Five Recommendations for Smarter Security Operations

Cyber security labor statistics indicate the talent shortage problem is not going away anytime soon. This has forced many companies to innovate and create operational efficiencies to make the most out of available staff without adding burdensome and counterproductive tasking.

In recent years, this resulted in a shift in resource planning challenges for cyber security executives. The conversations moved from “I can’t get my resource needs funded” to “I can’t find resources to achieve my objectives.” If you are a cyber security executive struggling to maintain a high level of security with your current staffing resources, here are five recommendations for smarter security operations:

  • Process Mapping: security operations at most companies consist of processes, tools and personnel that typically operate in firefighting mode. This can lead to inefficiencies, because there never seems to be enough time to get off the malware-busting hamster wheel and analyze the effectiveness of your operating activities. This is where process maps come in handy: the exercise requires detailing the activities carried out by the operations team and mapping out how each activity starts and finishes. The outcome should uncover areas for improvement and opportunities to eliminate non-value-add steps. There are various process mapping software tools that can help with this exercise, but a simple whiteboard session can be just as effective.

  • Threat Modelling Framework: A threat modelling framework gives your team a schema for how to categorize and handle known threats. This can eliminate unnecessary triaging of incidents and reinventing the wheel for similar attacks. Threat modelling can also be a powerful framing tool for security operations teams because it requires you to view your critical assets from the adversary’s point of view.

  • Automation: Like DevOps and Agile, automation is becoming another overused buzzword with many definitions. To avoid the same trap, in this context automation simply refers to compressing several steps to save time and reduce workloads. In security operations, there are many data points you must process before implementing any detection, prevention or response action, including data from intelligence gathering, monitoring tools, vulnerability assessments and penetration tests, to name a few. Invest in tools that reduce the manual effort required to make sense of all this information. A SIEM (security information and event management) platform is probably the most popular example of an investment that can automate the information collection and validation processes for an operations team.

  • Smarter Teams: Cyber security knowledge continues to be a scarce commodity. In this environment, it’s wise to devote time to shrewd structuring of your operations teams’ responsibilities. Most operations teams have a three-tier structure (Tier 1, Tier 2 and Tier 3) that defines roles and responsibilities. If you subscribe to this structure, it is important to look at the day-to-day activities of these roles to uncover whether you could gain efficiencies from outsourcing. For example, Tier 1 and Tier 2 operations analysts may be stuck on menial tasks that could be outsourced to a managed security services (MSS) company or replaced via tools and automation. This allows your Tier 1 and Tier 2 analysts to focus on developing Tier 3 skill sets. On the other end of the spectrum, Tier 3 analysts are more skilled and, therefore, more sought after in the industry. As such, it may make more sense to outsource Tier 3 responsibilities to a reputable MSS provider.

  • Business Model Mapping: As with most business functions, resource constraints lead to a reduction in capability. This means you must make critical decisions about which parts of the organization to focus your security operations efforts on. You can determine how to allocate security resources by evaluating your organization’s business model. In a business model mapping exercise, you evaluate critical functions to understand how bad actors could impact critical business operations. For example, in manufacturing organizations intellectual property (IP) is vital to the business, so those companies’ security operations should focus primarily on how to avoid a breach of IP.

The impact of smarter resource allocation will continue to be a major factor for the cyber security function as the gap between supply of talent and the demand for more mature programs grows. The above recommendations are table stakes for anyone tasked with growing their security operations capabilities, even when there are no resource restrictions. Security leaders should strive to achieve efficiencies now before bad practices overwhelm their operations’ capability later.