If humans are the weakest link in the infosec space, then it is imperative to foster a strong internal culture that promotes vigilance, responsiveness and accountability in the face of threats. That rule applies to not just general employees across your organizations, but also the security professionals working within your Security Operations Center.
But building that culture is a long-term challenge. So where do you start? And how do you sustain the cyber behaviors you’re trying to reinforce? Jordan Silver, senior manager of service delivery at Hawaiian Telcom, offered his own unique takes on this in a presentation this week at CyberRisk Alliance’s InfoSec World Conference in Orlando, Florida.
According to Silver, a lot of speakers at cyber industry events cite the importance of having a strong security culture. And yet, “not a lot of people talk about how to build that culture. …”
Silver said that developing a culture among your SOC employees starts at the top. It requires strong leadership and a deliberate effort to bring your expectations to fruition.
“Culture is generally shaped by the worst behavior we, as leaders, allow to exist,” said Silver. “…If you decide that you want a culture that matters, and that'll be good and beneficial for your organization, you have to actually be intentional about driving that.” Otherwise, you’re leaving it to your SOC employees to develop their own set of workplace norms for themselves — “and you don’t want that,” he continued.
Silver shared a series of recommendations on how to shape SOC culture. For starters, you’ll need a clear vision, so all parties understand what’s expected of them. “If people don't know where they're going, they have no idea what they're supposed to do to get there,” said Silver. “Once you … know where you're going, you have to be … fanatic about communicating your vision. ... People want to know they're part of that vision and not just working for someone to do something they don't care about.”
If communicated properly, this vision can even give your employees a sense of fulfillment upon achieving it. And don’t be shy about repeating the message, Silver added.
“If it feels like you're saying it too often, it’s probably just right,” he said. “You're gonna tell them weekly, you're gonna be telling them daily. Everything you do is going to tie back to that vision, if you’re doing it right.”
Having a tactical mission statement helps to further lay out expectations. For instance, the Hawaiian Telcom security group’s mission is “to continuously monitor and enhance an organization's security posture, while protecting, preventing, analyzing and responding to cybersecurity incidents — with the collaboration of technology, well-defined processes and procedures, and the aloha spirit.”
It's also important to explain why your policies and procedures are what they are, rather than forcing employees to blindly follow orders. That way, if your normal operating procedure fails to fully mitigate a major incident, the SOC employees at least fully understand what the intended endgame is, which increases the odds that they’ll take the right steps to get there.
Silver also emphasized the importance of showing confidence in your SOC employees, allowing them some flexibility, self-sufficiency and autonomy while adhering to your vision. After all, “Why hire smart people if you're then going to dictate everything they do all day long?” Silver asked. “How many of you go to work and say, ‘I really hope that I get micromanaged today and get told exactly what I should be doing’?”
“You teach them the why, you teach them the what, and let them go to town,” Silver continued. Delegation also benefits CISOs and other security leaders, because it means they are not constantly buried under work, he added.
Silver said when delegating to employees under your charge, follow the 80% rule: If the end product is 80% as good as you would have done, that’s worth it, because your employees are “going to be excited that you trusted them, [and] they're going to take ownership of it,” he explained. “And that ownership is going to make it so much better than anything you could have done because it's permanently off your plate, and… that 20% probably didn't matter that much.”
Beyond setting a mission, you also should establish clear individual goals for SOC employees — and these goals must be explicit, not vague.
This isn’t always easy, especially if the company tends to emphasize revenue and financial ROI as its chief KPIs. “When we're talking EBITDA in the hundreds of millions, as a SOC person, I don't see that, I just can't connect. The numbers are too big. The goal is too far out. It's too many clicks away from me,” Silver explained. That’s why it’s important to lay out realistic and measurable department-specific goals or KPIs that spell out which job functions are most relevant to completing the mission you’ve set forth. And “because they're measurable, and they're attainable, they actually have an impact. And then people feel good about it,” said Silver.
And don’t overload the employees with these KPIs either. Choose your best five measurements of success, Silver advised. “The way I was taught to kind of think about it was: If you're in the middle of an island somewhere and all you have is your iPad, what five numbers will tell you if your team is doing their job correctly?” he said.
Silver also emphasized creating a positive, supportive atmosphere for SOC workers, starting by creating an environment of “pure accountability,” which means that “it's your job to hold your partners and your peers accountable for what we all said we're going to do. It's not my job as a manager to scold someone when they do wrong. It's my job to make sure that the team is empowered to understand it's their job to correct each other, to help each other. And that's the best kind of accountability.”
That requires trust, which security leaders must earn over time through thoughtful interactions and open, honest communication with their employees.
Silver’s other key recommendations were to hold regular group meetings (which can be opportunities for fun and socialization), and one-on-one meetings “where you can spend time helping your employee be better at whatever they want to do.” He also advised documenting employee workflows, procedures and responsibilities in writing; encouraging training and industry education; and being worker-friendly with policies such as time off.
“Be the leader you wish you had,” he said.