SANS Institute Research Shows What Frameworks, Benchmarks, and Techniques Organisations Use on their Path to Security Maturity
December 2023 by SANS INSTITUTE
Expel, the security operations provider that aims to make security easy to understand, use and improve, today released a new research report, “Frameworks, Tools and Techniques: The Journey to Operational Security Effectiveness and Maturity” by the SANS Institute. Commissioned by Expel, the report shares and analyses research on a range of security operations centre (SOC) practices and outlines the current state of the SOC within many organisations, based on in-depth survey findings of IT and cybersecurity professionals from around the world. This research set out to:
• Determine if frameworks are used to define, measure and assess SOC functions and, if so, which framework(s) organisations prefer
• Assess SOC metrics currently in use and the presence of any policies and training, as well as respondents’ sentiment regarding efforts to improve cybersecurity
• Capture respondents’ self-assessment process for their organisation’s security program maturity and examine the security program components that contribute to maturity
• Learn if organisations benchmark performance and whether they use KPIs to drive improvements in security processes
“Our research sheds some light on the wide range of frameworks and metrics organisations use, but also shows that respondents have mixed feelings about the maturity of their security programs,” said Dave Shackleford, senior instructor at the SANS Institute. “Not enough respondents’ organisations have executive-level governance, and too many are missing well-defined training programs. These are important gaps that must be addressed. As security operations mature, we expect to see these areas improve over time, but it will require intentional investment to see impactful results.”
Below is a selection of the insights from the SANS Institute’s research:
The majority of respondents employ a cybersecurity framework, with the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) being most popular.
The survey found that 69.4% of respondents currently use a framework to help define and measure policies, processes, and controls, while only 22.1% don’t. Almost three-quarters (74%) of respondents that employ a framework use the NIST CSF, almost twice as many as the next three most popular frameworks (ISO 27001, NIST 800-37, and MITRE).
Good news: two-thirds of respondents use metrics to assess and improve security.
Two-thirds of respondents are currently using metrics to assess operational security performance. Just under 22% are not, and another 11.8% aren’t sure. The top three metrics collected and measured by respondents include security incidents (74%), vulnerability assessments (58.5%), and intrusion attempts (43.9%).
Organisations can improve their use of IT and security training programs and cyber-readiness exercises.
More than 40% of respondents said they don’t have formal IT/security training programs in place. Of those that have training, more than 72% consume materials via video content, 60% use third-party certification exams, 55% get regular emails with educational content, and about 34% reported that they train through a Wiki or knowledge centre. Upwards of 30% of respondents don’t perform cyber-readiness exercises on a routine basis. Those that do perform cyber-readiness exercises rely on penetration tests and tabletop exercises (tied at 73.7% each) along with incident response testing (71.7%). Disaster recovery tests (56.1%) and red/blue/purple team exercises (38.6%) round out the responses.
Read the full report to see data on other SOC trends, like hybrid SOC usage, how respondents view the usefulness of security metrics and key performance indicators (KPIs), and how organisations rate their SOC maturity.
“The research revealed a lot of encouraging information, especially around how respondents are leaning on frameworks to help assess and drive their security programs. These frameworks are some of the most useful tools for driving the effectiveness of security operations,” said Greg Notch, Chief Information Security Officer, Expel. “That said, there are certainly a lot of areas for improvement, specifically in terms of preventative measures. SOC teams seem to be making progress, but there’s more work to be done to avoid repeating mistakes that have vexed organisations for years.”