Vision vs reality: why CISOs should look under the bonnet to understand what's really happening in the SOC

A major disconnect between management vision and the experience of frontline workers could ultimately put the operations of the Security Operations Centre (SOC) at risk.

This is a contributed article by Stephen Moore, Chief Security Strategist at Exabeam


Today's CISOs hold significant responsibilities on a number of fronts, everything from cybersecurity to keeping data safe, secure, and accessible at all times - not to mention business challenges and matters such as governance, risk and compliance. Little wonder then that for many CISOs, the capabilities of their Security Operations Centre (SOC) are critical for ensuring that potential security incidents and operational risks are identified, analyzed, defended against, investigated, and reported on.

Yet many CISOs appear worryingly out of step with the on-the-ground realities being experienced by their SOC teams working at the coalface. This disconnect could create a false sense of confidence in the analytic and response capabilities of the SOC, and in its operational effectiveness when a crisis strikes.

Indeed, the findings of Exabeam's recent 'State of the SOC' report highlight some stark differences between the views of leadership and those of the personnel who actually work in the SOC with regard to its processes, technologies, training and funding. It's this disconnect around fundamental challenges that may inhibit the SOC's ability to do its job effectively and efficiently.


Top pain points vary according to role

While the top pain points for CISOs and CIOs were false positives and white noise, for SOC managers and frontline employees like analysts, the biggest challenges included grappling with a high percentage of out-of-date systems and applications and spending a disproportionate amount of the working day on reporting and documentation.

For example, while 79% of managers and frontline employees voiced frustration with outdated equipment, just 22% of CIOs and CISOs saw this as an issue. And while all job roles highlighted false positives and keeping up with security alerts as a top concern, frontline workers were twice as likely to view this as a significant pain point compared to senior executives.

But the differences of opinion don't end there. When it comes to reporting, executives appear strongly focused on examining the raw number of incidents and false positives, while SOC managers are much more concerned about detection-to-containment-and-eradication times.


Mind the resource gap

Significantly, almost half (45%) of SOC professionals surveyed identified understaffing as a primary concern, with almost two-thirds (63%) going on to say they needed between two and 10 additional employees to maintain optimal SOC operations.

That's a big funding ask for many CISOs to resolve. But this widespread perception of under-resourcing among SOC teams that feel overworked could perhaps be resolved in a more straightforward fashion. Implementing new processes, technologies, pre-scripted responses or orchestration tools can boost operational efficiency and release staff to focus on bigger and more strategic issues.

With 47% of frontline workers and managers concerned about keeping up with security alerts, and worried about the negative impact this has on the quality of their work, getting this fixed is vital to enabling a strong analytic and response culture. This is particularly important when you consider that over a quarter (26%) of respondents said their tools were out of date and not user friendly, 38% are frustrated by the lack of integration between security tools and 31% are struggling to perform thanks to outdated technologies.


Upskilling the workforce

The real-life skills and experience of frontline staff are a further major cause for concern for SOC workers. The State of the SOC survey found that 62% of managers and frontline employees identified working alongside inexperienced personnel as a big problem, yet just one-fifth (21%) of CIOs and CSOs recognized this as a potential issue.

Understanding whether experience levels are genuinely hurting the performance of SOC teams - and where the skills and capability gaps lie - depends on CISOs actively canvassing SOC managers and frontline personnel. They need to invest in face-to-face, visible interactions to get to grips with the pains and ambitions of their personnel.

Building these relationships not only enables CISOs to make appropriate decisions about how training resources should be allocated to better support team workloads; it also opens the door to discussions about directed soft-skills training in core areas like team communication, leadership, and personal and social skills - all of which can help build cohesive, productive and effective teams that work well, especially during a crisis.


Grasping the opportunity - learn from people on the ground

The findings of the State of the SOC report highlight how many CISOs are unaware of the underlying issues that could potentially impact SOC performance. Whether it's understanding the realities of the technologies and processes currently in operation or the caliber and workloads of personnel working on the frontline, getting to grips with any disconnect between executive perceptions and workface realities is a critical first step to identifying what needs to change - and how.

Those CISOs that don't have their finger on the pulse when it comes to what's really going on under the surface risk facing a tsunami of very public challenges should a breach occur - and the SOC fails to respond as expected. The answer, as ever, is to dig below the commonly reported statistics and walk the floor on a regular basis to build insightful and open relationships with the people that count - those who can shine a light on the real state of your SOC's analytic and response capabilities.