A renewed interest in implementing, maturing or outsourcing security operations centers made the list of Gartner’s top security and risk management trends for 2019 to 2020.
There are two driving forces behind the trend of expanding SOC capabilities, according to Gartner research vice president Peter Firstbrook. First, with cyberattacks becoming more sophisticated, organizations are starting to realize that they need to be able to respond in the event of an emergency. Second, security teams are realizing the job of security is not to prevent every single incident, Firstbrook said.
“Their job is to find incidents and to respond to them quickly, and to do that you need to focus; you need somebody who does that organizationally,” he said.
Other key security and risk management trends include developing risk appetite statements linked to business outcomes, passwordless authentication gaining traction, and security vendors fusing products with services. Leading security and risk management organizations are also utilizing a data security governance framework to prioritize data security investments and investing in both cloud security and inside-the-perimeter security, the report titled “Top Security and Risk Management Trends” stated.
“We consider these to be positive trends that companies smart at [security and risk management] are already doing,” Firstbrook said. “Based on their risk appetite, [security and risk management leaders should evaluate] if they are leveraging advanced technology and new trends in security to make sure that they’re secure and if they are not, these could probably be good projects for 2019 or 2020.”
Dawn of the modern SOC
Gartner forecasts 50% of all SOCs will transform into modern SOCs — with integrated incident response, threat intelligence and threat hunting capabilities — by 2022.
“While this is probably accurate for Fortune 1000 companies, those below the Fortune 1000 are more likely to outsource SOC capabilities,” TCE Strategy CEO Bryce Austin said in an email interview. “However, the contracts around those outsourcing agreements are often heavily skewed in favor of the SOC provider, rather than the recipient of SOC services.”
While companies with limited budgets can outsource SOC capabilities, Firstbrook said, they cannot outsource the business response.
“If you have a huge ransomware incident somebody is going to be responsible for recovering that code, or resuming business operations, or if there’s a breach then you need PR and legal involved,” Firstbrook said. “You still have to plan your playbooks for business response, but you may not have to plan as much around technical response. You’re more likely going to pull those off the shelf and say, ‘OK, we’ve got a couple of different playbooks for different types of threats to the organization.'”
As companies realize they need to adopt a more balanced approach to security — that covers prevention and detection, with a renewed effort to improve response and prediction capabilities — they should focus on expanding SOC capabilities beyond just SIEM systems, experts said.
“A SIEM is a very good start, but it’s just a start,” Austin said. “A SIEM is only as good as the data it is fed, and the knowledge of the operators that are analyzing the data is more important than the SIEM tool itself. SIEM tools are very useful, but they are a tool, just like a good set of Snap-On mechanic’s tools. They are no substitute for a good mechanic to use the tool properly.”
Incorporating EDR and user and entity behavior analytics tools is helpful in detecting under-the-radar threats that evade perimeter and traditional defenses, Firstbrook said. Complementing them with security orchestration and automation response (SOAR) tools helps with orchestrating and automating response playbooks and accelerates the response process, he added.
Drafting an effective risk appetite statement
An ongoing challenge faced by security and risk management leaders is their inability to communicate effectively with senior executives and business decision-makers, Firstbrook said. As a result, CISOs often miss a clear opportunity to advocate for security.
“Security and risk management professionals tend to come from the technology department and the business doesn’t understand technology, so we’re always looking for new ways to communicate with the business and to agreeing on things like levels of risk that are acceptable,” he said.
As a result, security and risk management leaders are beginning to create risk appetite statements that are clear, simple and pragmatic and are linked to business goals, Firstbrook said.
“Think of your risk appetite statement as your mission statement for security,” Firstbrook said. “They are what should you be focusing on, what’s the most important thing to the business, and you’re just going through the project of negotiating these things … a way of communicating with the business and getting some agreement and buy-in from the business people.”
Conducting workshops to agree with the business on a risk appetite statement is an effective measure that CISOs can implement, he suggested.
“If they’re wasting their time and priorities on things that [don’t] matter to the business, then this will help reveal that,” Firstbrook said.
Passwordless authentication is gaining traction
The passwordless authentication trend is being driven by user demands for fewer roadblocks in the way of doing their jobs, Firstbrook said. Passwordless authentication, when combined with biometrics, can be much harder to crack than other forms of multifactor authentication, he added.
“It achieves two goals: It helps the customers because they’re happy they don’t have to use passwords all the time and it actually improves the security of the applications,” he said.
But passwordless authentication will require “both the ‘something-you-have’ and ‘something-you-are’ authentication to reach a level of maturity that they are not yet at,” Austin said.
“‘Something-you-are’ authentication is making huge strides thanks to high-end smartphones and laptops, but it still hasn’t reached mainstream,” he said. “‘Something-you-have’ is farther along — the new line of YubiKey is a good example — but neither are ready to completely replace the password. I think we are five years away from passwordless authentication becoming mainstream.”
Findings from the report will be presented during Gartner’s Security & Risk Management Summit in June.