Cybersecurity professionals are a core element of an organization’s cyber defenses. While much has been written about the shortage of skilled cybersecurity staff, far less focus has been given to how to enable these professionals to make the greatest impact. In short, how best to set them up for success.
Our recent analysis aims to advance understanding in this area by exploring the question: Does organizational structure affect cybersecurity outcomes? The findings will hopefully prove useful for anyone considering how to structure a cybersecurity function to achieve the best outcomes.
Approach
Our starting point was an independent survey commissioned by Sophos into the experiences of 3,000 IT/cybersecurity professionals working in mid-sized organizations (between 100 and 5,000 employees) across 14 countries. The research was conducted in the first quarter of 2023 and revealed the realities of ransomware, cyber risk, and security operations for security professionals operating at the frontline. The findings formed the basis of the Sophos State of Ransomware 2023 and State of Cybersecurity 2023 reports.
This analysis looked at those cybersecurity experiences through the lens of the organizational structure deployed. The goal was to identify if there is any relationship between structure and outcomes and, if so, which structure reported the best results.
Survey respondents selected one of the following models that best represented the structure of the cybersecurity and IT functions in their organization:
- Model 1: The IT team and the cybersecurity team are separate organizations (n=1,212)
- Model 2: A dedicated cybersecurity team is part of the IT organization (n=1,529)
- Model 3: There is no dedicated cybersecurity team; instead, the IT team manages cybersecurity (n=250)
Nine respondents did not fall into any of these models and so were excluded from the analysis. Organizations that fully outsourced their cybersecurity, for example, to an MSSP, were excluded from the research.
Executive summary
The analysis revealed that organizations with a dedicated cybersecurity team within a wider IT team (model 2) report the best overall cybersecurity outcomes relative to the other two groups. Conversely, organizations where the IT and cybersecurity teams are separate (model 1) reported the poorest overall experiences.
While cybersecurity and wider IT operations are separate specializations, the relative success of model 2 may be because the disciplines are also intrinsically linked: cybersecurity controls often have a direct impact on IT solutions, and basic cyber hygiene (for example, patching and locking down RDP) is often executed by the IT team rather than the security team.
The study also made clear that if you lack essential cybersecurity skills and capacity, how you structure the team makes little difference to many of your security outcomes. Organizations looking to supplement and extend their in-house capabilities with specialist third-party cybersecurity experts (for example, MDR providers or MSSPs) should look for flexible partners who demonstrate the ability to work as an extension of the wider in-house team.
Analysis highlights
The analysis compares the reported experiences of the three groups across a number of areas, revealing some thought-provoking outcomes.
Root cause of ransomware attacks
Interestingly, the reported root cause of ransomware attacks varied by organizational structure:
- Model 1: Almost half of attacks (47%) started with an exploited vulnerability, while 24% were the result of compromised credentials.
- Model 2: Exploited vulnerabilities (30%) and compromised credentials (32%) were almost equally likely to be the root cause of the attack.
- Model 3: Almost half of attacks (44%) started with compromised credentials, and just 16% with an exploited vulnerability.
Ransomware recovery
Model 1 organizations were far more likely to pay the ransom than the other groups, and reported the lowest rate of backup use to recover encrypted data. In addition to being the group most likely to pay the ransom, model 1 organizations also reported paying much higher ransoms, with their median payment more than double that of models 2 and 3.
Security operations
The biggest takeaway from this area of analysis is that while model 2 organizations fare best in security operations delivery, most organizations find it challenging to deliver effective security operations on their own. Essentially, how you structure the team makes little difference if you lack essential capacity and skills.
Day-to-day cybersecurity management
There is a lot of common ground in this area across all three groups, and all experience similar challenges. More than half of respondents in all three models report that cyberthreats are now too advanced for their organization to deal with on their own (60% model 1; 51% model 2; 54% model 3).
All models also share similar worries around cyberthreats and risks. Data exfiltration and phishing (including spear phishing) feature in the top three cyber concerns for all three groups, and security tool misconfiguration is the most common perceived risk across the board. Essentially, everyone has the same top concerns, independent of organizational structure.
Important note
While this analysis provides unique insights into the correlation between IT/cybersecurity structure and reported outcomes, it does not explore the reasons behind these results, i.e. causation. Every organization is different, and the structure of the IT/cybersecurity function is one of many variables that can affect the propensity to achieve good security outcomes, including industry sector, the skill level of team members, staffing levels, the age of the organization, and more. These learnings should be used alongside other considerations to identify the best approach for an individual organization.
Learn more
To learn more and see the full analysis, download the report.
As stated, this analysis focuses on correlation rather than causation, and further research is needed to understand the reasons behind these outcomes. In the face of today’s cybersecurity challenges, any gain for defenders is important and we hope this analysis will spur further study into how organizations can leverage their internal structure to help optimize their defenses.