As cyber threats intensify and the human and financial resources available to deal with them remain limited, there is a growing need for automation in cybersecurity. The intelligent automation of key cybersecurity processes can significantly improve an organisation’s posture. At the same time, it will support under-pressure employees by reducing reliance on manual processes. But in what is a relatively new approach, how far have organisations progressed along the cybersecurity automation maturity curve and is everyone on the same journey?
To understand just how far organisations have progressed in their bid to deploy automation, ThreatQuotient surveyed 750 cybersecurity professionals from organisations in the UK, USA, and Australia. This was a follow-up to our 2021 UK survey, which revealed that businesses lacked trust in the outcomes of automation processes. Despite this, cybersecurity automation has gained traction over the intervening year. This year’s results show concerns have moved to more practical deployment issues, such as integrating with existing technology and a lack of skills in the workforce.
These challenges were also evident when we asked respondents to rate the current maturity of their cybersecurity operations on a scale adapted from one originally developed by Accenture. We wanted to get a sense of how cybersecurity professionals view the sophistication of their set-up and how it contributes to the wider business.
Cybersecurity operations maturity scale:
| Level | Description |
|---|---|
| 1 | We know we need to establish a cybersecurity operations capability, but we have no budget, personnel, or technology in place to build one. |
| 2 | We are using some intelligence feeds but do not have a SOC or SIEM in place and cannot link threats to our strategic position. We have limited resources to support our security operations practice. |
| 3 | We have an established cybersecurity operations practice with dedicated personnel. We curate our feeds and can relate threats to our organisational environment and events. However, our approach is reactive, so the time to detection is longer than we would like. |
| 4 | We have an established cybersecurity operations practice that is tuned to recognize threats specific to our organisation and prioritises them accordingly. We integrate with the wider business. |
| 5 | Our cybersecurity operations practice is advanced and operates a fusion centre model that goes beyond a focus on IT/OT threats and integrates with other areas such as IR, patch management, risk and compliance. We are viewed as an asset to the business. |
Role-based variations: CISOs are struggling with cybersecurity maturity
We surveyed a mix of CISOs, Heads of SOC, Heads of IR, Heads of Cyberthreat Intelligence and IT Security Solutions Architects from a range of industry verticals. Respondents came from organisations with between 2,000 and 10,000+ employees. The responses show notable variations in how different roles view their security operations maturity. In addition, when cross-referenced with responses to other questions, it showed that existing automation adoption and greater budget allocation are linked to maturity.
Surprisingly, the 262 CISOs we surveyed were least confident in the maturity of their set-up. The average position was 2.5 out of 5, and most rated their organisation at level 2 (35%). This indicated that they have limited resources to support their security operations practice. A further 27.5% selected level 3 and 15% chose level 4. Only 4% said they had an advanced practice in place. 19% said they were only at level 1 – effectively having no practice in place at all.
Interestingly, Heads of SOC (n=209) rate their maturity higher than their CISO counterparts. Only 10% selected level 1, and their overall rating was 2.74 out of 5. On average, they are slightly more likely than CISOs to be already automating key use cases, and more of them (32.5%) have received a net new budget.
Heads of IT Security Solutions Architecture (n=54) and Heads of Cyber Threat Intelligence (CTI) (n=114) also rate maturity higher than CISOs (at level 3 and 2.98 respectively).
Based on their responses, CISOs see their organisation as less mature in cybersecurity. They are also less likely to have net new budget to devote to improving automation (26% vs a survey average of 34%) compared to those in other roles. This is potentially concerning, as CISOs sit in a more strategic position and have broader influence over the organisation’s approach. It may be that they are more realistic about their performance. Or, it could be that they don’t have visibility over the extent to which their reports are already using automation.
This analysis also shows that the more processes that are already automated, and the more net new budget received, the higher the respondent rates the maturity of their organisation.
Most organisations are early on their journey to cybersecurity automation maturity
Most respondents rated their set-up at level 2 or 3 on the maturity scale. One in five said that they have an established cybersecurity operations practice that is tuned to recognise threats specific to their organisation and prioritises them accordingly and that they integrate with the wider business (level 4). Still fewer, just 38 out of the 750 surveyed, said they were operating a model so effective that it was seen as an asset to the business.
There is clearly some way to travel to reach the desired level of maturity, but that is not surprising. Automation may be the Holy Grail of efficient cyber defence, but it is still a relatively new discipline. There are undoubtedly challenges involved in implementing automation and achieving demonstrable return on investment, as our full research report reveals.
Perhaps most telling, however, are the variations in perception of cybersecurity operations maturity between the different roles. CISOs are undoubtedly feeling less confident and need more support to realise a roadmap for maturity than some of their counterparts in the SOC, IR and cyber threat intelligence divisions.
This disconnect between CISOs and other roles was notable across several survey responses. It perhaps indicates the more strategic position occupied by CISOs; they are likely to be facing budget constraints and skills shortages that may be limiting their appetite for undertaking challenging automation projects. However, by working more closely with their cybersecurity counterparts in other roles, who appear more confident about automation, they may be able to gain a better understanding of its value and application. They should also seek support from cybersecurity automation solution vendors to build a business case demonstrating clear ROI, allowing them to unlock more budget so they can move their organisation along the maturity curve.
ThreatQuotient’s mission is to improve the efficiency and effectiveness of security operations through a threat-centric platform. By integrating an organization’s existing processes and technologies into a single security architecture, ThreatQuotient accelerates and simplifies investigations and collaboration within and across teams and tools. Through automation, prioritization and visualization, ThreatQuotient’s solutions reduce noise and highlight top priority threats to provide greater focus and decision support for limited resources.