Mimecast has released the latest report from the Cyber Resilience Think Tank (CR Think Tank), highlighting four trends for building and operating a Security Operations Center (SOC). In the report, titled Transforming the SOC: Building Tomorrow’s Security Operations, Today, CR Think Tank members weigh the benefits and challenges of keeping a SOC in-house versus outsourcing it. The group also lays out key actionable tips for building a successful model for an organisation of any size.
As an independent group of security leaders dedicated to understanding the cyber resilience challenges facing organisations across the globe, the CR Think Tank provides prescriptive guidance based on lessons learned and decades of expertise. This latest report digs into the human element of team organisation, various cybersecurity strategies, and the tools and technology underpinning SOCs. The CR Think Tank agreed that what works for one organisation may not work for another and has identified the following trends as key factors to consider when building out a strategy for your organisation:
- The human element – upskilling is key
While the skills gap is clearly a challenge and it seems unlikely that any organisation will be fully staffed, the shortage does reveal an opportunity to upskill companies’ existing workforces through training academies or job rotations. “The primary driver for us are skills,” said Claus Tepper, head of cybersecurity operations at Absa Group. “And I think South Africa is, as everywhere else, fundamentally challenged to getting the right people on board.” To address that, Absa jumpstarted an academy to develop and train talent, recognising that it takes years for a team to become fully SOC-efficient.
In the report, all Think Tank members highlighted the importance of ensuring SOC analysts and engineers are tuned into the company’s cybersecurity strategy, business processes and overall business. Malcolm Harkins, Chief Security and Trust Officer at Cymatic, believes team structures can help with upskilling: “I believe structure drives behaviour,” Harkins said. “We’ve had creative ways of getting people out of their day jobs, such as job rotations between teams, and factory tours for security and management at just the cost of time and travel, because when people understand the criticality and unique needs of a function, they’re usually impressed.”
- In-house versus outsourced – relationships matter
Depending on business needs, third-party providers, as in other areas of the business, can be extremely valuable or, conversely, can hinder progress.
When an outsourced relationship becomes a cyber security partnership, an external SOC team can be a key partner in addressing issues and shaping the organisation’s long-term security needs. However, a lack of physical presence in the office can cause miscommunication or trust issues, which are detrimental to the business.
CR Think Tank members highlight that, whether the SOC team is internal or external, the onus is on the CISO to showcase the SOC team’s value. As that team’s function is not often seen as a core competency, building relationships with the senior executive leadership team will ensure CISOs have what they need to succeed.
- Technology and automation – avoid the security chase
Automation has the potential to transform the life of a SOC analyst, notably by increasing productivity and decreasing Mean Time to Resolution (MTTR). The experts recommend building automation into every project so that it becomes part of the organisation’s structure. When it is considered early on, automation becomes a natural part of every process. Shawn Valle, Chief Information Security Officer at Rapid7, agreed, stating: “Software developers build based on APIs, and then build UI on top of APIs, which is worthy of exploration in SecOps teams. That strategy of building automation from the beginning, we believe, makes analysts stronger and better versus using fewer people.”
The report highlights the potential of automation in the SOC but warns against overusing it, since automation can make an organisation’s actions easier to predict and therefore more vulnerable to threat actors. “Automation itself is a form of vulnerability,” said Sam Curry, Chief Security Officer at Cybereason. “You have to check your blind spot at pseudo-random intervals to see who’s hiding there because the machine will become predictable and therefore exploitable. So, the mission is not to automate for the sake of it, but to make the humans more effective, improving the value of their output without weakening the whole.”
The CR Think Tank agreed that business and security need to be in lockstep to be proactive whenever possible and avoid the security chase.
- Processes and Efficiency – seating plans as the key to success?
Finally, the report highlights the importance of physical proximity between security and technology teams.
Seating location within an office can make a big difference – many companies opt to put their tech and security teams next to each other to foster creativity, agility and better communication. For example, seating SOC teams next to the product team can improve efficiencies in terms of how they iterate and build new tools. However, for employees who work remotely, communicating with internal teams frequently to ensure alignment on priorities and objectives is key.
No matter what an organisation’s SOC setup is, the most important factor is relationships. SOC teams, whether internal or external, need to be invested in the organisation’s mission and its core targets. With talented individuals in short supply, training, upskilling and using technology for efficiency gains are key to transforming your SOC team.
Download the full report, Transforming the SOC: Building Tomorrow’s Security Operations, Today, for more insights from the CR Think Tank.