1 Security Incident x 4 Tools x 8 Roles = 8 Days

Collaboration can significantly improve this equation.

Collaboration may be the key to enhancing your security responsiveness, according to a recent global research report. Improving how your teams and products work together, including enhancing communication flows, fostering trust and transparency, and automating time-consuming tasks, could increase flexibility and effectiveness by 38% to 100%, depending on the size of the group. The bigger the group, the higher the potential improvement.

Our new global survey of 565 security professionals indicates the continuing need for greater effectiveness. Security operations teams are being inundated with security events as attacks and threat vectors increase in volume and variety. On average, investigations take people from up to eight different roles within the organization, using four or more security tools, eight days from detection to clean up.

Ironically, the groups with more advanced threat- and incident-management solutions conducted twice as many investigations because they had more detailed data and could detect more sophisticated and subtle attack behaviors. Almost half of those with advanced threat- and incident-management tools were able to shorten their average investigation times.

With the number of tools and people involved, respondents indicated that collaboration could improve effectiveness. The surprise was how big an impact they thought enhanced collaboration between the security analysts, incident responders, and endpoint and network operations teams would have. Centralized orchestration among these players was predicted to deliver a 38% to 100% improvement in effectiveness. These findings are promising for anyone worried about the cyberskills shortage and our ability to combat evolving threats. We can do more with what we already have.

It isn’t just about real-time alerts and case-management workflows. Our research identified three critical areas to develop: communication, trust, and automation.


Security investigations are iterative; the next step is influenced by the situation rather than prescribed by process. There are also so many people and products involved in a typical investigation, from different sites and time zones, that any form of manual communication or integration introduces delays and errors.

Given these hurdles, developing and enhancing orchestration between security products enables a host of time-saving human communications, including role-specific dashboards and monitoring tools, real-time visibility, policy and process-driven workflows, and access to current and historical event data. These, in turn, provide the most significant way to reduce incident response times by delivering more accurate and up-to-date information and prioritizing the areas in which to act.


Following closely on communication is developing higher levels of trust and transparency among teams, both internal and external to security operations. The two critical components of this are confidence that the information being received is accurate and complete, and confidence that work will get or has been done. Leading by example is critical here, demonstrating your trust in others and avoiding blame.

Having an incident-response game plan, practicing real-life scenarios, facilitating and coaching through each incident, and debriefing for the next iteration help create a positive attitude and continuous process improvement. This in turn encourages people to contribute as needed, even outside of their primary roles.


Finally, the security skills shortage is not going away. Scripting critical time-consuming local and remote tasks is a good way to start down the road of getting your security tools and computing machines to shoulder more of the load. Our survey found a significant willingness to automate or semi-automate many tasks that traditionally require human intervention. Some are low risk such as clearing a browser cache or restarting a Windows service; some are higher risk such as isolating a host, rebooting a system, or reimaging a disk. Survey respondents showed that low-risk tasks could be fully automated, and the higher risk tasks could be automated with a pause for human approvals. Consult the report and infographic for specific examples of automation preferences.

Our survey indicates that improving collaboration across people, process, and technology can have significant benefits, connecting the tools and roles to shorten critical security operations metrics: times to detection, containment, and remediation.

For more information on how collaboration can improve your security equation, and other findings on advanced threat and incident management, download the full report How Collaboration Can Optimize Security Operations.

Brian Dye is corporate vice president in the Intel Security Group and general manager of the group’s global security products at Intel Corporation. He is responsible for Intel’s global corporate security product portfolio and worldwide engineering, including product … View Full Bio

More Insights