The quality of business cybersecurity practices has improved slightly over the last two years – but only slightly, according to the latest Hewlett Packard Enterprise Co. State of Security Operations report.

HPE’s in-depth assessment of 137 security operations centers in 183 companies, which has been ongoing since 2008, finds that more than 26 percent fail to score a security operations maturity model – or SOMM – rating of one on a five-point scale. Such organizations “operate in an ad-hoc manner, with undocumented processes and significant gaps in security and risk management,” researchers report.

While the percentage of organizations in that miserable condition decreased slightly over the last year, the drop was only 1 percent. On the somewhat brighter side, 18 percent of assessed organizations have met or are working toward recommended security maturity levels, which is up slightly over the last couple of years.

Progress has been slow, however. The kick in the pants that jolts organizations into action is often financial loss due to a malicious attack, HPE says. Unfortunately, the number of organizations that meet that definition has been growing rapidly.

The report that found no meaningful difference in security preparedness based upon the size of the organization. Services companies fared best and telecommunication providers worst. In general, companies do best at relating security practices to business results and at implementing technology. They fare worst at putting reliable processes in place to detect and respond to vulnerabilities and breaches.

Organizations that achieve the highest maturity levels are typically those that map security practices to desired business outcomes, have policies in place, retain their best people can gather threat intelligence from across the organization. Researchers have high praise for “fusion centers,” in which the security operations center, or SOC, provides process governance, information-sharing and security expertise. That enables security teams across the organization to collaborate better or to tap into SOCs that are at higher maturity levels.

Much is broken

However, much of the report focuses on practices that aren’t working, or that sap resources that could be better deployed elsewhere. One of these is “threat hunting,” a new trend that has organizations applying analytics to hunt for potential bad actors before they strike. Although threat hunting is not inherently bad, HPE says, it’s no substitute for classic security information and event management. Many of the threats turn out to be mis-configured applications rather than real threats.

Researchers also take a dour view toward security outsourcing, unless it is done under the watchful eyes of internal staff. Too many organizations go the fully outsourced route with the expectation that they can entirely avoid liability that way, but they are mistaken, the report says. Outsourcing organizations are careful to specify that businesses retain liability for their own problems.

In fact, total outsourcing can backfire. “By completely handing off the solution to a provider that is not aware of the day-to-day operations and change within the organization, there is a gradual erosion in the business value from outsourced security solutions that results in gaps managing risk, security and compliance objectives,” the report says.

A better alternative is what researchers call a” hybrid solution,” in which the operational capability of the service provider is brought in to supplement internal security operations. It is perhaps not a coincidence that HPE offers precisely these kinds of services.

Government’s triple whammy

The report devotes special attention to weaknesses in the public sector, which suffers from the toxic combination of rigid rules, frequent turnover and limited upward mobility for security staff. Limited resources require many public-sector organizations to rely heavily upon outsourcing, with its contingent risks. They benefit from internal stakeholders who can help contracted service providers understand the organizational structure and make changes in a timely manner, the report says. However, the overall negative outlook on public sector security is ominous in light of recent reports about Russian interference in the U.S. election and 2015’s big breach at the U.S. Office of Personnel Management.

Open-source security tools also come in for a bit of a scolding from HPE, in particular because of the high levels of customization they require. With security leadership tenure averaging 18 months, the departure of people who understand how the tools are supposed to work can effectively leave organizations dead in the water. Over-reliance on open-source “consistently hinder[s] organizations, with most programs deteriorating and collapsing after the departure of key personnel that were intimately familiar with the custom solutions,” researchers write. On the other hand, “collaboration, sharing and open source tools now provide a more palpable entry point for organizations struggling under minimal security budgets to deploy security operations.”

Attempts to automate the threat detection and response process also usually yield disappointing results, the report says. Success requires “a high degree of confidence and accuracy in configuration management data,” but what usually happens is that organizations simply automate the ticket generation process. This creates a culture of triage, which creates more risks by simply slapping Band-Aids on real vulnerabilities.

Image courtesy of HPE