In its latest book, 11 Strategies of a World-class Cybersecurity Operations Center, MITRE states that while SOCs perform critical work protecting their organizations, they are often underfunded and undervalued. SOCs should align with, protect, and support the business — and Resolution Intelligence Cloud from Netenrich can help. This is the second post in our series outlining how to implement MITRE's 11 strategies to secure — and scale — your business.
CHALLENGE: SOCs are on the front line in defending a constituency’s cyber assets. Where they sit in the organizational structure, and how they are funded, directly impact their ability to fulfill their mission.
Every day, SOCs are responsible for protecting an increasingly complex organizational infrastructure against sophisticated threat actors whose job is to find gaps, exploit vulnerabilities, breach networks, gain footholds, establish persistence, and steal, encrypt, or destroy valuable assets. That’s a lot to tackle without adequate funding and, more importantly, without sufficient authority to determine cyber-protection priorities.
But getting authority and funding requires that SOCs show value to the powers that control budgets. So how can a SOC leader assess the value of something not happening and quantify it in currency?
The recent SecurityWeek article “Quantifying ROI in Cybersecurity Spend” shows that it’s not easy to place a value on cybersecurity, especially when nothing bad happens. Too often, executives see SOCs as cost centers, where a bunch of people seem to be sitting around not doing much. They begin to wonder what they are paying for, and CISOs begin to feel like fuse boxes, just waiting to get fired.
Put another way, CISOs are like goalies. People tend to remember goals scored, rather than goals saved. Inevitably, something will go wrong, a threat actor will score big, and fingers will point at CISOs, whether they had the latitude to make the save or not. It can seem like a no-win situation, and it’s one of the reasons MITRE wrote this book: The current system is broken.
In its 2022 Cyberthreat Defense Report, CyberEdge reported an upward trend of organizations allocating more of their IT budgets to information security, year over year, between 2018 and 2020 — from 12.1% to 12.8%. Over the next two years and despite no slowdown in emerging threats, that number leveled off to 12.7%. CyberEdge suggested a gating factor: Not enough skilled people to deploy and run new technologies.
A dearth of skilled people has several implications. Salaries go up as businesses compete to hire skilled staff. SOCs can’t keep buying more tools and assume their current staff can manage them effectively. The more stressed the SOC staff are, the more likely they are to quit.
No one wants to spend money on security if they believe it could be better spent on business innovation and revenue-generating services. But also, there’s no game without defense — and with defenders in short supply, it’s a delicate balancing act.
In his novel Anna Karenina, Tolstoy posits that every unhappy family is unhappy in its own way. The same could be said about unhappy SOCs. Every SOC has its own story, its unique challenges, but also, what seems to be a rather strange, universal barrier to success: A lack of authority to do its job. Ubiquitous or not, it’s a big enough problem for MITRE to call it out.
Now, imagine a world where SOCs and CISOs could more easily demonstrate their value. Where they could show executives the threats they are thwarting, the business disruption they are preventing, the dollars in lost business they are saving. Where they could provide the situational awareness needed to command authority and show that they are taking proactive steps to protect the business.
Authority and trust go a long way in creating and maintaining a happier and more effective team. Competent people like to make decisions, and good managers must give them the support and flexibility to do so.
With Resolution Intelligence Cloud, they can. The platform ingests all of an organization’s security and operations data and empowers SOCs and their digital ops colleagues with a common operational picture (COP) that allows them — and in turn, their business leaders — to have situational awareness. With this complete picture, they can identify risky behaviors and pre-incident situations, rank them by business risk, and correlate extensive context to take fast, decisive action to minimize any potential damage.
They can show their leadership the damage they’ve avoided — goals saved — and that enables them to start quantifying value and assessing the business risk that the SOC addresses. And they can up-level their current staff, making them more effective and a lot less stressed, so that SOC leaders can get out of the hiring craze and focus on securing the business more effectively.