Fail to prepare, as the saying goes, and you prepare to fail. This maxim certainly applies to most large-scale IT projects, and doubly so for Security Information and Event Management (SIEM) projects.

Recent figures from industry observers including Gartner have shown that SIEM projects have a surprisingly higher failure rate compared to other projects. Does that mean the SIEM concept is flawed? Not at all – otherwise companies wouldn’t even be attempting SIEM deployments. The benefits of SIEM are clear: rapid ROI, ongoing savings in manpower and equipment, more effective security management, and compliance with key legislation.

No, the failures simply highlight the fact SIEM is one of the most ambitious and far-reaching projects that can be undertaken by a company. Because SIEM ties together so many disparate technologies, and working groups – from specialised IT teams to C-level board executives, including risk control groups, compliance executives and HR on the way, project success is inevitably based on careful preparation and planning.

Points of failure

So what are the reasons behind the project failures? Gartner, McKinsey and other sources state that the leading reasons were, not altogether surprisingly:

• No cross-function steering committee was appointed at the outset
• Project owners did not have clearly defined roles
• Projects had no defined timescale, or where too ambitious for the timescale
• Requirements were poorly defined
• Poor planning for continuity or remediation.

Inevitably, poor involvement of non-IT teams was close behind. These reasons clearly highlight planning as an essential before starting a SIEM project.


But where should the planning and preparatory effort be directed, to minimise both risks and costs in a SIEM deployment? I believe there are four key steps which should underpin preparation work.

SIEM matters

Before we get to those four steps, let’s first recap what a SIEM system is. It’s software that takes input logs and alerts from a range of systems (firewalls, routers, anti-malware, servers, etc) and informs IT teams of unusual occurrences which warrant further investigation.

As well as collecting and storing this raw log data, the system safeguards the data for subsequent audit needs and for compliance-aligned reporting. This same source data satisfies multiple needs and functions, in that the security team will use it to see if any breaches have occurred; the IT team will check to see if network devices are working correctly; the compliance team will check to see that security breaches have not occurred, and so on.

Crucially, SIEM cuts information overload by reducing false positives and negatives, excluding “normal” activities from view (so reporting by exception), consolidating logs from different systems into single “alerts”.