forty-three percent of managed security service providers and managed detection and response companies report complete transparency to customers: "they see everything we see."
Forty-eight percent show customers parts of an investigation only when the provider needs customer input, and 9% offer no transparency at all.
CriticalStart asked more than 50 security professionals to assess the state of incident response within security operations. Respondents included enterprise-level professionals as well as staff at managed security service providers and managed detection and response providers.
Sixty-five percent of respondents investigate more than 10 security alerts daily, compared with 45% who handled that volume last year.
On average, security analysts spend more than 10 minutes investigating each alert, and nearly half report a false-positive rate of 50% or more.
As companies outsource more security services, the alert overload shifts to the providers and shapes their hiring and operating procedures. To cope with the overload, providers both turn off certain alerts and hire more analysts:
- Tune specific features or thresholds to reduce alert volume: 57%
- Ignore certain categories of alerts: 39%
- Turn off high-volume alerting features: 38%
- Hire more analysts: 38%
This workload and stressful environment have an impact on employee retention. This year, for the first time, CriticalStart asked about turnover among security analysts. Employee retention does not look good:
- Turnover less than 10%: 20%
- 10 – 25% turnover: 45%
- 25 – 50% turnover: 29%
- More than 50% turnover: 6%
For comparison, in 2018 LinkedIn found that software, retail and media companies had the highest turnover rates, at 13.2%, 13% and 11.4% respectively.
The survey also found that 50% of respondents received 20 or fewer hours of training each year. Only 13% of respondents reported receiving 40-80 hours of training annually, and 11% said they had received more than 80 hours.
CriticalStart asked security professionals about their workload and career plans. The turnover is a problem.
Image: CriticalStart