Group Purchasing
Group Purchasing

2023 Survey | Incident Response

2023 Survey | Incident Response (PDF, 0.81MB)Published: 12 Sep, 2023
Created by:
Megan Roddie-FonsecaTerrence Williams
Megan Roddie-Fonseca & Terrence Williams

The SANS 2023 Incident Response survey, published by SANS Institute in September 2023, examines how organizations' incident response (IR) programs have evolved since SANS last ran this survey in 2019. Written by Megan Roddie and Terrence Williams, the survey drew on responses from a global pool of incident responders spanning banking and finance, cybersecurity, government, and technology sectors, covering detection and containment speed, staffing and budget trends, malware analysis capabilities, and automation adoption.

Key findings:

  • Organizations detected 76% of incidents within 24 hours of compromise, a 17% increase since the 2019 survey
  • 54% of incidents were remediated within 24 hours of containment
  • Business email compromise (BEC) was the leading source of compromise, reported at 42%
  • Combined, malware infections and ransomware accounted for 55% of compromise sources, with ransomware alone at 20%
  • 43% of organizations experienced returning threat actors using the same or similar tactics, techniques, and procedures (TTPs), an 11% increase over 2019
  • Only 19% of organizations reported not assessing the effectiveness or maturity of their IR processes, down from 26% in 2019
  • 59% of organizations keep IR fully in-house, compared to 46% for SOC functions
  • 66% of hiring managers rank industry experience and security certifications as top candidate attributes; only 49% prioritize academic experience
  • Career growth opportunities (32%) and salary range caps (28%) were the leading causes of IR staff turnover, far outweighing benefits offered (7%)
  • 55% of organizations cited time and resources needed to evaluate and implement automation as the top hurdle to automation adoption
  • 18% of organizations reported that 75% to 100% of their incidents occurred in a cloud environment

The data shows organizations have made real gains in speed and process discipline since 2019, detecting and containing incidents faster and assessing their IR programs more consistently. But that progress hasn't translated into better outcomes against repeat attackers: the rise in returning threat actors using familiar TTPs suggests organizations still aren't systematically applying lessons learned from past incidents. Staffing remains the other soft spot, with career growth and pay, not benefits, driving IR talent out the door. Respondents represented organizations of all sizes, from under 1,000 employees to more than 50,000, with the largest concentrations in banking and finance, cybersecurity, government, and technology, and operations spanning North America, Europe, Asia-Pacific, and beyond.

FAQ

Meet the experts