According to a recent study published by Symantec, 52% of security organisations are "doing well" in responding to routine security events. But these same organisations struggle when under a complex cyber attack.

Like a skilled surgeon, incident responders are best when they’re well practised. But most organisations can’t keep that kind of skilled proficiency on a full-time team. And while the general sense in the industry is that security spend is increasing, CISOs still need to manage their business and investments responsibly to show that the organisation and the operational expense are right-sized to the enterprise’s risk appetite.

This means keeping a handle on the baseline operational cost of the security organisation. But how do you manage those spikes with the team and resources you have?

When the heat is on, security organisations need to have the confidence to look outside their immediate teams for the capacity, niche skills and processes to restore the enterprise to business as usual. The principles of cloud apply here: you drive down your operational baseline, then scale rapidly when new challenges emerge.

This requires a different kind of expectation-setting in the C-level ranks to accept that surge as the new normal, but there are several aspects that a CISO can rely on to gain this kind of operational agility:


Turning to third-party cloud infrastructure providers can take some of the spot capacity burden off IT. As conditions worsen under an attack, a security organisation can ratchet up sensing and logging, capture forensic images and rely on off-site virtualised storage to handle spikes in data needs.

This gives the incident response team access to more contextual data and gives them more computing power to crunch that data, perform offline analysis and get to the root cause.


Other security tools are putting the benefits of the cloud behind their products through the network effect of information sharing. When you can capture every packet on your network and process it in context; or when you can follow every link that is clicked to recreate its effect in a virtual machine; or when you see not only all the events that are happening to you, but which of those are happening to others as well, you gain significant actionable insight on where and how you’ve been pwned.


You won’t have the right people inside your enterprise every day, so you need the flexibility to reach them. Several companies offer this sort of guerrilla consulting and incident response capability, but there’s a catch. At a time when organisations are increasingly turning over their IT, HR, procurement and other operations to third parties, these first responders need carte blanche to work in and through all of your providers on your behalf.

In fact, organisations looking to go this route may want to examine the contracts and SLAs they have in place to start making surgical changes. You need an emergency release valve to ensure "one team, one fight" during an attack.


Finally, it's not "surge" if you can't turn it off. Rapid elasticity should be baked in as an organisation moves from detection through response and recovery and back into normal operations. This cycle of detect, surge, recover may happen again and again; it may lead to a new baseline as certain threads are followed through to legal action or broader remediation. But at the end of the day, the organisation can step down the surge capacity across any front.

One of our key recommendations for high performance security operations is to employ the cloud (of compute, people and processes) to solve the growing security challenges faced by global organisations every day. But we’re just getting warmed up. I’m interested in hearing your war stories of what went right and what went wrong if you recently "surged to meet demand".

By Ryan LaSalle, senior executive, Accenture Technology Labs