A survey of 297 cybersecurity professionals conducted by SANS Institute found 83% of respondents felt they had the right policies, processes and controls defined, but only slightly more than two-thirds (67%) have actual metrics and reports that prove that assertion.

Sponsored by Expel, a provider of security operations platform, the survey finds the most widely tracked metrics are security incidents (74%), vulnerability assessments (59%) and intrusion attempts (44%). A total of 62% said they are relatively confident that security operations, network security and vulnerability management are either very well-defined or well-defined, followed by identity and access management (IAM) (60%), penetration testing (49%), controls validation (49%), application security (44%) and third-party supply chain/risk management (41%).

Overall, 8% said security metrics and key performance indicators (KPIs) are useful and effective in driving improvements in security processes, with another 33% describing them as being generally effective.

The survey also notes that 73% of respondents work for organizations that have conducted risk assessments in the last 12 months, followed by 67% that have conducted security tests and 66% that have conducted internal security audits. Some only perform internal assessments (21%), but most use a combination of internal and third-party assessments (54%).

Slightly more indicate that they do perform benchmarking (45%) versus those that don’t (41%). Respondents who do perform benchmarking employ a variety of tools, including automated vulnerability scanning (78%), open source security tool testing (54%) and commercial security tool testing (49%).

Well over two-thirds (69%) also make use of a cybersecurity framework to define, measure and assess SOC performance, with a whopping 74% of those respondents employing the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) as their preferred methodology for managing cybersecurity.

Expel CISO Greg Notch said the NIST CSF framework is often favored because it focuses on distilling information into actionable intelligence. Most cybersecurity teams are overwhelmed by alerts, so a framework provides a method for proactively managing cybersecurity tasks, he added.

Overall, only 54% rated their SOC maturity as either high (16%) or somewhat mature (38%), so there is clearly still plenty of room for improvement.

There is also a significant training gap. A full 43% of respondents said they don’t have formal IT/security training programs in place. That’s an issue because, given the rising level of volume and sophistication, training should be table stakes for organizations, said Notch.

The survey also suggests cybersecurity teams are relying more on external services. Nearly half of respondents (48%) said their organization takes a hybrid approach to SOC that is made up of an in-house team and external services providers. Nearly half of those respondents (47%) increased reliance on managed services, with 16% increasing usage significantly.

Ultimately, each organization needs to right-size their cybersecurity investments based on the level of risk to the business, said Notch. The challenge, as always, is first ascertaining that risk level and then finding a way to share those insights in a way business leaders can appreciate, he added. In the meantime, there is no substitute for cybersecurity fundamentals, noted Notch.

One way or another, however, the one thing that is assured is the policies, processes and controls that cybersecurity teams have put in place will continuously be put to the test.