Survey: Poor Planning Hinders Enterprise Response to Security Incidents

Poor planning is keeping enterprises from responding quickly to major security threats, with only 52 percent of companies having a dedicated incident-response team in place even though 90 percent of them report experiencing major incidents throughout the year, according to a recent survey.

Major Incident Management Trends 2016, a survey on the state of IT emergency response conducted by Dimensional Research and commissioned by xMatters Inc., polled 400 IT professionals and found that that large organizations are still struggling to manage Internet security incidents. xMatters specializes in cloud-based communications management.

“Reliance on digital infrastructures has dramatically increased the impact and frequency of major incidents,” according to the report.

The report found that while IT and business leaders within individual companies are mostly aligned on what constitutes major incidents and how to resolve them, there is still a lack of standard definitions and processes between companies and across industries. “Without these standards, IT departments lack benchmarks and best practices to help drive improvements,” according to the report.

Indeed, companies’ struggle to respond to incidents is not for lack of trying, the study found. Two-thirds of IT departments have target resolution times when an outage occurs, but 76 percent of them routinely exceed their target times, which range from less than 15 minutes (7 percent) to longer than 90 minutes (19 percent).

Despite these poor numbers, 44 percent of companies said they don’t have a dedicated incident-response team, and even when they do 56 percent of those employees also play a different role in the enterprise.

Moreover, less than half of companies—49 percent—have some kind of automated notification system in place when there is an incident, which would speed response times considerably. Instead, 49 percent of respondents said team members are contacted manually, while 2 percent report having some other kind of notification system.

There also remains a certain amount of apathy among business stakeholders about the occurrence of incidents being inevitable, with 76 percent tolerating them as “an unavoidable fact of business,” according to the report.

The next several years will see companies beginning to change the current landscape by putting more streamlined processes in place to handle incidents, according to Dimensional Research. 

“Over the next few years, we expect more definitions to become standardized,” the report said. “Right now there is no one right way to organize teams or resolve major incidents.”