Alert fatigue is a significant challenge for security officials in governments and organizations worldwide. Where the principal challenge in safeguarding operations and personnel used to be collecting sufficient actionable intelligence and data, today global security operations centers (GSOCs) are overwhelmed with more information than many organizations can process.
Overload, uber risk
Alert fatigue is at root a function of the exponential growth in data being pushed at GSOCs and other hubs of risk management. Institutions are subscribing to and collecting a widening range of data — everything from alarm data for buildings or networks with doors inadvertently left open to talk on Twitter.
And just like the incessant pings of a smartphone, any of it can be potentially of crucial importance.
With companies annually spending hundreds of thousands, or even millions, of dollars on data collection, it is no surprise that alerts would come in fast and hot. But the firehose of alerts can be mind-boggling. Employees can spend extensive time investigating and triaging, or responding to, alerts, many of them manually.
Beyond the difficulty of simply keeping up, such a level of alert overload is almost guaranteed to drown out important signals in the noise of false positives and low-priority pings. It can heavily degrade the decision-making process, or bring it to a halt.
The downside goes beyond rendering all that expensively acquired data useless. Alert fatigue can exert a real and serious toll on staff. If analysts are being deluged with data and alerts, and just trying to keep their head above water, their jobs become a repetitive task with little progression or growth. In some cases, employee burnout can further degrade a GSOC’s effectiveness. It can even lead to employment lawsuits.
The good news is that many companies are starting to recognize the issue. Five years ago, the talk was about volume and real time. But now it is becoming clear that the challenge is to figure out what really matters, and what doesn’t.
Managing the flow of data
While it is now easier to get data into a GSOC than to know what to do with it, there are steps that every company can take to make sure that superior awareness doesn’t lead to alert fatigue.
The first, and most important, task is to drill down on the mission of the organization and what it is trying to protect. While this sounds obvious, in an information-overload environment, it is often difficult to focus on the basics of why information is being collected and analyzed. Security leaders need to be clear on the outputs that they want to achieve.
Once a restatement of mission and needs is made, it then comes down to a process of methodically confirming the data sets and search strings that are required, and that the underlying methodologies are technically sound. In some cases, institutions may have purchased access to powerful platforms that are not being used correctly, with the result being volume rather than quality. The objective is to make sure security leader are pulling the data they want, rather than being overloaded with data that’s pushed to them.
When making such changes, timing is of crucial importance. Don’t make big course corrections in the middle of a crisis. And overall, successful GSOC operations are ones that work to constantly enhance their data sets and technology, and have the ability to change along with the risk environments they are working to master — to make improvement a daily routine.
Meanwhile, there is almost always a need to better understand the capacity of a team to use information in a way that best serves the overall mission. Too often roles and responsibilities are not in line with the realities of the mission.
When working to maximize the value of GSOC operations, the natural focus is on technology. Throttling unnecessary alerts and otherwise better sorting and prioritizing data will involve technological solutions that help filter and interpret alerts. But in the end, that technology allows the most critical alerts to be verified and contextualized by the most critical assets in the security apparatus: people.