
In my travels I have found it matters more how you do IT securely than how you ‘do security’. What I mean by this is that the prevailing theme among orgs recently is to bolt SOCs/MDR and other services onto a low-maturity, low-capability IT organisation in the hope that this magics all the security problems away. This sounds lovely; the salespeople will almost certainly productise your security improvement journey and make it sound like a dream.
You will likely then have low-maturity IT and low-maturity security capability.
This will not improve things but will likely add to your constraints, as resources are consumed responding to false positives (because the SOC will ask you to confirm everything they do and ask for authorisation to do most things).
So, much like you need marketing, sales and cashflow (the business) to support the fact that you need to maintain, manage and upgrade computer systems, you need that management-of-computer-systems part to work effectively before you start adding dedicated security capability.
As with most things in life this is not binary: to improve IT and security you can of course embark on this journey in tandem, but there is almost always a reality (unless you are implementing a green-field/service-specific architecture) that people (and therefore businesses/organisations) can only change ‘so fast’.
You might find adding an EDR sensible, but it doesn’t negate the requirement for configuration and asset management, let alone the requirement to manage change in a security-conscious manner.
As with all things, it depends; I can only show what I’ve seen in my travels. Bolted-on security, from what I have seen, does not work very well.
It can be a band-aid, but in the medium and long term you are going to need to sort out your IT if you want a successful and capable security program.