SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Many organisations still lack formal IT security training in 2024
Wed, 20th Dec 2023

As we enter 2024, organisations are examining the state of their security operations centres (SOCs) and how they measure performance, amid a cybersecurity landscape that continues to evolve in complexity and severity.

According to new research from the SANS Institute, sponsored by Expel, a security operations provider, more than 30% of organisations do not regularly perform cyber-readiness exercises, and 40% lack formal IT/security training programmes.

Dave Shackleford, senior instructor at the SANS Institute, stated that the research "sheds some light on the wide range of frameworks and metrics organisations use", although organisations had "mixed feelings" about the maturity of their security programmes.

He highlighted the importance of executive-level governance and well-defined security training programmes as areas for improvement. Shackleford believes that "As security operations mature, we expect to see these areas improve over time, but it will require intentional investment to see impactful results."

The report, titled 'Frameworks, Tools and Techniques: The Journey to Operational Security Effectiveness and Maturity', is based on survey findings from IT and cybersecurity professionals globally.

It reveals that 69.4% of respondents currently use a framework to help define and measure their policies, processes, and controls. The most popular framework is the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), selected by 74% of framework-using respondents, almost twice the share of any other framework.

The research also delivers some encouraging data; namely, two-thirds of respondents are using metrics to evaluate security efficacy. The top three metrics in use include security incidents (74%), vulnerability assessments (58.5%), and intrusion attempts (43.9%). However, nearly a quarter of respondents are not leveraging metrics, while another 11.8% remain unsure.

When it comes to IT and security training, more than 40% of organisations lack formal programmes. For those that do have training, video content is the most consumed (72%), followed by third-party certification exams (60%), emails with educational content (55%) and training through a Wiki or knowledge centre (34%).

Greg Notch, Chief Information Security Officer at Expel, stated that the findings demonstrated some "encouraging information" but also highlighted areas for improvement. He said "SOC teams seem to be making progress, but there’s more work to be done to avoid repeating mistakes that have vexed organisations for years."

The report offers insights into how organisations can improve their readiness for potential cyber threats, highlighting the role of benchmarking performance and the use of key performance indicators (KPIs) in driving security measures.