SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Asia
Guides
#
cloud security
#
cybersecurity
#
endpoint protection
#
firewall
#
ransomware
Search
Story image
#
Cybersecurity
#
IT Training
#
Digital Skills
Many organisations still lack formal IT security training in 2024
Wed, 20th Dec 2023
Author image
By Catherine Knowles, Journalist
Follow us

As we enter 2024, organisations are examining the state of their security operations centres (SOCs) and how they measure performance, amid a cybersecurity landscape that continues to evolve in complexity and severity.

According to new research from the SANS Institute, sponsored by Expel, a security operations provider, more than 30% of organisations do not regularly perform cyber-readiness exercises, and 40% lack formal IT/security training programmes.

Dave Shackleford, senior instructor at the SANS Institute, stated that the research "sheds some light on the wide range of frameworks and metrics organisations use", although organisations had "mixed feelings" about the maturity of their security programmes.

He highlighted the importance of executive-level governance and well-defined security training programmes as areas for improvement. Shackleford believes that "As security operations mature, we expect to see these areas improve over time, but it will require intentional investment to see impactful results."

The report, titled 'Frameworks, Tools and Techniques: The Journey to Operational Security Effectiveness and Maturity', is based on survey findings from IT and cybersecurity professionals globally.

It reveals that 69.4% of respondents currently use a framework to help define and measure their policies, processes, and controls. The most popular framework is the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) with 74% of framework-using respondents selecting it, almost twice as any other framework.

The research also delivers some encouraging data; namely, two-thirds of respondents are using metrics to evaluate security efficacy. The top three metrics in use include security incidents (74%), vulnerability assessments (58.5%), and intrusion attempts (43.9%). However, nearly a quarter of respondents are not leveraging metrics, while another 11.8% remain unsure.

When it comes to IT and security training, more than 40% of organisations lack formal programmes. For those that do have training, video content is the most consumed (72%), followed by third-party certification exams (60%), emails with educational content (55%) and training through a Wiki or knowledge centre (34%).

Greg Notch, Chief Information Security Officer at Expel, stated that the findings demonstrated some "encouraging information" but also highlighted areas for improvement. He said "SOC teams seem to be making progress, but there’s more work to be done to avoid repeating mistakes that have vexed organisations for years."

The report offers insights into how organisations can improve their readiness for potential cyber threats, highlighting the role of benchmarking performance and the use of key performance indicators (KPIs) in driving security measures.

Related stories
Smarttech247 & SentinelOne launch AI-powered cybersecurity for SMEs
GitHub's 2FA initiative helps secure software supply chain
ExtraHop report shows Singapore firms vulnerable to ransomware attacks
Jason Haddix joins Flare as Field Chief Information Security Officer
Ransomware threats escalating in Southeast Asia – report
Top stories
Zscaler introduces enhanced ZDX service for improved IT operations
The importance of cybersecurity training for software developers
HID acknowledged as Leader in Gartner Magic Quadrant for Indoor Location Services
Exclusive: How Darktrace is tackling AI-driven cybersecurity
Record ransomware attacks in March 2024, report finds