Interview: The inside word on Exabeam's State of the SOC report
As security operations centres (SOCs) become commonplace amongst businesses across the globe, the cybersecurity professionals responsible for running the centres have a pretty clear idea of what they need.
That's according to Exabeam's latest State of the SOC report, which explores UK and US cybersecurity professionals' views about their work.
Amongst the highlights, the report found that 91% of SOCs have been operating for three years or more, and 55% believe their SOC is sufficiently staffed.
Respondents also rely on outsourcing: 5% outsource their entire SOC, while 95% outsource parts of it. They rely on outsourcing for detection and monitoring, while response and expertise remain in-house.
We quizzed Exabeam's chief security strategist Stephen Moore about the report's key highlights.
What was the thinking behind the report?
Depending on the location of your desk, your perspective and daily professional pain will differ. From personal experience, I know that the views of teams working on the front line of cybersecurity can be at odds with the executive team.
We wanted to find out how widespread this issue is and also to better understand how those working in the SOC think about critical areas such as technology, hiring, skill sets etc. – all of which contribute to well-run and efficient SOCs. We questioned everyone from the front-line worker to the C-suite.
What did you find?
The report highlights technology challenges; hiring and staffing issues; processes and pain points; as well as finance and funding difficulties, all of which have the potential to limit the ability of SOCs to tackle ever increasing volumes of security alerts and potential cyber attacks.
It also identifies a number of key differences between US and UK SOCs. This was especially noticeable around technology, where 79% of managers and frontline employees expressed frustration with outdated equipment, compared to 22% of CIOs and CISOs. However, all job functions highlighted false positives and keeping up with security alerts as a top-of-mind concern.
This disconnect was clear when it came to staffing levels too. 45% of SOC professionals believe their SOC is understaffed, and of those, nearly two thirds (63%) think they could use anywhere from an additional 2-10 employees.
It's interesting that for most organisations it would take a breach or at least a "near miss" to get approval for another 10 associates. And 62% of managers and frontline employees see inexperienced staff as a key pain point, compared to just one fifth (21%) of CIOs and CISOs.
When the survey compared the function of a SOC between the UK and US, it found little or no noticeable difference, with the US edging slightly ahead in perceived abilities in the area of identity and threat assessment, and the UK slightly ahead in data loss prevention and malware analysis.
Were there any other surprises?
Only 51% of the companies who responded had cybersecurity insurance in place. What's interesting was the reason not to add it; many executives said it was too expensive and therefore elected not to buy it.
Without question, the adoption of cyber insurance is a business decision, not a technical one. This could be an indicator that CIOs and CISOs are owning too much of the pain and acting on a decision that is better owned outside of technology.
More UK organisations have it than in the US – but still, the number is low. Maybe CIOs look at the cost and think it is too expensive to add to their budgets? Who knows?
How do we change things?
Your business faces a cybersecurity crisis – whether that's an internal leak or a data breach – and the SOC must be able to manage, repair and explain the event in a timely manner. The public reputation and private careers of leadership depend on this overwhelmed resource.
Even though the burden of technical security is on frontline employees working in the SOC, when questions are asked of a business' security posture, it's the C-Suite that needs to have the answers. From where will these answers come?
Communication is key. Both groups need to make time to talk. If there's a recurring problem that keeps getting brought up in emails and tickets then face it, don't let it be buried in emails.
If your company gets audited, or breached, all of these forgotten complaints and requests will come to light. It's far better to identify them beforehand. CISOs need to be portrayed as the right person for the job, and they need to lead from the front. Security is not a job you can sit idly by and watch happen. Make time to communicate with staff, and prioritise their pain.
Any final thoughts?
Organisations today face an ever-increasing number and variety of threats – and any disconnect between SOC leadership and those on the ground managing day-to-day operations – no matter how small – should signal an alarm bell.
Any disconnect between the executive team and those at the coal-face of cybersecurity practice could leave an organisation open to the worst that cyber criminals have in their war chests – and if that happens it's too late to talk.