Security team size at the largest organizations does not scale with the number of overall employees, but their security teams are more likely to include staff in specialized roles, according to the results of the latest survey conducted by Osterman Research in partnership with ProtectWise.
The researchers interviewed 400 security analysts in the US to uncover the state of network security across mid-sized and large organizations, and found that despite a number of differences, mid-sized and large organizations share several pain points:
- Two-thirds of all respondents deal with security overload by prioritizing the highest value targets
- Nearly half of the respondents would like for data to be retained longer
- The polled analysts anticipate they will spend more time both on processing security incident logs and remediating security incidents over the next two years.
The research also pinpointed some of the differences. As noted above, large organizations generally do not have a much larger security team than mid-sized ones.
“The mean number of employees at the largest organizations surveyed was almost 26,000. These companies had an average of 17.5 security personnel, or one security pro for every 1,488 employees,” the survey showed.
At the same time, the mean number of employees at the midsized companies surveyed was almost 2,510 (an average of 13.3 security personnel, i.e., one security pro for every 189 employees).
“This means that security pros at the largest organizations are unable to dedicate the same number of person-hours per 1000 employees as smaller companies can,” the researchers noted.
Keeping in mind that larger organizations face a greater number of threats and generally experience a higher rate of false positives, the survey results show that security teams at the largest organizations spend fewer hours detecting and remediating threats than those at mid-sized companies, but more hours reviewing incident logs.
“Security teams within smaller organizations spend more time and resources on triage. Meanwhile, security teams in the largest organizations are prioritizing threat intelligence, forensics and threat hunting,” the researchers pointed out.
Another thing that differentiates the security teams of large organizations and mid-sized ones is the number of specialized roles:
“Among various specializations, organizations with threat intelligence specialties appear to gain the most significant benefits. Having a TI role does not save security staff any time investigating alerts, but it does save time in detection/understanding of threats,” they noted.
“Effectiveness seems to increase as teams transition from a simple focus on triage, to triage and threat hunting, finally evolving to triage, threat hunting and threat intelligence.”
Finally, while more than 50 percent of organizations are using both endpoint and network security tools for remediation, the reliance on endpoint-only tools decreases as organization size increases.
“Despite the amount of public discussion, the use of endpoint security to remediate security incidents may be more suitable for smaller organizations and/or those with less complex environments, with organizations graduating to network security as the size of the organization, security team and the number of alerts and threats increases,” Michael Osterman, principal analyst of Osterman Research, pointed out.