When thinking about the modern security operations center (SOC), it’s clear that security touches every part of the business in today’s enterprises. This means the SOC analyst team—which many perceive as a dark war room separated from everyone else—must become more integrated with teams from across the company, from product development to sales to the C-suite. As this new dynamic proliferates, CISOs need to become the biggest advocates for the SOC team’s ability to develop processes and acquire resources.
They also have to stand up for them in the board room. Here are four ways CISOs can communicate to their boards to advance the interests of the SOC analysts:
- Align the SOC with business objectives.
When something goes wrong in the SOC, it’s seen as a failure across the whole organization, whether it’s reputational loss, monetary loss, or legal liability. To minimize potential damages, the board needs a clear understanding of security priorities and how breaches can harm the business. By creating this alignment with the board, the CISO not only protects the business, but also demonstrates the SOC’s ROI. When making the case for how the SOC should align with business objectives, CISOs need to answer questions like: What trends are the SOC analysts teaching us? What are we learning? What are the types of attacks we see most often in our environment? What have we done to mitigate those attacks? And, are there more proactive steps we could take with the SOC so we can spot attacks sooner?
- Within the SOC, align people, process, and technology.
The transformation of the SOC drives the use of fewer tools—and that’s great! Organizations are optimizing the processes for gathering and using data efficiently while focusing on risk-based objectives, not just cyber hygiene. Case in point: We recently started working with the United States Air Force on an initiative driven by the Air Force Cyber Command (ACC) known as “12N12.” The Air Force wants 12N12 to replace, reduce, and consolidate the tools, systems, and applications Air Force operators and analysts employ within the cyberspace security and defense mission area to 12 tools within 12 months. This type of deployment more efficiently uses technology to outsmart and outpace our adversaries and frees analysts to focus on critical threat-hunting and resolution efforts. By honing in on the right technologies that automate the manually-intensive mundane tasks, SOC analysts now spend more time hunting for potential threats that can harm the business. This shows the board that the CISO knows how to make the most of scarce cybersecurity talent.
- Ensure your SOC management team acts like team.
When security teams are alerted to an incident somewhere in the organization, they often don’t “own” that asset and don’t have the authority to do anything about it without permission, creating an inefficient cycle of approvals. It takes a defined and collaborative management structure to ensure there’s a process from alert to remediation when there are different arms of the business intersecting with security. The smartest CISOs build coalitions with their IT counterparts and with management. Together they can show the board they’re prepared by outlining risk and communicating impact through methods such as a business impact analysis scorecard.
- Realize immaturity drives a lot of failures of the SOC.
SOCs can fail if the maturity of the SOC isn’t driven from the top down. Most notably, an immature SOC creates silos, even within the security group itself. The board needs to know the SOC runs as the central nervous system for everything done from a security perspective. CISOs should advocate for more security metrics to get reported to senior business executives and the board, and take it a step further by offering context alongside the metrics. Jeffrey Wheatman from Gartner did a great job of explaining this at the recent Gartner 2020 Security & Risk Management Summit: “If we're just talking about a vulnerability or missing patch or something like an entitlement review, most business audiences don’t know what those things are. They don't care. They don't understand how it’s going to help them achieve the things that they are measured on. We need to make sure that we are telling them the right story.”
As cybersecurity advances and the role of the CISO continues to evolve, we’ll continue to see CISOs develop a more direct line to the board. As boards increasingly understand the critical importance of effective cybersecurity, CISOs will have more opportunities to communicate how effective SOCs impact the priorities that top managers care about: sales, profits, the company’s public reputation and long-term growth.
Julian Waits, general manager, cybersecurity, Devo