ThreatQuotient has published its 2023 State of Cybersecurity Automation Adoption Research Report. The report has thrown up some expected results, such as the growing importance of automation in cybersecurity. It also threw up a number of unexpected results, the most interesting of which is how more than 60% calculate their ROI.
Leon Ward, Vice President, Product Management, ThreatQuotient, said, “Implementing cybersecurity automation is a complex and multifaceted undertaking, as borne out by the last three years of our research.
“While most surveyed organisations say cybersecurity automation is important to their business, there are signs of dissatisfaction, with all but one respondent saying they have encountered problems. That said, there are proven use cases for automation, and we believe the main barriers encountered are due to early adoption of solutions that didn’t deliver on their potential and had a lack of integration capabilities.”
The report is relatively short at 22 pages but covers a lot of ground and is likely to be of great interest to the C-Suite.
As might be expected, the report is full of statistics and picking the key takeaways depends on your view of the market. Among those that stand out from reading the report are:
- Automation of cybersecurity is hard, and 100% admit to problems.
- 32% say automation is very important, while a further 43% say it is important. However, the level of problems experienced has impacted how important respondents in different industries and countries view automation.
- Trust is a major challenge when implementing cybersecurity automation for 31% of respondents. This is impacting user adoption of the technology.
- While 99.9% have increased budgets for automation, only 18.5% say it is net new money. In 2022, that figure was 34%. Money is being drawn from other projects and from teams outside of cybersecurity.
- Budget issues (24%) are the joint top challenge for teams, matched by concerns over growing regulatory requirements, including draft legislation and regulations. Just behind is employee churn, which means skills are lost and projects are delayed.
- 41% see cybersecurity automation as increasing efficiency. This is about removing the mundane and allowing employees to focus on more interesting work.
- 60% say that employee satisfaction and retention is the main metric for assessing cybersecurity automation ROI.
There are many other interesting statistics from the report. However, this is a quantitative report, not a qualitative report. Many of the numbers that are here would have benefitted from a deeper understanding of what people meant.
No single use case as the key reason for automation
The report looked at five key sectors (Central Government, Defence, CNI, Retail, and Financial Services) across three countries (Australia, UK, USA). What is interesting is that the top three challenges vary across verticals and across regions.
For example, employee churn was a top issue in Central Government and CNI but wasn’t in the top three for the other sectors. The growth of regulatory/compliance requirements was a top factor for Retail and Financial Services and ranked third for Defence. This is despite every country putting it in its top three challenges.
When looked at from a regional perspective, there are other differences. Respondents in Australia and the US say cybersecurity automation is more important than a year ago. In the UK, that number has gone down from last year. An underlying cause in the UK is bad decisions caused by automation. It culminates in 21% of UK companies saying that cybersecurity automation is not important at all.
ThreatQuotient believes that the variations across sectors show where each is on its cybersecurity automation maturity journey. While it talks about the need to conduct a maturity assessment, it doesn’t provide a maturity roadmap.
A wholly unexpected ROI
The report has thrown up a wholly unexpected measure of ROI. For most organisations, ROI is something tangible that can be readily measured. The report, however, looks at what would be termed a soft measure, employee wellbeing, as a key ROI.
How respondents are measuring this is not part of the report. It is a response that demands a qualitative follow-up. Are employees asked directly about whether cybersecurity automation makes them happier? Are employers taking reduced employee churn as an indicator of increased wellbeing? If so, it is a dangerous assumption with no clear outcome.
ThreatQuotient has its own view on that. The report states, “…our respondents are now clear on how they measure ROI, with 61.5% saying it comes down to how well they are managing the team in terms of employee satisfaction and retention. Knowing that many cybersecurity leaders are struggling with employee wellbeing and burnout, we wanted to learn what they felt would have the biggest impact on wellbeing and employee retention.
“Top of the list was smarter tools that will simplify work (31%), while greater flexibility over working hours and location followed close behind, at the same rate as increasing team headcount (both 28%). This indicates that cybersecurity professionals see technology and human factors as equally important in improving employee experience.
“The pandemic created new expectations around work flexibility that employees are unwilling to relinquish, while newer industry entrants are digital nomads with high expectations around flexible work. Leaders are also beginning to see the potential of innovations in areas such as AI and low- or no-code to build smarter tools that make work more fulfilling. These are areas that ThreatQuotient will continue to draw on in the future.”
Enterprise Times: What does this mean?
This is a report that asks questions that similar reports do not. Its focus on cybersecurity automation will get the attention of many in the C-Suite, along with the CISO and CIO. Interestingly, the report has a section looking at how different roles view automation.
The lack of any one primary use case for greater automation in cybersecurity is also interesting. In fact, only one use case, regulatory and compliance, appeared more than twice in the top three across all five sectors. It raises the question as to which use cases can be seen as measures of maturity and which are simply the first steps on the ladder.
One thing that will hamper greater automation is the lack of new money. Taking it from other projects will create friction, and that, in turn, may well create new barriers to adoption. At the same time, a wider view of the macroeconomics around organisations shows other new technologies, such as generative AI and large language models (LLMs), that are also demanding greater budgets. Who will end up getting the most out of budgets going forward?
ThreatQuotient has provided a set of five recommendations that should provide a valid roadmap for those looking for a way to improve their automation. While it might be tempting to skip to those, there is much value to be had in reading the whole report.