If you are reading this blog, you are probably playing with the idea of securing your corporate information assets with a Security Operations Center (SOC) – a dedicated, centralized unit that continuously monitors, assesses and defends information systems, such as applications, websites, servers and networks. You are responsible for protecting your organization’s critical systems, data and applications from internal and external cybersecurity threats. You are familiar with the most recent data breaches, and terms like DDoS attacks, Mirai, phishing and ransomware aren’t new to you. You are worried about financial losses after a data breach, loss of customer data, damage to your reputation and brand, loss of market share, or legal consequences.
And, if you’re like most people, you don’t currently have the mechanisms in place to protect your organization from breaches and threats. According to the 2014 SANS Incident Response Survey, a whopping 55% of organizations do not have a formal incident response team and, as a result, cannot perform effective incident response when threats arise. You are determined to improve your organization’s security posture, and building a SOC is an increasingly important element for information security leaders to achieve that goal.
Building a SOC is not to be taken lightly, and presents a myriad of challenges. To help you get a head start in your planning and decision making process, we’ve gathered a list of six questions you should ask yourself.
Let’s face it, building a SOC is expensive.
If you’re in a similar position to most IT professionals, you probably don’t have a huge budget for security-related spending, and struggle to convince executive management to allocate adequate funds to secure your corporate data. And yes, businesses seem to spend a higher percentage of their overall IT budgets on security than ever before (PricewaterhouseCoopers, 2014). Regardless, most of us can probably attest that “more than before” is simply not enough when it comes to securing your network.
And your spending doesn’t end by building a SOC either.
In addition to the initial costs of building a SOC, you have to make sure to have enough funds to operate it and perform occasional repairs, replace personnel, invest in new technology etc. When preparing your budget for building a SOC, make sure to have the financial support of your executive management team by considering the following three elements at a minimum:
A successfully operating SOC requires a number of talented, experienced resources who possess the necessary knowledge in IT, information security, and incident response management. Ideally, SOC employees have gathered an array of experience of diverse environments and businesses, and have been exposed to a variety of different threat profiles in order to properly detect malicious activity when it occurs. Another essential “must have” is a great sense of curiosity and willingness to learn about what’s new in the cybersecurity landscape.
More often than not, today’s organizations are affected by the so-called “cybersecurity skills shortage”. According to a study of the international shortage in cybersecurity skills, 82% of all surveyed businesses report a shortage of cybersecurity skills within their organizations. There are simply too few bodies to fill our in-demand cybersecurity jobs.
In collaboration with your Human Resources team, make sure you research if there are enough available, skilled cybersecurity resources in your area prior to building your SOC. When building your staffing program, you will need to look for candidates for the following positions:
Good SOC employees are hard to find but even harder to keep. They are usually required to work a demanding shift schedule, keep up with the latest trends and developments in cybersecurity, work well under pressure, manage stress and never lose focus while looking for malicious activity on customer networks.
Truth be told, your SOC employees will likely have the same, if not higher, expectations from you as an employer than other employees. They are working on the front line in protecting your business from threats and breaches, and are often under considerable pressure to perform quick and flawless work. In this context, CSO Online reports that security professionals with incident response responsibilities are prone to frustration, stress, and burnout.
Make sure that your SOC employees receive adequate benefits and compensation levels that compare to or exceed the industry average. Allocate parts of your budget to bonuses, account for promotions, provide opportunities for growth and ensure that shifts are being distributed fairly amongst your team. In addition, make sure to embed regular training sessions in your employees’ schedule, and encourage them to pursue industry-relevant security certifications.
A successful SOC should be located in a secured facility with strict access controls and appropriate software and hardware equipment. After all, you are trusting your SOC to handle your organization’s most critical data, and should safeguard it accordingly. Verify whether your existing office space can easily accommodate integrating a SOC on the premises. If not, find out whether there are suitable alternatives in your immediate environment. If your SOC is in a new location, make sure that it is secured but easily accessible for your employees, and that you have a trustworthy contractor to help plan and build your SOC according to your requirements and wishes.
Today’s threat landscape is evolving at a rapid pace, and so must your SOC. Without regularly scheduled training programs for SOC employees and management, keeping them up-to-speed on the latest findings, threat detection, and mitigation techniques, your SOC will not provide you with the return on investment you’re hoping for. Keep in mind that even the greatest technologies and processes are worth nothing without the backing of talented and trained people who operate them.
Make training and knowledge transfer a regular part of your team’s schedule, and assign somebody in your organization to design a comprehensive training program. If you don’t have the resources in-house who can assist, look for external resources that you can offer to your team to keep them up to speed.
Finally, if you’re considering building your own SOC, you’ll have to acknowledge its complexity and familiarize yourself with the essential pillars of a SOC: people, processes and technology (SANS™ Institute, 2015). A well-functioning SOC requires communication and collaboration amongst several functions (people), varying steps and procedures (processes) and disparate security software and hardware (technology). Only when all three elements work together in harmony can your SOC be successful. Make sure to invest enough time, money and resources in each of these three building blocks to guarantee long-term success.
Source: “Building a World-Class Security Operations Center: A Roadmap”. SANS™ Institute, 2015.
“Ice-climbing requires trusted teamwork and agility to continually detect and respond to hidden dangers in a challenging and ever-changing landscape – so does your SOC.”
Source: Managed SOC. Ernst & Young Global Limited, 2015.
It comes as no surprise that most security professionals would prefer running their own operations in-house instead of outsourcing this function. In a perfect world, you would have a budget large enough to cover the expenses associated with building and operating your own Security Operations Center. You would have access to a large enough pool of skilled resources who would love to join you on this journey, and would stay on for the long haul, always alert to uncover the latest cybersecurity threats. In case of an incident, your team of dedicated security professionals would escalate the situation to the appropriate channels and work at mitigating the negative impact of the incident for your business.
Realistically speaking, only a limited number of organizations can afford to build and maintain their own SOC, let alone recruit and maintain the necessary pool of skilled staff – the key to sustainable success for an efficient SOC. For most security professionals, building a SOC remains an idealistic and unattainable project.
Indeed, more and more IT security professionals consider outsourcing their security to a third-party provider not simply to save cost, but also to save time and effort in trying to keep up with an ever-changing threat landscape (IDC, 2016). In a 2016 survey conducted by CIO, CSO and Computerworld, over half of all respondents reported that their organizations are currently enlisting outside security consultants to assist with their IT security strategy, and 40 percent are relying on Managed Security Service Providers (MSSPs).
Regardless of whether you decide to handle your security internally or outsource your network monitoring to a third-party provider, make sure to prepare yourself carefully for both scenarios by choosing an approach that aligns best with your corporate strategy, objectives, and budget. And most of all, don’t be shy to ask as many questions as you can to educate yourself!
“He who asks a question is a fool for five minutes; he who does not ask a question remains a fool forever.” - Chinese proverb