With cyberattacks and breaches on the rise, security should be a major concern for all companies. In particular, adopting a security analytics maturity model is a useful addition to traditional security information and event management (SIEM)-based operations.

It is possible to step away from applying only the traditional SIEM model, with its rule-based analytics, and move toward an integrated approach. The security capabilities built over the last decades on SIEM and security orchestration and response are valuable. Organizations can now move toward a security model that combines the strengths of the traditional SIEM model with data science.

Although there is not a one-size-fits-all approach when it comes to implementing a security analytics program, the security maturity model gives an indication of what one can expect and what many organizations have experienced. By identifying in which stage of the maturity model your company is, you can identify key milestones to focus on to move to the next stage as quickly and smoothly as possible. 

The Cost of a Data Breach is Time and Money

A recent market study found that the average cost of a data breach is $3.9 million. As if this wasn’t enough, the same study also showed that a breach stays undetected on average for 280 days within the company’s environment.

What does the 280-day figure mean for SIEM-based analytics? Data analytics and business intelligence analyze huge amounts of data to identify anomalies or create predictions based on historic data, but SIEM operations focus on real-time events and correlation of events ranging from one minute to seven days ago. This timeframe is 273 days too short. In that time, indicators and traces of an attacker might get lost or might not be correlated with current events.
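The gap described above, as an added example that is not part of the original article: a minimal correlation routine run over a constructed alert stream. A low-severity precursor alert is followed by an exfiltration-like event on the same host, once two days later and once 200 days later. A seven-day correlation window (the upper end of the range the article cites) links only the first pair; an unbounded, history-backed correlation links both. Host names, alert names and day offsets are invented for illustration.

```python
from collections import defaultdict

# Constructed alert stream (not real data): (day_offset, host, alert_name, severity).
# Day 0 is the start of the retained history. The ws-017 precursor on day 5 and its
# large outbound transfer on day 205 are 200 days apart, within the 280-day average
# dwell time the article cites but far outside a 7-day correlation window.
ALERTS = [
    (5,   "ws-017", "suspicious_scheduled_task", "low"),
    (40,  "ws-003", "suspicious_scheduled_task", "low"),
    (42,  "ws-003", "large_outbound_transfer",   "medium"),
    (205, "ws-017", "large_outbound_transfer",   "medium"),
]

# Hypothetical rule: escalate when a host that earlier raised a low-severity
# precursor later shows a large outbound transfer.
PRECURSOR = "suspicious_scheduled_task"
TRIGGER = "large_outbound_transfer"


def correlate(alerts, lookback_days):
    """Return (host, precursor_day, trigger_day) for every trigger whose host
    raised the precursor at most `lookback_days` earlier.

    lookback_days=None means the full retained history is consulted, which is
    what a data-science style baseline over historic data can do and a
    real-time SIEM correlation window cannot.
    """
    precursors = defaultdict(list)  # host -> days on which the precursor fired
    hits = []
    for day, host, name, _severity in sorted(alerts):
        if name == PRECURSOR:
            precursors[host].append(day)
        elif name == TRIGGER:
            for precursor_day in precursors[host]:
                if lookback_days is None or day - precursor_day <= lookback_days:
                    hits.append((host, precursor_day, day))
    return hits


def siem_window(alerts, window_days=7):
    """Correlation limited to a short SIEM-style window (default 7 days)."""
    return correlate(alerts, window_days)


def long_horizon(alerts):
    """Correlation over the whole retained history."""
    return correlate(alerts, None)


if __name__ == "__main__":
    print("7-day window :", siem_window(ALERTS))   # only ws-003 is linked
    print("full history :", long_horizon(ALERTS))  # ws-003 and ws-017 are linked
```

The difference is not the rule itself but how much history the rule can see: the same precursor-then-transfer logic finds the long-dwell case only when the precursor is still available for correlation on day 205.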

Instead, you can implement a new approach to security analytics based on data science. This approach, organized around a maturity model, uses the same tools and skill sets as business analytics but applies them to security events and their metadata. Many organizations already have a large number of skilled data analysts within their ranks who focus primarily on business intelligence and market analysis. With this approach to security analytics, you can expand this team by adding security-focused data analysts while reusing the skills, tools and culture of the company’s current data analytics team.

Security Maturity Model Stages

The core idea of a maturity model is to identify the current standing of security operations, as well as to determine what the next stage is and how to get there. The goal is to identify which areas to focus on in order to move to the next stage as quickly and smoothly as possible. This maturity model is focused on six dimensions: vision; operating model; data and technology; engineering and operations; change management; and people and enablement.

Figure: the six dimensions of the security analytics maturity model. Source: Joerg Stephan, Kim de Vries, Richard de Vries

The maturity model measures the maturity of a company. It functions as a guide on the journey toward full transformational maturity. In starting this journey, you will find colleagues in your company who have already thought through these phases and are waiting for the company to catch up.

1. Inactive

Sporadic business needs or individuals drive security analytics projects and dashboards, but the organization does not have long-term security planning, roadmaps or governance. Sporadic activities may happen in small and/or isolated pockets across the organization due to a lack of a structured enterprise-wide mechanism or insight. Most of these analytical projects are only active in proof-of-concept or test environments.

Being inactive is tough, but it is also a nice place to be. In this stage, everything you do will have an impact right away. Consider founding a tribe or guild. Find the thought leaders in your company and give them the time and resources to explore how to use the maturity model framework to move to the next stage.

2. Aware

This phase is sometimes called “Explore.” Companies are aware of data-driven security analytics. They have started exploring the benefits and insights analytics could provide to increase resiliency. The organization is still primarily dependent on ad hoc processes and reporting for analytical insights. Decision makers consider feasibility and impact only to a certain extent. The company is aware of the need to support security analytics but has not put in place a strategy or methodology to do so.

3. Active

Security analytics slowly makes its way into daily operations. The security team is beginning to learn about and implement security analytics use cases beyond ad hoc requests. The use cases are starting to become more strategic and focused on structurally improving day-to-day operations and decision making. The reports go beyond descriptive statistics and tackle more strategic and insightful questions. These include trying to make inferences about future state models and risks. There is moderate management-level engagement with data-driven security analytics projects and their outcomes.  

4. Operational

The organization uses data analytics to enhance understanding. Stakeholders use it in daily operations to support decision making at various levels and across departments. Management knows about all security analytics-related projects in the organization. However, the departments and their analytical insights have not been fully integrated.

5. Systemic

Data analytics is starting to become the focus from the top down. Not only is security analytics part of day-to-day operations, but it also is becoming a strategic focus and part of the business strategy. C-suite stakeholders are committed, engaged and support the transformational program. The business strategy and plan for most teams are clearly defined and aligned with the security roadmap, planning and security governance. The predictions and insights are used for structural improvements throughout the organization and strategic direction. 

At this stage, the organization should start cross-competency tribes to learn from each other and standardize tooling and data collection. It saves training costs and reduces downtime when cross-competency teams attend training together. Additionally, people from other teams can contribute to algorithms if needed.

6. Transformational

Companies that are truly transformational apply new tools and techniques and push for innovation. They aim to constantly grow data analytics capabilities and use them to achieve a competitive advantage. Data analytics capabilities are embedded in the organizational fabric with appropriate architecture and infrastructure underpinning performance. Every department explores security analytics use cases to optimize insights. Analysts combine information and data from different departments. They create holistic models underpinning the company’s security posture and detecting risks and threats.

Looking to the Future

First, companies should focus on formulating a long-term security analytics strategy with a maturity model. This will provide direction and focus to the use cases. By creating this long-term vision, you can focus on the use cases that are needed and have the highest priority to ensure maximum effectiveness. Second, companies should focus on attracting and nurturing talent as early as possible. Having a dedicated and innovative team will help you move security analytics solutions forward. Lastly, companies should focus on transforming the infrastructure and data architecture to enable and optimize performance for security analytics.
