In the rapidly evolving realm of cyber security, the role of Chief Information Security Officer (CISOs) takes center stage as they navigate the complex landscape of digital threats. Troy Wilkinson, is a world-renowned speaker, a co-author of an Amazon Best Seller, and a trusted commentator on prominent news networks such as NBC, CBS, and Fox. Troy shared invaluable insights on how to maintain a robust Security Operations Center (SOC) with Black Hat attendees in Las Vegas earlier this month. This session was sponsored by Hunters.
1. Set Clear KPIs: Measure What Matters
Troy Wilkinson's voice echoes with resonance when he asserts, "You can't improve what you can't measure." This fundamental belief underscores the significance of establishing well-defined KPIs for the cyber security team. These metrics, carefully crafted, must align with the organization's overarching cyber security goals and broader business objectives. By defining tangible and measurable benchmarks, CISOs equip their teams with a structured roadmap towards success, ensuring that progress can be tracked and communicated effectively throughout the organization.
2. Don't Lose Sight of the Goal: Take a Holistic Approach
Troy firmly endorses that cyber security should operate holistically, as an enabler for the business while keeping security top of mind. This entails minimizing user friction by seamlessly integrating security measures into everyday workflows. Troy advises security teams to see themselves as part of the teams ‘selling’ the organization's products and services by minimizing business downtime, protecting sensitive data, and restoring systems quickly after an incident has happened. Taking a holistic approach positions cyber security as a critical business ‘function’ rather than a ‘friction’ that slows down employees.
3. Maximize Efficiency: Time to Value is Critical
In a rapidly changing economic landscape, ‘time to value’ is more important than ever. Troy sheds light on the importance of quickly proving the value of new solutions. Gone are the days that business leaders are given years to implement complex solutions. Modern CISOs are expected to successfully oversee a frictionless on-boarding process of a product or service that proves its value within days, weeks or months. This approach facilitates seamless integration with the existing deployments, and rapidly enables cyber security teams to detect and address emerging threats.
4. Prioritize Quality > Quantity When Working with an Outsourced SOC
As enterprises navigate the intricacies of modern cyber security, many turn to Managed Service Providers (MSPs) to enhance their SOC capabilities. Troy underscores the importance of obtaining high-quality tickets from these providers. This meticulous curation of incident reports is aimed at minimizing false positives and elevating high-priority concerns. Such stringent curation allows internal teams to focus on critical issues, thereby accelerating response and containment times.
5. Think of Cyber Security as a Business Function
Troy Wilkinson underscores the transformative power of viewing cyber security through a business-oriented lens. He encourages CISOs to move beyond the conventional boundaries of security and instead embrace it as an integral business function. By aligning the decision making process for cyber security with core business principles, CISOs will foster an environment where security initiatives become more effective and efficient, alleviating friction with the rest of the organization when it comes to adopting a security-first mindset.
6. Use Automation in the SOC to Enhance Efficiency
In his pursuit of attaining enhanced efficiency within SecOps workflows, Troy embraces the advantages of automation within the SOC. He dispels the misconception that automation means replacing the humans of the SOC. The value of automation is to empower SOC analysts to focus on higher-value tasks. Automation manages routine and repetitive duties, liberating analysts to engage with real threats and incidents. Being intentional about the use of automation can significantly enhance productivity and empower cyber security professionals to dedicate their expertise to strategic initiatives that improve the organization's overall security posture.
To establish and maintain an effective SOC, CISOs must think strategically about technology investments, speed to value, key performance metrics, and use automation to increase efficiency while reducing 'noisy' alerts that distract analysts from 'real' incidents.
If you'd like to hear gain more insights from seasoned CISOs, check out The SOC Show, hosted by Hunters' CISO-in-residence, Rob Geurtsen.