Security operations centers (SOCs) have changed dramatically over the last decade. Gartner predicts that by 2022, 50 percent of all SOCs will transform into modern centers with integrated incident response, threat intelligence and threat hunting capabilities, up from less than 10 percent in 2015. Organizations are investing heavily in tooling for detection and response as the number of incidents across the business grows exponentially.
The culture and the people who operate and manage the SOC have to adapt to the accelerated pace of business. In reality, there’s no silver bullet for the many challenges in security. No single security solution or individual can address every aspect of security. There’s a reason why everyone says information technology requires a combination of people, processes, technology and culture. Security covers many domains and disciplines, and the sum of these parts can drive a well-functioning security program, but only when you have the right strategy and operational model in place. However, to truly make a security program successful, you need to build a top-performing culture with the people who run the day-to-day operations of your program. I hope to shed some light on how we do that within our SOC.
I would argue that two of the essential elements of a SOC are its people and its culture. Talented experts improve the systems and processes needed to optimize and transform world-class security operations. You need talented people to pull all of the levers. You also need a strong, positive culture to motivate a team and infuse a transformational mindset in today’s complex landscape. And, while it may seem like a simple concept, your people need to collaboratively share diverse thoughts, expertise and experience to continuously improve the business’ security and the skills required to get ahead of the adversary.
Building a Strong Culture within the SOC through Career Development
When it comes to SOC culture, there’s no single person who can build or manage the environment. Business environments and IT systems have simply grown to be so complicated and distributed that no one person can be the single point of truth. Security brings together so many different disciplines that it requires specialized expertise when you get to the scale of an enterprise. And, you need a diverse team with a variety of backgrounds and experiences to handle the complexity.
Security is a team sport. All “players” in the game need to know the ins and outs of their respective positions and the strategies for their disciplines. One of the best ways I’ve found to empower my team is through collaboration. This is where I see SOCs transforming across people, process, technology and culture. It’s no longer acceptable for the functions to work in silos. For example, threat analysts need to work with network engineers, who need to work closely with Windows Server security experts and vice versa. The team members have to rely on one another to know how an adversary might operate using a variety of tactics and techniques. One of our objectives in the SOC is to detect threats that matter, to outsmart threat actors. We do that by bringing together the best and brightest talent with specialized competency.
Our global security operations centers foster a culture of trust, inclusion and openness. What do I mean by those three areas? Security, as a practice, requires professionals to trust and rely on their colleagues’ expertise to help secure systems. As a result, this trust drives a culture of inclusion and openness for new ideas, tactics and strategies. Think of it as a continuous learning opportunity. It requires our security experts to openly share their in-depth expertise and to trust that what their colleagues share is accurate and effective for mitigating risks. It is an environment of continuous learning, too, because a single person can never be an effective generalist. There are just too many important details that can be missed.
Another critical part of building a strong culture within our SOC is to encourage employees to own their skills development path. SOC employees are encouraged to pursue those security skills that are most interesting to them and that align with the needs of the business. Additionally, I encourage my team members to communicate and openly share with other SOC team members the skills and expertise for which they are known. We all need to stay at the forefront, whether through industry certifications, application certifications, publications or, most importantly, the problems we have solved for clients. All of these areas can be applied to helping other clients who face similar challenges. When your colleagues in the SOC know you have deep expertise in a particular area, they trust that expertise and can rely on your knowledge to help them solve a specific challenge for the client.
Focus on Elevating Success Stories to Solve Problems Elsewhere
Good security that does its job to protect systems isn’t usually celebrated. You often hear in the news of the latest breaches and the terrible data losses at large enterprises. It’s a security team’s worst nightmare. But, what about celebrating the successes of blocking nation-state adversaries, zero-day malware, or protecting the organization from a massive ransomware attack? These are the untold stories from the SOC.
Security practitioners and security operations teams tend not to celebrate the fact that they’ve prevented a significant cyberattack or blocked an adversary from inflicting more damage. As we’ve built our culture in the SOC, however, we celebrate the wins, the successful solutions and strategies that prevented a problem. By showcasing the successes of the team, we foster a continuous learning environment across all the members who make up the SOC.
We employ gamification and friendly team competition for finding specific types of attacks in the security environment. For example, many of our clients leverage penetration testing on their networks. It’s a best practice for our clients. It tests their systems and tests our services at the same time. If we fail to identify a pen-test for the client, they might wonder why we didn’t find that type of activity. Logically, you’d probably say the same of your own security operations if you conducted a pen-test. To avoid that outcome, we challenge our teams to proactively find pen-testers. When an analyst finds pen-testing activity, we recognize that analyst and share the tactics and techniques across the group as a learning opportunity.
Think about other ways in which you might leverage gamification and rewards for the security analysts in your SOC. Our team is self-motivating and resourceful when faced with a challenge. Its members will eagerly find solutions using the latest AI techniques, machine learning, or reverse engineering to quickly pinpoint a pen-testing exercise or other attack techniques. Our culture fosters an environment that harnesses our security professionals’ natural curiosity to find out how things work.
Additional Tips for Building Culture within the Security Operations Center
Collaboration, openness, trust and inclusion are critical elements to building our culture within our security operations centers. We also rely on gathering information from various systems and sharing it across platforms to speed up detection and response times, improve the quality of analysis and reduce the burden of alert fatigue for clients.
Below are some additional tips for building a world-class culture within a global SOC:
- Set up a mentoring program between junior and senior analysts.
- Set up learning paths for role specializations within the SOC.
- Facilitate lunch and learn sessions from subject matter experts to demonstrate their knowledge and expertise.
- Employ simulation-based training exercises based on current tactics and techniques to hone the practical experience.
In our next several SOC blogs, we will discuss the major roles in the SOC, the skills needed to stay ahead of today’s latest threats, and the most important metrics to track for various leaders in the business. And, if you’re looking to extend your security team, learn how IBM Managed Security Services offers 24×7 monitoring, management and response to advanced threats, risks, and compliance requirements in this latest video short.