Guest Post with Mahendra Ramsinghani: CISOs Need to Walk in the Shoes of a Security Analyst
Did you know that 50-80 percent of chief information security officers (CISOs) have never been security analysts? This means they likely have never had to triage, orchestrate, enrich, alert, prioritize, remediate, or ticket security threats, or deal with most of the responsibilities that security analysts deal with on a day-to-day basis. It’s the equivalent of a U.S. Army general who has never held a weapon in his hand trying to blindly lead a team of foot soldiers. This creates one big fundamental question: How do CISOs, along with their security teams, decide which weapons – tools and technologies – are best suited to empower security analysts?
The Role of a CISO
Let’s take a step back and look at the role of the CISO – a management position that is usually appointed by either the CIO or CEO. CISOs play many roles depending on the organization – they can be some combination of the voice of reason, a risk mitigator, security budgeter, project manager, board communicator, or all of these. In a lot of cases, when a security breach happens, the CISO is the one who takes the fall. Because of this, most CISOs typically do not last more than 2-3 years at one company. In fact, one CISO told me it has become a “war out there” and the stresses of being in a perpetual firefighting mode are “not healthy for your soul in the long run.” The amount of pressure in this role is, without a doubt, immense.
The Role of the Security Analyst
The foot soldiers (security analysts) are on the front lines taking in a daily fire hose of alerts, logs, threats, and vulnerabilities, as well as dealing with asset mapping, root-cause analysis, and audits. Between analysis and triage, incident response and threat hunting, the work at the entry level is often a mixed, messy world that includes tracking multiple data sources, gathering the right set of information and correlating data from thousands of raw alerts generated by firewalls, systems such as IDS/IPS, SIEM and endpoint protection tools, among others. A tier 1 analyst’s first step is to triage and correlate the alerts, make sense of large volumes of data, and distinguish a false positive from an actual threat. Then, they must prioritize the alerts and pass them along to a tier 2 analyst to further investigate and determine the right course of action.
Security Analysts Are Failing to Win the War
Security analysts are facing a lot of challenges when it comes to sifting through alerts – namely that the systems they use are far too complex and disparate. Also, the status quo for companies today is to centralize all their security data. However, this is usually impossible – data volume and distribution make centralization impractical and extraordinarily expensive.
A recent survey by Tines, an early-stage cybersecurity company, polled 400 security analysts, and the following results zero in on many of the pain points they are currently facing (CISOs – take note!):
- 71 percent of security operations center (SOC) analysts experience burnout as workloads keep increasing
- More than 60 percent of analysts felt that over half of their time was spent in tedious tasks that could be automated
- 64 percent of analysts said they will switch jobs in the next year
What’s more, in an October 2021 SANS Survey of 127 SOC analysts, more than 46 percent of analysts pointed out that their greatest challenges included lack of orchestration, visibility, context, and a siloed mentality between security, IR, and operations.
How to Win the War
It’s clear that the tools and technologies security analysts are currently using are hindering their ability to get their jobs done so that they can better protect their organizations. Action needs to be taken from the CISO level down, with CISOs fully realizing the challenges security analysts face. A reevaluation of the security budget, adding automation tools, and ensuring enough analysts are on board (good luck with that) are only a baseline for solving this problem.
Dhiraj Sharan and Andrew Maloney started Query.AI to tackle this exact challenge, by creating the Query.AI Security Investigations Platform. The platform can unlock access to and value from cybersecurity data wherever it lives – across cloud, third-party SaaS, and on-prem environments – regardless of vendor or technology, without requiring centralization. However, no matter what technologies a company chooses to use, they need to be simple and effective to make the security analyst’s job easier, not more complicated.
The bottom line is that security analysts need a solution that provides a single view into a potential security threat that can give them all the information they need to make an informed decision to either act or not. On top of that, they also need a CISO who understands their challenges and has a constant open line of communication. By having a direct line to the CISO, security analysts are able to see a path to the CISO chair, which removes the idea that they’re in a dead-end job. In the end, a savvy CISO must understand the “weapons” their analyst teams need to be successful. Once this is established, leading the troops to victory becomes easy!