People and process are just as important to the creation and management of an effective Security Operations Center (SOC) as technology, according to experts speaking at Infosecurity Europe today.
Vodafone group technology security director, Emma Smith, urged attendees not to get swept up in the glut of innovative new tools flooding the market.
“Process, behaviour and culture can deliver more bang for your buck than technology could ever deliver,” she argued. “You need to attract and retain the right people.”
Firms that are successful in doing this offer a clear career path to joining IT employees, Smith added.
Others on the same panel – including O2 Telefonica director of business operations, Adrian Gorham, and Close Brothers CISO, Chris Gibson – agreed, the latter adding that “giving people an interesting job keeps them interested”.
Gorham continued that processes are key to running an effective SOC, because no center can run in isolation.
“The SOC monitors and picks up alerts but it must have solid relationships with other parts of the business,” he added, name-checking the internal CERT, network monitoring center, service management department and IT operations.
“If you want to make anything work, you need to work with systems architects and business analysts,” Gorham argued.
Head of information security at the London Metal Exchange, Russell Wing, agreed that processes are “crucial” to a smooth-running SOC, initially helping teams to better understand their environment – the first step towards better threat detection and response.
“You also need to make sure the SOC has the right metrics and response processes to be able to close down attacks quickly,” he added. “You can’t secure what you can’t measure. You need to know what happens in your environment, so metrics are very important.”
A good place to be start is measuring C&C traffic coming out of the organization, as that will provide SOC teams with a good indicator of whether hackers are getting around existing defenses,” Wing explained.