What does it take to run a successful security operations center (SOC)? In interviews with top security personnel, the answer emerged clearly. You require three key elements: protocols, processes – and especially people.
Those first two are relatively easy to put in place. In most organizations, it's a matter of resources, organization and policy. The better (and better funded) those things are, the more successful the SOC will be. It's the third leg of that triad that is proving to be the biggest challenge today. The cybersecurity talent shortage is real, and it's growing.
How real? Worldwide, there are approximately three million cybersecurity jobs going begging, and given the constantly increasing needs for security solutions, that figure is only going to climb. By 2022, experts predict that the shortfall will be even greater.
The shortage is having a deleterious effect on SOCs. Running a security operations center is already an expensive affair; if you can't get workers to run it, you're just going to have to pay more in order to attract talent, assuming you can even find qualified personnel. If you're using SOC as a service, the fees charged will be going up as SOCs seek to hire the people they need. Meanwhile, the workload for SOC teams continues to increase.
That a SOC is an absolute requirement today is clear; incidents occur on a minute-by-minute basis, and they need remediation. Since many attacks are so sophisticated, you need top personnel to deal with these incidents. If the personnel just aren't there, what's a SOC to do?
One idea, of course, is to hire people away from another SOC. While that could be an effective short-term strategy, it's likely to be an expensive one, because you will have to outbid the other organizations that are also seeking top personnel. Even if you succeed in luring an employee, there's no guarantee they will stay.
Besides, just roping in personnel because they have a good background is not a successful strategy. In the modern world, the SOC team has to understand how different IT teams work, alone and together – how they are vulnerable, what the security gaps are, what to watch out for in the context of the work of the organization, how different attacks connect and might be related, and more. Doing that requires familiarity with the organization and its departments and/or clients that cannot be attained in a day, or maybe even in a year.
To successfully carry out their mission, SOCs need serious employees who are going to remain with the organization and use what they learn on the job to ensure constantly improving security. A better strategy is to take promising recruits and train them in what needs to be done – with a little help from their friends. Here are some ideas on how organizations can cope with a shortage of employees and still run an effective SOC:
Outsourcing: As in any big organization, you need support from the outside. This means using experts who have knowledge about specific threats and can help deal with them. That help includes mitigating the threats and educating staff about how to deal with them and similar ones in the future.
Nobody is expected to know everything, and new threats are coming onto the scene every day. That's why SOC staff need an outside “lifeline” that will supply the answers they need when faced with a new or unfamiliar threat.
Teams should choose service-oriented solutions with experts who will be just a phone call away, ready to provide quick responses. With that kind of backup, SOC teams will be able to quickly manage any incident, remediate it, and learn from it in a timely manner.
Multi-faceted solutions: How does a SOC protect its users/clients? With security software and systems. A good SOC will have a wide variety of those, deployed for the various departments/clients. While most of the systems on the market are effective in one context or another, SOC administrators will want solutions that manage threats across verticals, giving them maximum coverage. It's much easier to manage one platform, with one point of contact to provide assistance when needed.
One concern with any cybersecurity tool is ensuring that it is deployed effectively, and a big part of that is avoiding false-positive alerts. To prevent those, personnel need to get to know the security system and how it needs to be tuned so that day-to-day work activities do not set off unnecessary alarms.
Automation and orchestration: According to experts, there is a ransomware attack somewhere around the world every 14 seconds – and that's just one kind of attack. No human team can work at that pace, and no single security system can handle that volume. An effective SOC will have multiple systems with an automated management layer that “orchestrates” everything, properly organizing, prioritizing and managing incidents and threats. Such systems can alert personnel to the most urgent threats at any given moment, enabling them to direct resources accordingly.
Running a SOC – which may serve thousands of clients and users – is a complicated, messy and expensive affair, and finding personnel to run it is the most complicated and expensive aspect of the story. The most effective way of developing a SOC staff is to train personnel in-house, with the appropriate support from outside sources and quality security systems. With that kind of backing, SOC staff will do the job they were hired to do, without breaking the bank.