There’s no denying that the cybersecurity field is a demanding one. Practitioners are constantly on alert for new threats, and they often have to work long hours to keep systems secure. The volume of threats and the pressure of the job have led to burnout and turnover becoming a serious problem within the cybersecurity community.
SOC teams are our frontline defenders, and if they are stressed and under pressure, the overall effectiveness of the SOC will decline. For security leaders, the question is: How can you support your SOC team, give them the tools, resources, and training they need, and create a culture where they can excel, so that you can be confident your team is successfully addressing your organization’s cyber risk?
We had the opportunity to sit down and discuss this very topic with security leaders, including Josh Copeland, Cybersecurity Director at AT&T, Xavier Ashe, SVP of Security Operations at Truist, and Paul Keener, SVP of Cybersecurity Operations at City National Bank. You can listen to part of that conversation in the video below.
How You Can Increase Confidence that Your Cybersecurity Operations Team Is Performing Well
1. Provide dedicated training during onboarding and beyond.
Training is an essential part of any job, but it is especially important for security teams. To be successful, security teams need to be certified on the tools, products, and processes they will actually be using.
While there is no single hard-and-fast timeline for training, SightGain recommends a minimum onboarding period of three to four weeks. This gives team members the time they need to learn the necessary skills and become familiar with the tools and processes.
By taking the time to properly train your security team at the moment of hire and throughout their career, you can ensure that they will be able to effectively protect your business.
2. Review metrics and analysis to see how your team is performing.
By regularly measuring the performance of your security and vendor tools against the threats you face, you can evaluate how your security stack is performing against active exploits. You’ll also want to implement a repeatable process to evaluate your analysts.
By giving your analysts clear targets, well-thought-out goals for their work, and the ability to train within your organization’s production systems, you will create an environment where they feel confident and prepared to handle adversary activity.
3. Make decisions based on those metrics and outcomes.
Identifying the necessary metrics and associated outcomes will enable you to clearly articulate your next steps.
Here are a few examples of next steps you may identify:
You see that an analyst needs retraining to be more effective.
You identify an opportunity to create a standard operating procedure (SOP) based on how your analysts have handled alerts and incidents over time.
You spot a process that has been so effective that you consider adding that workflow into a security operations playbook to automate the task.
4. Report to senior leadership to show success, ultimately to get buy-in for existing and future initiatives.
As a security leader, part of your job is giving your team the vision, providing them with what they need to do their job well, and then getting out of the way and letting them work. You can then take their successes and lessons learned to the board and C-suite to showcase their expertise and where they are excelling, along with areas that could use further investment or that present opportunities for future initiatives to strengthen the organization’s security posture even further.
5. Relentlessly pursue a positive, affirming culture.
Lastly, culture is an underlying component of a confident security operations team that can’t be overlooked. Make it clear that effective security operations are the result of a team effort, and build a culture where you share successes and difficulties, especially across silos within your organization.
A key part of learning and growing is letting analysts know not to be afraid to fail. Fail fast, fail often, but never fail the same way twice. A culture of trust and sharing allows your team to learn from each other and improve.
Finally, when you see an issue, address it as soon as possible. This builds trust: your teams learn that whenever there is an opportunity for improvement, you will consistently identify it and take action on it.
What Steps Do I Take to Measure Operational Effectiveness?
Within our industry, there are a lot of vendor tools that say they do a lot of things. But when it comes down to it, the question you should be asking is, “Are these ‘things’ actually happening and effective for us?”
That’s where SightGain comes in. SightGain is the world’s first Threat Exposure Management Platform.
By testing your controls against the malicious tactics you face, SightGain enables you to:
Train and improve your personnel
Determine the ROI of your security controls
Identify the cause of your residual risk
Find performance gaps across your people, process, and technology solutions
Automate reporting of efficacy for a variety of security frameworks
What category do you fall into? Our team is available to talk through your challenges and questions and show you how SightGain can help you improve your threat detection, train and test your security operations team, and slash your cyber tools spending by up to 20%.