Hopefully by now you’ve read our new paper “Keeping a Trusted Eye On Today’s Government Networks: Building or Realigning the Government Security Operations Center” and Rick Howard’s article on the talent needed for the SOC. If not, you can download them here.
For more perspective on the topic, let’s reiterate the need for process as an important component of your SOC planning. As a former Army officer and graduate of both the Naval Academy and West Point, Tim Haight understands the importance of process in government and - as former Chief of one of the Army CERTs - in particular in Security Operations Centers.
By Tim Haight, Owner, Knowetic Solutions, LC
Like many organizational capabilities, a Security Operations Center (SOC) can be described in terms of its people, process, and technology: three components that must work in harmony to deliver the services needed to keep the enterprise secure.
On the surface it seems clear why people and technology are essential to a successful SOC, but the importance of process can be more difficult to articulate – especially as it relates to a capability that many feel is more art than science. Nonetheless, process does play a critical role in the creation and operation of the SOC. Here’s why:
- The SOC is a service organization – just like the IT service organization. Adopting an Information Technology Service Management (ITSM) framework such as the Information Technology Infrastructure Library (ITIL) provides many benefits to the IT service organization. Embracing a similarly process driven approach will extend those same benefits to the SOC. Strategically, the “right” process approach can make the SOC more accountable to its customers and align SOC priorities with business priorities. Operationally, almost any process approach should reduce redundancies leading to increased resource utilization and quality of service.
- Effective organizations are not stagnant and process is a key enabler in defining metrics to be used for improvement. Process and metrics can sometimes be like the “chicken and egg,” but you will probably have situations where you design a process around the desired metric, and other times when you choose the metrics to evaluate a critical process. The important thing is to tie meaningful metrics to implementable processes, measure those metrics, and then use those measurements to improve over time.
- Your Information Security Management System (ISMS) does not need a SOC to be ISO/IEC 27001:2013 compliant. But if you have a SOC and you want to be compliant, it needs to be process-based. So if you don’t want to adopt process to be more effective or more efficient (see 1 and 2 above), then adopt process to be compliant.
- Process is a gap filler between the people and the technology. Your cyber security technology is not a complete solution – it probably does a lot, but at some point your SOC analysts need to take the output and make decisions. Likewise your analysts are not by themselves a complete solution – as gifted as they are, they still need technology to enable their success. Your people and your technology joined together by process is a complete solution. Focus process efforts on those points of interaction between the people and the technology. That balance helps guide junior analysts without stifling the creativity of senior analysts.
Process has an important place in the successful SOC. Hire the right people and implement the right technology, then get to work on defining and executing the right processes.
Download our new SOC paper here.