Security Operations Center Challenges: 5 Ways to Ruin a SOC

Written by Netenrich | Tue, May 26, 2026 @ 07:15 AM

By Christopher Morales, CISO and Head of Security Strategy, Netenrich

I’ve spent enough time in this industry to see a lot of "innovative" approaches to security, but let’s face it: trying to solve real Security Operations Center (SOC) challenges is exhausting. You have to map attack surfaces, validate controls, tune alerts, and - worst of all - actually resolve complex threats.

Who has the energy for that?

If you’re tired of the heavy lifting required for true cyber situational awareness and long for the good old days of reactive, chaotic panic, you’ve come to the right place. Based on my observations over the years, here is my definitive, five-step recipe for ensuring your security operations completely and spectacularly fail.

1. Build a "Data Graveyard" (Because More is Always Better)

Why use intelligent correlation when you can just drown your analysts in raw logs? If your goal is to ensure your day-to-day SOC challenges are completely insurmountable, the trick is to ingest every single piece of telemetry from every toaster, smart bulb, and legacy server in your environment, and then dump it all into one giant, unsearchable bucket.

By ensuring your team has to sift through 10,000 low-fidelity "informational" alerts a day, you guarantee they will be far too exhausted to notice the actual ransomware payload executing in the background. It’s not a data lake; it’s a data swamp. Grab a snorkel and enjoy the mud.

2. Ignore the "A" and "C" (Threats Are the Only Thing That Matter)

If you’ve heard me talk lately, you know I champion the A.C.T. (Attack Surface, Controls, Threats) framework. Well, if you want to fail, I highly recommend dropping the first two letters immediately.

Why bother keeping track of your attack surface? Shadow IT is just your employees being "agile." And why audit your security controls? Just assume your firewalls and EDR agents are functioning flawlessly 100% of the time, despite never testing them. By focusing purely on chasing active threats, you get to live in a perpetual state of surprise. You can't defend what you don't know exists, which really takes the pressure off.

3. Worship at the Altar of Speed (MTTA Over Everything)

Want to know how to drive me crazy? Show me a SOC that measures its success entirely on a spreadsheet.

If you want to ruin your security posture, reward your analysts solely based on their Mean Time to Acknowledge (MTTA). If you incentivize your team to close tickets in under three minutes, they will absolutely do it. Will they actually investigate the root cause? Of course not! They’ll just hit "Resolve: False Positive" and move on to keep their metrics green. It creates a beautiful illusion of productivity right up until the moment your customer database ends up on the dark web.

4. Ban Critical Thinking with Rigid SOAR Playbooks

We’ve all been told that SOAR is the ultimate silver bullet for all your Security Operations Center challenges. To ensure total failure, I recommend using it to encode your most rigid, outdated processes into digital cement.

Create complex, "set-it-and-forget-it" automation workflows for every conceivable incident and forbid your analysts from ever deviating from the script. When an adversary inevitably pivots and changes their tactics - because, you know, they are humans who adapt - your SOAR platform will be stuck trying to execute a "logical" step that no longer applies. The attacker gets lateral movement; you get a perfectly automated dead end. Win-win!

5. Weaponize Agentic Chaos Against Yourself

Everyone wants to talk to me about "Agentic" workflows right now. So, if you really want to fail, why not use them to blindly sabotage your own network? Give a fleet of autonomous agents full, unsupervised "write" access to your production environment. Skip the "human-in-the-loop" safeguards and ignore ground-truth validation entirely.

When an ungrounded agent decides to "solve" a minor suspicious login by proactively shutting down your entire global, customer-facing cloud infrastructure... well, look on the bright side: the network is technically perfectly secure if nobody can use it.

The Reality Check

If reading this gave you mild heart palpitations, good.

It’s surprisingly easy to slip into these bad habits. I see too many teams out there drowning in these exact SOC challenges - saturated with noisy data, metric-chasing, and rigid processes that prioritize efficiency over efficacy.

At Netenrich, my team and I believe in the exact opposite of this list. We believe in true cyber situational awareness. We believe in mapping your attack surface, continuously validating your controls, and using agentic systems not as rogue decision-makers, but as an incredible force multiplier for human expertise.

If you're ready to stop failing and start actually resolving threats, let's talk. But if you really want to build that Data Graveyard... well, good luck out there. You're going to need it.
— Chris Morales


About the Author

Chris Morales

Chris has advised and designed incident response and threat management programs for some of the world’s largest enterprises and cybersecurity companies like HyTrust, NSS Labs, 451 Research, Accuvant, McAfee, and IBM. Most recently, he led advisory services and security analytics at Vectra AI. He holds a degree in computer science from Texas A&M and is a CISSP.