A False Sense of Cybersecurity


A FALSE SENSE OF CYBERSECURITY
HOW FEELING SAFE CAN SABOTAGE YOUR BUSINESS

Overconfidence might be a threat to your business.

We recently surveyed 500 senior cybersecurity professionals – and found that while most have suffered a breach, almost all felt that there were no gaps in their cybersecurity coverage.

In fact, it seems that the safer you feel, the more danger your business is in. So, how strong is your confidence? Could you unknowingly be jeopardising your business?

01
ADARMA | A FALSE SENSE OF CYBERSECURITY

Executive summary

Despite high levels of confidence many organisations have experienced cyber breaches, highlighting the need for a more comprehensive approach to cybersecurity. The complexity and fragmentation of the cybersecurity market, the rapid adoption of multiple tools and a shortage of skilled staff further contribute to the challenge. To address these issues, several key recommendations are provided:

1. Consider the entire lifecycle of security technology
It is essential to monitor the technology itself and evaluate its effectiveness regularly. Organisations must ensure they have the capability and resources to manage their security tools effectively to avoid creating a costly and unrealistic security blanket. Different tools may require specific expertise, so it is essential to have professionals skilled in managing various technologies.

2. Be selective in data ingestion
Organisations should focus on identifying the specific data sources that cover their unique use cases instead of indiscriminately ingesting vast amounts of data. By ingesting logs that alert to malicious behaviour particular to the organisation, teams can save costs and avoid alert fatigue. Threat modelling is an effective way to facilitate this. Also, ensure you have processes that involve regularly reviewing data ingestion and evaluating the effectiveness.

3. Avoid creating analytic islands
In the face of digital fragmentation, organisations should strive to connect their data to gain a holistic view of their entire infrastructure. This requires expertise in understanding data sources and their value and building integrations and automation to ensure comprehensive visibility.

4. Review tool configurations
Tool configurations should be regularly reviewed to ensure their effectiveness and suitability for providing the required coverage. Engaging an independent third party to assess and provide an unbiased evaluation is recommended.

5. Use Artificial Intelligence (AI) cautiously
While AI has the potential to reduce false positives and aid in decision-making, its use should be approached with caution. The technology is still evolving, and organisations should closely monitor its use and decision-making to build trust and confidence.

6. Consolidate the security stack
Consolidation can improve efficiency, visibility and reduce complexity in the security stack. However, organisations must carefully evaluate what to consolidate and the value it brings. Engaging an independent security architect can ensure the motivations of various parties are considered, preventing adverse impacts on cyber resilience.

7. Trust in people, not just technology
Confidence in cybersecurity professionals is crucial, as they play a significant role alongside the tools they leverage. Understanding your business context and the threats most likely to impact you will help inform your security controls strategy. Recognising gaps in control coverage allows organisations to take steps to address them. Overconfidence can leave organisations vulnerable to unexpected attacks.

8. Engage with stakeholders outside of technology
Data owners are invaluable in assessing the impact of an event, as are representatives from Legal and Compliance. In addition, communications specialists can help proactively develop internal and external communications plans.

9. Use KPIs to ensure that you are delivering the outcomes you expect
Test regularly so that processes are embedded into all participants’ DNA. This will facilitate a rapid response from all stakeholders, reducing the impact on cybersecurity professionals by allowing them to focus on incident remediation.

10. Support cybersecurity professionals
Security professionals often face high-pressure situations and feel a personal commitment to defending their organisations. Investing in workplace well-being initiatives and considering third-party Managed Security Services Providers (MSSPs) can help alleviate some pressures and support the team’s mental health.

By implementing these recommendations, organisations can address the challenges of over-confidence, avoid complacency, and enhance their cybersecurity posture, effectively protecting their business from emerging threats.

Contents

Executive summary 02
Contents 04
Introduction 06

1 COMPLEXITY AND RISK 08
Does increasing the number of cyber security tools lower your risk of cyberattack? 10
Is the fragmented security technology landscape increasing risk to security teams? 14
Is cybersecurity shifting to a data problem? 17

2 THE DRIVE TO CONSOLIDATE 18
The drive to consolidate 20
Consolidation challenges 23

3 ARE SECURITY TEAMS TOO CONFIDENT? 24
Confidence vs. reality 26
Battle-ready or just battle-tested? 28
High confidence correlates with your odds of having suffered an attack 30
Adarma's approach to assessing coverage starts from the top down, examining six key steps 32

4 HARNESSING THE FULL POTENTIAL OF ARTIFICIAL INTELLIGENCE 36
How can the integration of AI and automation enhance security operations? 38
Automation: A challenge of resources and priorities 40

5 THE STATE OF OUR SECURITY TEAMS 44
Pressure, productivity and performance 46
Capability and expertise 47
Improving capability and performance 49
Cultural impact on response to a major ransomware attack: a case study of a global industrial business 50
Prioritising wellbeing 53

6 RECOMMENDATIONS & CONCLUSION 54
Conclusion 55
Recommendations 56
Research methodology 58
Appendix 59
About Adarma 60


Introduction

Over the years, the cybersecurity market has grown and developed, but it has also become more complicated and crowded.

The UK Government's Cyber Security Sectoral Analysis 2023 reported that 1,979 companies are operating in the UK market, offering cybersecurity products and services. With so many acronyms like SIEM, SOAR, EDR, NDR, MDR, XDR, IDS, IDP, VM, SOC, it is no wonder that the market is difficult to navigate. Vendors often over-promise, claiming to be able to eliminate all threats and breaches. Our research shows that 61% of those surveyed believe that the technology landscape's fragmentation poses a challenge to improving their security capability and performance.

It is no surprise that as organisations expand their IT capabilities, adopt numerous SaaS services, move to the cloud, and employ remote workers, their security teams have accumulated a vast array of security tools and technologies. Many of these point solutions promised to be the silver bullet to end all security woes. But instead, they have left many organisations with a patchwork of solutions, overlapping in capability or presenting gaps.

Furthermore, they are struggling to hire and keep the necessary talent to manage and optimise this complex technology stack.

Meanwhile, cybersecurity has been working its way up the Board’s agenda, now listed as a top 3 risk by most. Cybersecurity has also moved from what was formerly seen as a compliance function or the implementation of technical controls to one that allows the organisation to exploit the opportunities that technology presents, driving the company’s agenda and delivering business outcomes and real value across the organisation.

Adarma is an independent leader in detection and response services. We specialise in designing, building and managing cybersecurity operations and run a UK-based Security Operations Centre staffed by over 150 security analysts, engineers and delivery managers. We deliver hybrid SOC services and security advisory to enterprise customers across financial services, insurance, retail, aviation, manufacturing, technology and defence.

As we work closely with in-house security teams through our Hybrid SOC engagements, we aim to gain a better understanding of the challenges faced in the Security Operations field. This includes dealing with outdated legacy technology, adapting to new advancements like AI, and coping with the ongoing skills shortage that affects the cybersecurity industry.

This report aims to uncover security teams' challenges and discuss strategies for overcoming them.


CHAPTER 1

COMPLEXITY & RISK

Does adding more cybersecurity tools really enhance your safety or could it increase risk?


Does increasing the number of cyber security tools lower your risk of cyberattack?

It might be a natural assumption that an organisation would become more secure with more security tools. We asked our research respondents to select the security tools currently implemented in their organisation from a list of 20 tool categories defined by Gartner, see Appendix 1. The mean number of tools selected was five.

Figure 1 is the correlation of the number of tools compared with whether an organisation had been breached in the past two years. This displays an inverse relationship, indicating that the more tooling an organisation has, generally, the more likely they are to have been breached.

There are other factors at play here; we assume organisations with more tools are larger and are likely to be in more highly targeted sectors for example.

However, what we can conclude, is that despite the variety of tooling they had in place, they suffered a cyber breach regardless.

It should be noted that we did not specify the definition of a 'cyber breach' in this context. Therefore, it was left up to the respondents to determine what they considered a breach to be.

Figure 1: Number of security tools vs. breach
Number of security tools vs. whether the organisation had suffered a cyber breach in the past 2 years. Each row gives the percentage of respondents with that number of tools answering "Suffered a breach in the past 2 years?" with No / I don't know / Yes (rows where the chart shows only two values sum to 100, so "I don't know" is 0).

Number of security tools   No   I don't know   Yes
18                          0        0         100
17                         17        0          83
16                         14        0          86
15                        100        0           0
14                         25        0          75
13                         20        0          80
12                         11        0          89
11                         17        0          83
10                         11        0          89
9                          13        0          87
8                          25        0          75
7                          21        0          79
6                          37        0          63
5                          33        0          67
4                          37        2          61
3                          21        7          72
2                          36       11          53
1                          26       12          62


Assuming that having more security tools will automatically lead to enhanced security is a simplistic notion that overlooks the intricacies and overlaps of security technology.

Scott McElney, the CISO of the Weir Group, has pointed out that adding more tools may increase risk due to the complexities involved in managing them and the requisite skills needed to configure and optimise them. Furthermore, it may be difficult to identify any duplications or gaps in coverage.

McElney emphasises the importance of properly configuring the security tools and ensuring that alerts are received correctly by the SIEM or EDR. Failing to do so can result in missed alerts.

The cyber operations director at a large UK insurer adds, “The attack surface grows exponentially if you throw more tools at it. The attack surface is really hard to understand; if you start adding in loads of tools and vendors, and the supply chain increases, it’s incredibly difficult and complicates the attack surface. The other thing to consider is resourcing; the technology often requires human interaction, and people need to look at those alerts and follow them through, for example. I think it’s naive to think just because we have more tools, we’re more secure. I’d argue it’s the other way round.”

“I think it’s naive to think that just because we have more tools, we’re more secure. I’d argue it’s the other way around.”
Cyber operations director, large UK insurer


Is the fragmented security technology landscape increasing risk to security teams?

Our research found that 61% of respondents believe the cybersecurity market is too fragmented, complex and cluttered and that this is now a barrier to improving their capability and performance in security.

This is exemplified by the UK government’s cybersecurity sectoral analysis from 2023, showing 1,979 firms active within the market providing cybersecurity products and services.

John Maynard, chief executive officer at Adarma, believes that the overabundance of confusing acronyms and marketing claims adds to this confusion and potentially leads companies to misunderstand or overestimate their security technology's effectiveness.

“Our IT environments have become hugely complex and expansive over recent years. As organisations have moved to the cloud, many have enabled a largely remote workforce, so the attack surface has grown,” he explains.

“Security teams have generally been acquiring technology to try to keep pace with this change and the threat posed by adversaries, but they find themselves in a very complicated place with a patchwork of tools either overlapping in capability or presenting gaps.”

The cyber operations director at a large UK insurer explains, “The differences between solutions are probably 2 to 3%, the rest is the same, firms put all their effort into the 2 to 3% - that’s where you get the silver bullet marketing. The reality is that if you don’t configure it correctly, you’re getting the same tool. SIEM technology is a great example.”

McElney agrees and warns: “More tools could add more risk if you don’t have the expertise to fine-tune and harmonise them across your digital ecosystem. Security professionals tend to specialise in one technology, making it difficult to find someone who can specialise across multiple technologies.”

This increasing requirement for specialised expertise adds pressure to security teams to attract and retain qualified personnel, who are becoming harder to find due to the growing cybersecurity skills shortage.

“More tools could add more risk if you don’t have the expertise to fine-tune and harmonise them across your digital ecosystem.”
Scott McElney, CISO, the Weir Group


Is cybersecurity shifting to a data problem?

Individual security tools usually do a very good job of detecting and analysing the part of the network that they monitor. For example, Endpoint Detection & Response solutions are thorough in their analysis of activity on the endpoint. They do not, however, have visibility of other parts of the IT estate, such as active directory, cloud applications or webservers, to name a few.

The issue this can create is one dubbed “analytic islands”, silos of data that, while valuable, do not contain the context of what else might be happening across the network. “Most organisations suffer this digital fragmentation, so we really need to think about how we can knit the data together to get a more holistic view of what is happening; that’s where the expertise, integration and automation of an MSSP can offer huge value,” Dan Baker, chief delivery officer at Adarma explains.

According to the cyber operations director of a prominent insurance company, the amount of data and telemetry is increasing rapidly, but the value of that data is not. It is crucial to identify where the value lies in the data. Additionally, the value obtained from analysing data is inversely proportional to the cost of doing so. Therefore, we must be very selective about the data types we cover. He argues that CISOs mandating you ingest everything and try and figure out what is going on afterwards are taking the wrong approach.

To ensure effective protection against malicious behaviour, focus on the areas you want to cover and analyse the relevant logs that will alert you to malicious behaviour specific to how you are structured and the value you have to an attacker.

Your coverage could be false if the use cases are not correctly configured, so remove any unsuitable or non-firing ones for accurate coverage. Regularly reviewing configurations is crucial to avoid overlooking potential vulnerabilities and attaining a false sense of security. Failure to do so could result in significant gaps in your protection.

As our cyber operations director puts it, “Unless you keep on top of it you will have massive holes; your configurations need to be reviewed regularly because if not, you fall into that naivety of thinking yeah, we’re good.”

“The volume of data and telemetry is growing exponentially. However, the value in that data is not.”
Cyber operations director of a large UK insurer


CHAPTER 2

THE DRIVE TO CONSOLIDATE

Reducing your toolset might seem counterintuitive, but could it make your systems more secure?


The drive to consolidate

The obvious answer to a sprawling security toolset is to consolidate or rationalise so you have fewer technologies to manage, fewer integrations (or swivel chairing) to contend with and less technology-specific expertise required across your team – a big win in a market where talent is in short supply.

Technology vendors such as Microsoft, Splunk and CrowdStrike, to name a few, have been building out their security platform play for several years now, and many organisations are choosing to go all in on one platform for simplicity’s sake if nothing else.

When asked, “Do you plan to consolidate your security tooling in the next 12 months?”, 80% of respondents are in the process of consolidating or planning to, and an additional 18% see a need to. A mere 2% saw no need to consolidate.

A large UK insurer is one of those companies looking to consolidate and simplify its technology stack. As their cyber operations director explains, “You must first gain a better understanding of what to consolidate and the value it presents,” admitting the bottom line is often a driver for such a move. But he hastens to add, “Security teams must ensure they don’t jeopardise their cyber resilience in the process.”

As figure 2 demonstrates, the more security tools teams have acquired over the years, the more likely they are to see a need for consolidation. Does this then suggest that the way to combat the ever-evolving threat landscape is not to invest in more technology but instead put our efforts and pounds elsewhere?

80% of respondents are in the process of consolidating or planning to, and an additional 18% see a need to.

Figure 2: No. of tools vs. intent to consolidate
Stacked bar chart: number of tools (1 to 18) on the horizontal axis, 0% to 100% of respondents on the vertical axis. Categories: No, we don't see a need to consolidate tools; No, no plan yet, but we see a need to consolidate; Yes, plan to but haven't consolidated it yet; Yes, we are consolidating it.


Consolidation challenges

We inquired about the difficulties in consolidating one's security technology stack. The responses revealed that the most significant challenge is the complexity of implementation and the necessary expertise. Other challenges include the ability to leverage and optimise, being restricted to a single vendor, and losing functionality.

A skilled security architect should lead this sort of project, sponsored by the CISO, suggests McElney, “when you look at changing your security tooling, there are lots of interested parties who are motivated by different needs,” he says. “A consolidation project needs to be led by someone independent, like an architect.”

Maynard suggests that consolidating your tools and gaining better visibility of your application estate can lead to more effective resourcing, less digital fragmentation, and centralised competencies. This, in turn, can help your security team focus on maximising your current products.

A cyber operations director at a leading UK Insurer explains that their ideal state is a refined and consolidated infrastructure that provides a clear view of all data sources. They want a solution that presents true positives instead of a flood of false positives that distracts the team. Tool sprawl can lead to the opposite outcome, which is not what they want.

“When you look at changing your security tooling, there are lots of interested parties who are motivated by different needs.”
Scott McElney, CISO, the Weir Group

Figure 3: What are the biggest challenges in consolidating your security technology stack (Tick up to three)?
Bar chart, 0% to 50% of respondents. Categories: Complexity and the know-how to implement; Capability to leverage/optimise; Locked into a single vendor; Loss of functionality; Limited innovation.


CHAPTER 3

ARE SECURITY TEAMS TOO CONFIDENT?

A deeper look at the industry's false sense of cybersecurity and why feeling too secure could sabotage your business.

Confidence vs. reality

Having implemented an often-complex security technology stack, we wanted to understand how confident security teams are in the performance of this technology and if they can leverage the technology proactively to defend their organisation.

When asked, “Based on the tools you have in place, how confident, if at all, are you that you do NOT have gaps in your control's coverage?” we found:

• 53% of respondents were “very confident”
• 42% of respondents were “somewhat confident”
• 5% of respondents were “not confident”

As figure 4 displays, this confidence generally increases the more security tooling an organisation has in place.

95% of respondents are confident that they do NOT have gaps in their control’s coverage.

Figure 4: Number of tools vs. confidence in controls coverage
Stacked bar chart: number of tools (1 to 18) on the vertical axis, 0% to 100% of respondents on the horizontal axis. Categories: Very confident; Somewhat confident; Not confident.



Battle-ready or just battle-tested?

Having more tools in place generally gives us more confidence; it helps us to feel secure that the technology will do its job.

However, as any security professional knows, technology is only as good as its implementation and ongoing optimisation. Therefore, we asked organisations if they can proactively implement controls using their current toolset to defend against new threats. We found:

• 58% of respondents responded, “Yes, always - we have the capacity and capability to implement controls”
• 37% of respondents responded with “Yes, sometimes - if we have someone that knows how to do it”
• 5% of respondents responded, “No, we do not have the ability to do it”

Commenting on these statistics, McElney surmises, “Everyone is confident until shots are fired; battle-ready is different to battle-tested.”

We also asked how teams rate their capability in Detection & Response; 58% stated they have good or expert capability, whereas only 15% considered they have low or no capability.

Figure 5: Ability to proactively implement controls using current tool set to defend against new threats
Pie chart: Yes, always - we have the capacity and capability to implement controls (58%); Yes, sometimes - if we have someone that knows how to do it (37%); No, we don't have the ability to do it (5%).

Figure 6: Detecting and responding to potential threats in your IT environment (Detection & Response)
Pie chart with categories 1 - Expert capability; 2 - Good capability; 3 - Some capability; 4 - Low capability; 5 - No Capability. Segment values shown: 40%, 28%, 17%, 10%, 5%.

“Everyone is confident until shots are fired; battle-ready is different to battle-tested.”
Scott McElney, CISO, the Weir Group


High confidence correlates with your odds of having suffered an attack

At first glance, the results suggest that our cybersecurity teams are doing well. They feel assured about their coverage and ability to detect and respond to a cyberattack. However, we wanted to ensure objective data supported this perception. To do so, we compared their confidence and perceived capability with whether the organisation had experienced a security breach in the last two years.

Figures 7, 8 and 9 demonstrate that organisations that have suffered a breach are more confident. This can be interpreted in a couple of different ways; one is to say that having survived a breach, the security team is now more confident, perhaps due to learnings and improvements made post-breach.

Another is to infer that this confidence is misguided and that those that are the most confident are also the most complacent, perhaps failing to review their controls and therefore leaving themselves vulnerable to attack.

However, we also hypothesise that this could result from differing interpretations of the term ‘coverage’. Coverage to some may be at the security engineering level; do we have the right tools and configurations in place to protect against perceived threats?

A comprehensive approach would assess coverage from a holistic perspective, including the business context and strategy, down to attacker tactics and corresponding controls required.

Figure 7: Confidence in controls coverage vs. if the organisation has been breached: Yes/No/I don't know
Bar chart, 0% to 80%. Horizontal axis: Very confident; Somewhat confident; Not confident. Series: Yes; No; I don't know.

Figure 8: Ability to proactively implement controls vs. if the organisation has been breached in the past two years: Yes/No/I don't know
Bar chart, 0% to 80%. Horizontal axis: Yes, always - we have the capacity and capability to implement controls; Yes, sometimes - if we have someone that knows how to do it; No, we don't have the ability to do it. Series: Yes; No; I don't know.

Figure 9: Capability in detection and response vs. if the organisation has been breached in the past two years: Yes/No/I don't know
Bar chart, 0% to 80%. Horizontal axis: 1 - No capability; 2 - Low capability; 3 - Some capability; 4 - Good capability; 5 - Expert capability. Series: Yes; No; I don't know.


Adarma's approach to assessing coverage starts from the top down, examining six key steps:

01. What is the business context?
First, we need to understand the background: what strategic objectives does the organisation have? This is especially relevant if they’re expanding geographically or entering a new market segment.

02. Protecting the vitals
We also need to understand what is critical to running their business. An airline, for example, must be able to fly planes, and an online retailer must be able to transact online; this helps to understand the truly critical systems of a business.

03. The threat landscape
We need to understand the threat context for this business. Who is likely to threaten them and why? What assets or systems are they likely to target?

04. The attackers' MO
What Tactics, Techniques and Procedures (TTPs) do these attackers use and consequently, what data sources does the SOC need to ingest to detect said TTPs?

05. Warning systems
What detection content must be in place to alert against malicious behaviour?

06. Response systems
And do we have appropriate response actions in place to contain an attack should it successfully access its target?

What we see consistently is an inverse relationship between confidence and the likelihood of having been breached.
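Steps 04 and 05 above (the TTPs to expect, the data sources needed to see them, and the detection content that must be in place) can be checked mechanically, and the same check answers the earlier point that non-firing or mis-configured use cases give false coverage and should be reviewed regularly. The following Python script is an added example and is not Adarma's tooling or methodology code. The threat model, data-source names, rule names, timestamps and the 90-day review window are all constructed for illustration; a real SOC would populate them from its own threat model and SIEM rule statistics.

```python
"""Detection coverage gap check over a threat model (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


@dataclass
class DetectionRule:
    name: str                       # constructed rule name
    ttp: str                        # constructed TTP label the rule is meant to detect
    data_source: str                # data source the rule queries
    enabled: bool
    last_fired: Optional[datetime]  # None means the rule has never fired


@dataclass
class CoverageReport:
    covered: List[str] = field(default_factory=list)           # TTPs with a working, recently firing rule
    no_rule: List[str] = field(default_factory=list)           # TTPs with no detection content at all
    missing_sources: Dict[str, List[str]] = field(default_factory=dict)  # TTP -> required sources not ingested
    blind_rules: List[str] = field(default_factory=list)       # disabled, or querying a source that is not ingested
    stale_rules: List[str] = field(default_factory=list)       # enabled but never fired / not fired within the window

    def coverage_fraction(self, total_ttps: int) -> float:
        return len(self.covered) / total_ttps if total_ttps else 0.0


def assess_coverage(threat_model: Dict[str, List[str]], ingested_sources: Set[str],
                    rules: List[DetectionRule], now: datetime,
                    stale_after_days: int = 90) -> CoverageReport:
    """For each TTP: are the data sources it needs ingested, and does enabled
    detection content exist for it that has actually fired within the window?"""
    report = CoverageReport()
    stale_cutoff = now - timedelta(days=stale_after_days)
    rules_by_ttp: Dict[str, List[DetectionRule]] = {}
    for rule in rules:
        rules_by_ttp.setdefault(rule.ttp, []).append(rule)

    for ttp, required_sources in threat_model.items():
        # Step 04: an "analytic island" gap, the SOC cannot see the source at all
        missing = sorted(s for s in required_sources if s not in ingested_sources)
        if missing:
            report.missing_sources[ttp] = missing
        # Step 05: is there detection content for this TTP, and is it healthy?
        ttp_rules = rules_by_ttp.get(ttp, [])
        if not ttp_rules:
            report.no_rule.append(ttp)
            continue
        effective = False
        for rule in ttp_rules:
            if not rule.enabled or rule.data_source not in ingested_sources:
                report.blind_rules.append(rule.name)
            elif rule.last_fired is None or rule.last_fired < stale_cutoff:
                report.stale_rules.append(rule.name)   # candidate for review or removal
            else:
                effective = True
        if effective and not missing:
            report.covered.append(ttp)
    return report


# Constructed sample inputs (not survey data): TTP -> data sources needed to detect it
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
THREAT_MODEL = {
    "credential-dumping": ["edr"],
    "phishing-attachment": ["email-gateway", "edr"],
    "cloud-console-login-anomaly": ["cloud-audit"],
    "web-shell-upload": ["webserver-access"],
}
INGESTED_SOURCES = {"edr", "email-gateway", "cloud-audit"}
RULES = [
    DetectionRule("edr-lsass-access", "credential-dumping", "edr", True, NOW - timedelta(days=3)),
    DetectionRule("email-macro-attachment", "phishing-attachment", "email-gateway", True, None),
    DetectionRule("cloud-impossible-travel", "cloud-console-login-anomaly", "cloud-audit", False,
                  NOW - timedelta(days=200)),
]


def run_example() -> CoverageReport:
    return assess_coverage(THREAT_MODEL, INGESTED_SOURCES, RULES, NOW)


if __name__ == "__main__":
    r = run_example()
    print(f"covered TTPs:            {r.covered}")
    print(f"TTPs with no rule:       {r.no_rule}")
    print(f"missing data sources:    {r.missing_sources}")
    print(f"blind rules:             {r.blind_rules}")
    print(f"stale rules:             {r.stale_rules}")
    print(f"coverage: {r.coverage_fraction(len(THREAT_MODEL)):.0%}")
```

With the constructed inputs only one of four TTPs is actually covered, even though a SOC counting rules would report three: one rule is disabled, one has never fired, and one TTP has neither a rule nor an ingested source. That gap between the rule inventory and what is firing is the "false coverage" the text warns about.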


What we see consistently is an inverse relationship between confidence or perception of capability and the likelihood of having been breached, and we are not alone. The CEO Report on Cyber Resilience by the University of Oxford Saïd Business School found “an inverse relationship between preparedness and resilience: the more prepared CEOs think their organisation is for a serious cyberattack, the less prepared it could be in reality. The reason? A misguided perception of high preparedness can lead to overconfidence and complacency, ultimately jeopardising the organisation’s resilience.”

The report recommends that the best way to approach the “preparedness paradox” is to embrace it: to think of preparedness not as an end state but as an ongoing set of activities and processes continually challenging the organisation's preparedness.

We would agree; organisations do not audit their own finances, nor should security teams mark their own homework. An independent party needs to challenge and test your security posture to enable the ongoing development of resilience.

The cyber operations director at a prominent UK Insurer acknowledges that there are gaps in their system, and they lack confidence in their abilities. However, the team works diligently every day to identify and address these challenges.

According to McElney, relying too much on tools can be risky. The key is to have confidence in your team and ensure they have the necessary tools to do their job well. Focus on more than just one aspect of your work, be confident in all areas.

Organisations do not audit their own finances, nor should security teams mark their own homework.

“The key is to have confidence in your team and ensure they have the necessary tools to do their job well.”
Scott McElney, CISO, the Weir Group


CHAPTER 4

HARNESSING THE FULL POTENTIAL OF ARTIFICIAL INTELLIGENCE

AI isn't as prone to overconfidence as its human colleagues. Can it help to improve your threat defences?


How can the integration of AI and automation enhance security operations?

Although some SecOps leaders may not foresee AI having a significant impact in the next five years, it is remarkable that 61% believe it could manage up to 30% of security operations, with 17% even predicting this percentage to increase to 50%. While the specific functions AI may undertake are still uncertain, it is encouraging to see there is ample room for innovation and advancement in this area.

The cyber operations director of a major UK insurer believes that AI has two significant applications in cybersecurity. “One is the reduction of false positives. AI can help you understand from your specific environment and user behaviour what is and is not an alert of interest." He argues that "95% of alerts are false positives, but they still require a human to look at them; arguably, AI could reduce that significantly."

The second area of focus is on isolation and containment, with a particular emphasis on the potential role that Endpoint Detection & Response (EDR) could play. However, it is essential to have leaders who have faith in technology to perform its role effectively. There is a concern that computer errors could abruptly shut down profit-generating systems. It might take a while before our C-suite leaders trust AI enough to permit it to ease the workload of security teams.

It is a fact that the cybersecurity industry is still in the early stages of utilising AI, and there is much room for growth and development. According to McElney, there is a lack of expertise in this area since the technology is relatively new. Security professionals need to be aware of the source of information and understand if it comes from AI capabilities that have been trained on particular data sets. Furthermore, there are challenges in providing training on these techniques since the technology is still in its infancy.

“95% of alerts are false positives, but they still require a human to look at them; arguably, AI could reduce that massively.”
Cyber operations director, large UK insurer


Automation: A challenge of resources and priorities

Figure 10 shows that the SOC currently automates tasks evenly, indicating that teams are looking for increased operational efficiencies across the board. Interestingly 53% of respondents claim they would prefer that they or the team did not have to spend time on reporting, while it is also the least automated task (over 70% do not automate reporting). Perhaps there is an opportunity for happier teams through less manual reporting requirements.

We were surprised to discover that, when asked about their level of automation, even our most experienced customers had very little. When asked why, some customers cited a lack of expertise, resources and time as a challenge. To properly implement automation requires skills and time to accomplish, which many organisations lack.

According to our research, 42% of respondents believe automation will provide better contextual information to aid in decision-making. Additionally, we hope that automation minimises mundane and repetitive tasks, improves accuracy and consistency, and allows us to accomplish more with fewer resources or in less time.

Figure 10: Automated tasks
Thinking about automation of your security operations, what types of activity, if any, are currently automated? (Tick all that apply)
Bar chart, 0% to 40%. Categories: Forensic imaging; Reporting; Automated threat hunting; Data gathering; Automated alert triage; Context enrichment; Response actions.

Figure 11: The benefits of automation
What do you believe the benefits of automation would be, if any?
Bar chart, 0% to 50%. Categories: Ease my decision making due to improved contextual information; Reduce mundane or repetitive tasks; Improve my accuracy and consistency; Decision making made at speed and scale; Reduce the number of people required in the team; Save me time.


While most respondents claim their automation efforts have been somewhat successful, they acknowledge that getting there was challenging and time-consuming. Our research shows that while we believe the benefits of automation to be wide-ranging, implementation is not without its challenges. Despite these difficulties, most of our respondents (73%) said they believed their efforts to be worth it in the end.

Figure 12: How successful is your automation?
Thinking about automation that has been implemented, how successful would you say it has been?
[Bar chart, 0% to 40%, scale 1 to 5: 1. Unsuccessful; 2. Somewhat Unsuccessful; 3. Somewhat Successful; 4. Successful; 5. Highly Successful]

Figure 13: How would you best describe your automation efforts?
Thinking about the automation that has been implemented, how would you best describe the experience?
[Bar chart, 0% to 50%: More complicated than we expected and ineffective in the end; More difficult than we anticipated but worth it in the end; More difficult than we anticipated and in the end the results were poor; Challenging and time consuming but we succeeded in the end; Straightforward, well worth the time invested]

CHAPTER 5
THE STATE OF OUR SECURITY TEAMS

Despite claims of feeling secure from attack, many security professionals are feeling anything but relaxed in their current roles.


Pressure, productivity and performance

The cybersecurity skills shortage is well documented, and the difficulty recruiting and retaining the right talent is a challenge all CISOs face. This contributes to the widely reported pressure placed on the security industry; Gartner's research states, “cybersecurity professionals are facing unsustainable levels of stress.”

In our study, we asked participants to share their opinions on their security team's productivity and performance. Concerningly, 29% reported feeling challenged and stressed, leading to inevitable mistakes.

Additionally, 18% expressed frustration, exhaustion and a lack of confidence in their team's defensive abilities. Fortunately, only 4% of teams are in a critical state, with members feeling burnt out and ready to quit, where staff turnover is high and a security incident is imminent.

During our interviews, we asked about stress and whether it is a unique challenge in the cybersecurity industry. One director of cyber operations shared that while stress is not exclusive to the cyber realm, it is more prevalent in organisations that rely heavily on data for decision-making. He went on to explain that the cyber world is filled with passionate and dedicated individuals, which can also contribute to stress levels.

“The days are long, and it requires heavy focus. But the pressure is also there because, within this industry, you have very dedicated individuals that care. It’s not often you find someone skilled up that doesn’t care, it’s almost like we’re victims of our own passion.”

Capability and expertise

While confidence in our control’s coverage was high (95%), this does not appear to be mirrored in how respondents view the capability and expertise of their teams. When asked, “Thinking about the capability and expertise of the staff in your team, how would you rate the maturity of the following categories on a scale of 1 to 5?”, we found the average score across all capabilities was 3.5, perhaps indicating that our capability does not quite live up to our confidence.

Figure 14: How would you best describe the productivity of your security team?
[Bar chart, 0% to 40%:
- Members of the team are feeling burnt out and ready to quit. Staff turnover is high, I believe a security incident is imminent.
- Frustrated and exhausted and mistakes are being made. I lack confidence in our ability to defend the organisation.
- Fulfilled and engaged. Productive and high performing. We are confident in our defence.
- Stretched, we don't have bandwidth or capability to innovate however we are doing the basics well.
- Staff are challenged and stress levels are high, it's only a matter of time before mistakes are made.]

Figure 15: Capability & expertise of security teams
Thinking about the capability and expertise of the staff in your team, how would you rate (on a scale of 1-5) the maturity of the below categories?
[Chart, 0% to 100%, scale: 1. No Capability, 2. Low Capability, 3. Some Capability, 4. Good Capability, 5. Expert Capability:
- Reporting: Ability to measure success and report to the wider business
- Incident Response: Readiness to respond effectively to an incident
- Exposure Management: Understanding and controlling your exposure across your IT estate
- Detection & Response: Detecting and responding to potential threats in your IT environment
- Threat Intelligence: Understanding the threats you face]



Improving capability and performance

With this in mind, we asked what prevents organisations from improving their capability. Respondents seemed unable to agree on the root cause of the problem. As shown in figure 16, responses were spread across the board with no clear winner. Perhaps it is the case that SOC teams have too many competing priorities and different tasks to be able to nominate just one factor.

These results indicate that there is no single underlying cause of Security Operations challenges; more likely it is a combination of all these factors that hold our teams back.

“It’s almost like we’re victims of our own passion.”
Director of cyber operations, large UK insurer

Figure 16: What is holding you back from improving capability and performance
How would you rate (on a scale of 1-5) the importance of the below categories?
[Chart, 0% to 100%, scale from 1 (This prevents us from improving) to 5 (This is not an issue that affects our ability to improve):
- Diversity: A lack of different perspectives and diverse representation
- Communication: We struggle to articulate the value of security investment to the board or c-suite
- Investment Priorities: Competing investment priorities across the business
- Fragmentation: Fragmentation of the technology landscape - too many point solutions
- Recruitment: Unable to recruit and retain people with the right skill sets
- Budget: Lack of security budget]


Cultural impact on response to a major ransomware attack: a case study of a global industrial business

In 2022, a global industrial business experienced a highly determined and capable ransomware attack. The incident created a stressful and demanding environment that tested the resilience and capabilities of the company's employees and their cybersecurity partner, Adarma. The strength of the response came from the organisation's culture, emphasising teamwork, leadership, and Adarma's commitment to exceeding contractual obligations.

Recognising Weaknesses and Allowing Individuals to Shine
During the cyberattack, the employees of the business were thrust into an intense situation. The stress level was palpable, and the magnitude of the attack revealed itself over the course of several days. This realisation prompted the employees to step up and address their vulnerabilities collectively.

On a positive note, despite the pressure, the situation also allowed individuals to showcase their skills and expertise. One technical employee expressed enthusiasm, recognising the gravity of the situation and feeling empowered to confront the challenge head-on. This sense of ownership and determination highlighted the positive impact of a culture that encourages personal growth and taking responsibility in times of crisis.

Leadership Leading by Example
The response to the attack revealed a remarkable display of leadership within the organisation. Adarma’s co-founder actively participated in the resolution process by working night shifts. By personally taking on these demanding tasks, he demonstrated his commitment to supporting his team and leading by example. This act resonated with the employees, fostering a sense of solidarity and motivating them to follow suit. These actions exemplified a culture that values collective effort and instils a strong work ethic.

Going Beyond Contractual Obligations
In the face of the ransomware attack, the organisation faced a challenging situation without any contractual obligation for Adarma to assist. However, when approached for help, Adarma stepped in without hesitation, providing their expertise and resources. Their willingness to assist despite the absence of a formal agreement demonstrated the power of relationships and the recognition that responding to a cyberattack is a matter of urgency. The response emphasised the importance of collaboration, trust, and mutual support, central tenets of a culture that values relationships and prioritises the greater good over individual interests. We are all stronger together.

The Role of Culture, Leadership and Relationships
The response was ultimately successful due to the hybrid team’s ability to rise to the occasion, recognise their vulnerabilities, and display exceptional performance under pressure.

Leadership played a critical role in guiding and inspiring the response, with executives leading by example and demonstrating the organisation's values. Furthermore, the incident highlighted the significance of relationships and the willingness of external partners to provide support, even in the absence of formal agreements.

Ultimately, the response to the ransomware attack demonstrated that culture plays a vital role in shaping an organisation's ability to respond effectively to cyber threats and build resilience in the face of adversity.


Prioritising wellbeing

66% of organisations believe recruiting from a more comprehensive, more diverse talent pool would offer significant help with the cybersecurity skills shortage.

With over half (51%) of organisations stating their staff are challenged, stressed, frustrated or exhausted, we believe organisations need to start questioning whether this is a risk they can afford to ignore or if it is one we all need to start prioritising.

Two-thirds (66%) believe recruiting from a broader, more diverse talent pool would offer significant help with the cybersecurity skills shortage. Furthermore, 35% would consider working with a third party Managed Security Service Provider to develop engaging diversity strategies and benefit from a more diverse team of talent.

22% of respondents said they would outsource to ‘overcome the shortage of skilled security professionals,’ while a further 19% perceived it would help ‘reduce burnout or frustrations within the internal team’.

Automation can aid security operations teams both in terms of workload and quality levels. At Adarma, we worked with one of the UK’s largest banks to move beyond risk-based alerting to risk-based response. This automated, risk-based approach enhanced the bank’s cyber risk management and enabled them to make faster and more accurate and dynamic risk-based decisions, thus alleviating pressure on the Security Operations team.

We asked the cyber operations director of a large UK insurer if outsourcing could alleviate some of the pressure on his team, and he remarked, “Yes and no. Yes, because we have a large organisation we can call upon that’s very capable, and it means, at times, we can enable our skills. However, we need to maintain a certain level of expertise with our internal team. That said, Adarma brings the full weight of its machine, from threat intelligence to EDR, to 24/7 SOC. I think hybrid is absolutely the way forward.”

“I think hybrid is absolutely the way forward.”
Cyber operations director of a large UK insurer


CHAPTER 6
CONCLUSION & RECOMMENDATIONS

Conclusion

This report provides valuable recommendations to enhance an organisation's cybersecurity posture and response capabilities. By considering the entire lifecycle of security technology and allocating resources for ongoing configuration, optimisation, and integration, organisations can avoid costly and unrealistic security measures.

Furthermore, integrating and consolidating data sources to create a holistic view of the organisation's estate enables better threat detection and response. Selectively ingesting relevant data and regularly reviewing tool configurations ensures effective coverage and minimises alert fatigue. Independent assessments and expert guidance are crucial in maintaining tool efficacy and making informed decisions. While consolidating the security stack can improve efficiencies, careful consideration is necessary to preserve cyber resilience. Balancing reliance on technology with investing in people's capabilities and confidence contributes to a robust security posture.

While AI offers potential benefits, it requires cautious implementation and continuous monitoring to build trust.

Finally, and most importantly, recognising the pressure faced by security professionals, organisations should prioritise their well-being through workplace initiatives or consider the support of an MSSP. By implementing the following recommendations, organisations can strengthen their security defences, optimise resource allocation, and protect against evolving cyber threats.


Recommendations

1. Do not assess security technology in isolation; think about the entire lifecycle of that technology and the people and processes required to configure, optimise and integrate it on an ongoing basis. Organisations must have the capability and resources to feed and water their security tools; otherwise, they can prove to be a costly and unrealistic security blanket. Remember that different tools will likely require various experts to manage them, and it is uncommon to find security professionals skilled across multiple technologies.

2. Be wary of creating analytic islands. With digital fragmentation at an all-time high, it is essential that an organisation can knit their data together to create a holistic view of what is happening across their estate. This requires expertise in understanding data sources and their value and building integrations and automation.

3. Be selective in the data you ingest into your security operations centre. First, understand where you are exposed and examine the data sources required to cover those use cases. By ingesting the logs that will alert you to malicious behaviour specific to your organisation, you will save money and your team from alert fatigue.

4. Review your tool configurations regularly; if left unattended for too long, they will likely stop firing or be unsuitable to give you the required coverage. We recommend that an independent third party undertake this exercise to provide an objective assessment.

5. Consolidating your security stack can help improve efficiencies and visibility, reduce complexity and potentially lower the technical expertise required on your team. However, please proceed cautiously; it is essential to understand what to consolidate and its value. We recommend you start by developing desired business outcomes and then have an independent security architect lead this project to ensure the motivations of various interested parties are considered and that your cyber resilience is not negatively impacted due to a desire to cut costs.

6. Do not rely solely on technology to secure your organisation. It is essential to have confidence in your people as much as the tools they leverage. Knowing you have gaps in your control’s coverage is not bad, as you are more likely to be taking steps to close those gaps. Being overconfident in your coverage could leave you vulnerable to an attack you were not expecting.

7. AI has the potential to help reduce false positives and to make isolation and containment decisions. However, we should tread with caution. This technology, as are our skills at utilising it safely, is still new and in its infancy. We recommend monitoring AI and its decisions until we build confidence and trust in the technology. Identify test areas where it may bring the greatest benefit and carefully monitor to ensure desired outcomes are delivered. Engage staff so that they realise the risks and understand you are not saying no to innovation, simply asking to understand the risks.

8. Security professionals are passionate about what they do, which makes this a great industry to be part of; however, it also means our people are under a lot of pressure and feel a personal commitment to defending the organisation, day and night. We must invest in ways to support teams and look after their welfare and mental health, whether through workplace well-being initiatives or a hybrid approach to managing your SOC using a third party MSSP. By having an MSSP undertake initial triage and develop automation, your staff will be empowered to engage in value-add activities that motivate them and improve your security posture.

9. Get in touch. We can help you consolidate your toolset and protect your business in a complex environment. To find out more, visit www.adarma.com or get in touch at hello@adarma.com.
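One way to act on recommendation 4 between independent reviews, added here as an example and not Adarma's tooling: give each catalogued detection rule the longest silence considered normal for it, scan an alert export for the last time each rule fired, and list rules that are stale, have never fired, or are firing without being in the catalogue. The rule names, cadences and JSON-lines alert export below are constructed; a malformed export line is included to show the parser skipping it rather than aborting the whole check.

```python
"""Detection rule health check for recommendation 4.

Added example, not Adarma's tooling; the rule catalogue, cadences and the
JSON-lines alert export are constructed for illustration.
"""
import json
from datetime import datetime

# Constructed catalogue: the longest silence each rule is allowed before it is
# suspect. Rare, high-fidelity rules legitimately stay quiet for weeks.
RULE_CATALOGUE = {
    "win_failed_logon_burst": {"max_silence_days": 1},
    "proxy_rare_domain": {"max_silence_days": 1},
    "edr_lsass_access": {"max_silence_days": 30},
    "o365_mailbox_forwarding": {"max_silence_days": 7},
}

# Constructed alert export (JSON lines) as a SIEM might produce it; one line is
# deliberately malformed.
SAMPLE_ALERTS = """
{"ts": "2024-01-10T08:12:00Z", "rule": "edr_lsass_access", "host": "ws-0142"}
{"ts": "2024-01-18T11:40:00Z", "rule": "proxy_rare_domain", "host": "ws-0077"}
{"ts": "2024-01-20T09:05:00Z", "rule": "proxy_rare_domain", "host": "ws-0091"}
{"ts": "2024-01-30T22:15:00Z", "rule": "win_failed_logon_burst", "host": "dc-01"}
{"ts": "2024-01-31T06:30:00Z", "rule": "win_failed_logon_burst", "host": "dc-02"}
{"ts": "2024-01-31T14:00:00Z", "rule": "legacy_vpn_bruteforce", "host": "vpn-01"}
this line is not json and must be skipped, not crash the check
"""


def parse_alerts(text):
    """Return [(timestamp, rule)] from JSON-lines text, skipping malformed lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            alerts.append((ts, rec["rule"]))
        except (ValueError, KeyError, TypeError):
            continue  # one bad export line should not abort the whole review
    return alerts


def rule_health(catalogue, alerts, now):
    """Classify every catalogued rule and surface rules firing that are not catalogued."""
    last_seen, counts = {}, {}
    for ts, rule in alerts:
        counts[rule] = counts.get(rule, 0) + 1
        if rule not in last_seen or ts > last_seen[rule]:
            last_seen[rule] = ts

    report = {}
    for rule, cfg in catalogue.items():
        if rule not in last_seen:
            # A rule that has never fired may be broken, or its log source may be missing.
            report[rule] = {"status": "never_fired", "days_silent": None, "count": 0}
            continue
        silent = (now - last_seen[rule]).days
        status = "stale" if silent > cfg["max_silence_days"] else "ok"
        report[rule] = {"status": status, "days_silent": silent, "count": counts[rule]}

    for rule in last_seen:
        if rule not in catalogue:
            # Firing rules nobody documented are configuration drift worth a look.
            report[rule] = {"status": "uncatalogued",
                            "days_silent": (now - last_seen[rule]).days,
                            "count": counts[rule]}
    return report


def rules_needing_review(report):
    """Sorted list of rules whose status is anything other than ok."""
    return sorted(rule for rule, h in report.items() if h["status"] != "ok")


def run_sample(now=datetime(2024, 2, 1)):
    """Run the check over the constructed catalogue and export as of a fixed date."""
    return rule_health(RULE_CATALOGUE, parse_alerts(SAMPLE_ALERTS), now)


if __name__ == "__main__":
    report = run_sample()
    for rule in rules_needing_review(report):
        print(rule, report[rule])
```

The three statuses map to different follow-ups: a stale or never-fired rule may be broken by a schema change or a log source that stopped sending, and an uncatalogued rule is something that was added outside the documented set, which is exactly the kind of drift a periodic review is meant to catch.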


Research methodology

Adarma commissioned Censuswide* to conduct a survey of 500 individuals who met the following criteria:

The individual must be employed in an organisation with:
- 2000+ employees
- UK Headquartered or with 2000+ UK-based employees
- 2 or more security team members

And must have a job title of:
- Information Security Manager, Director or Head of
- Security Operation (Centre) Manager, Director or Head of
- Cybersecurity Manager, Director or Head of

The survey asked 22 questions covering three topics:
1. Tool sprawl
2. AI and automation
3. People and the cybersecurity skills shortage

Options to multi-choice questions were randomised. Adarma also interviewed Chief Information Security Officers and Security Operations Directors from their customer base.

*Censuswide abides by and employs members of the Market Research Society based on the ESOMAR principles.

Appendix

1.0 Cybersecurity Tools Pick List
- Data Lake
- Cloud Workload Protection
- IoT / OT protection
- Next Gen Firewall
- SIEM
- Access Management
- Cloud Access Security Broker
- Web Application Firewall
- Data Loss Prevention
- Security Service Edge
- Cloud Security Posture Management
- EDR, Endpoint Protection
- Identity Protection
- Threat Intelligence Platform (TIP)
- Secure Email Gateway
- IDS/IPS
- SOAR
- Breach and Attack Simulation
- Secure Web Gateway
- NDR


About Adarma

We are Adarma, independent leaders in detection and response services. We specialise in designing, building and managing cybersecurity operations that deliver a measurable reduction in business risk. We are on a mission to make cyber resilience a reality for organisations around the world.

Our team of passionate cyber defenders work hand in hand with you to mitigate risk and maximise the value of your cybersecurity investments. Powered by the Adarma Threat Management Platform and optimised to your individual needs, we deliver an integrated set of services that improve your security posture, including best-in-class Managed Detection and Response.

We operate with transparency and visibility across today’s hybrid-SOC environments to protect your business as you transform, innovate and grow. Adarma delivers the cybersecurity outcomes you need to make a remarkable difference.

hello@adarma.com
www.adarma.com
