Alerts are ignored and turnover is high as security teams suffer from incident overload, report says

James is editor in chief of TechForge Media, with a passion for how technologies influence business and several Mobile World Congress events under his belt. James has interviewed a variety of leading figures in his career, from former Mafia boss Michael Franzese, to Steve Wozniak, and Jean Michel Jarre. James can be found tweeting at @James_T_Bourne.

If every incident that happens at an organisation is of super-critical importance, then how can the system fully function? Alert overload for security teams is not uncommon, yet a new report from Critical Start encapsulates the issues many personnel face.

The company’s report, ‘The Impact of Security Alert Overload’, polled more than 50 security operations centre (SOC) professionals across enterprise and managed security services, finding that more than two-thirds (70%) of those polled check more than 10 security alerts per day. This is up dramatically from last year’s report, where only 45% got into double figures daily.

What’s more, teams are more likely to be diverted: more than three-quarters (78%) of those polled said it takes at least 10 minutes to investigate each alert, up from 64% in 2018, while almost half of respondents said they get a maximum of 20 hours of training each year.

The response to this is understandable; security teams either ignore high-volume alerts or try to fill the gaps by hiring more analysts. 38% of those polled agreed in both cases, while only two in five of those polled said their primary job role was to analyse and remediate security threats. In a potentially surprising finding, analysts ‘increasingly believe their role is to reduce alert investigation time or the volume of alerts’, as the report puts it.

Where a company’s security operations centre had too many alerts for the team to process, more than half (57%) dealt with it by turning specific alerting features off to reduce volume, and 39% simply ignored certain categories of alerts.

“The research reflects what we are seeing in the industry,” said Critical Start CEO Rob Davis. “As SOCs get overwhelmed with alerts, they begin to ignore low to medium priority alerts, turn off or tune out noisy security applications, and try to hire more bodies in a futile attempt to keep up.

“Combine that stressful work environment with no training and it becomes clear why SOC analyst churn rates are so high, which only results in enterprises being more exposed to risk and security threats,” added Davis.

If conditions continue to decline, the evident consequence is that analysts leave. 80% of those polled said their SOC had experienced at least a 10% turnover rate, with 6% of respondents saying more than half of their analysts had left over the past 12 months.

You can read the full report here (pdf, no opt-in).
