A new survey commissioned by Sumo Logic found that most companies have started to automate the triage of security alerts but most are at the beginning of this transformation.
Image: Sumo Logic

Slow-moving automation efforts and an increase in cloud environments are intensifying the alert overload crisis for security teams, according to a new study.

The “2020 State of SecOps and Automation” report found that IT infrastructure is changing faster than security teams can adapt to the new demands. Sumo Logic commissioned the 427 survey of IT security professionals which was conducted by Dimensional Research.

SEE: TechRepublic Premium editorial calendar: IT policies, checklists, toolkits, and research for download (TechRepublic Premium)

Big companies report up to 1,000 security alerts a day, and 86% of survey respondents are concerned about burnout, high levels of stress, and flight risk among security teams, due to the daily volume of alerts. Larger companies are making progress with automating some of the response to security alerts but only 3% report full automation.

Security professionals listed these top five reasons for the increase in alerts:

  • Constant changes to the type of threats that must be blocked: 67%
  • New tools to monitor threats: 60%
  • Growth of the apps and services that IT teams deliver to business stakeholders: 57%
  • An increase in cloud infrastructure: 55%
  • Growth in user endpoints including mobile devices: 52%

Cloud environments are a significant source of alerts overall. Seventy-five percent of respondents said cloud infrastructures generate more security alerts than on-prem environments.

To deal with this deluge of alerts, security teams are using automation but most are in the early stages of the process. Sixty-five percent of companies have only partially automated security alert processing while only 5% have not implemented any alert workflow automation. Companies farther down the path of automation are more able to address security alerts the same day they occur as compared with companies that are partially automated. Sixty-five percent of the highly automated companies said they were able to respond to all or most of the alerts the same day they were received, while only 34% of partially or not automated companies could respond that quickly.

Seventy-five percent of respondents said they would need to hire anywhere from three to more than 10 additional analysts to address all security alerts the same day they are received.

The survey also asked security professionals about how existing security incident and event management (SIEM) solutions are performing. Survey respondents said that the top frustrations with existing SIEM solutions are:

  • The high number of alerts: 43%
  • The complexity of operation: 40%
  • Not enough context for threat investigations: 37%
  • Lack of threat visibility across both on-prem and cloud environments: 33%

Also, companies that use different SIEM solutions for cloud platforms and on-prem networks are more likely to report a lack of threat visibility in both environments. Eighty-four percent of respondents said that a cloud-native SIEM platform would help with this issue.

Security team members listed automated alert triage with actionable insights and out-of-the-box content for rapid time to value as the two new features that would help the most with managing alerts.


Dimensional Research sent this survey to an independent database of IT security professionals, and 427 people completed the survey. All participants had direct responsibility for security operations at an organization with a significant investment in a public cloud and at least 1,000 employees. Participants included a mix of job levels, regions, company sizes, and industries.

Also see