The Security Operations Centre's relationship with the business
In many cases, the security of an IT system could be much improved if we could only get rid of the cause of most of the problems – the users.
Certainly, if you look at many cyber security textbooks, that is a common undercurrent, even if it is not explicitly stated. However, the reality of the situation is that, in most cases, if computer security prevents the business from working, then we are not being secure and are, in fact, doing a denial of service attack on the organisation that we are meant to be serving.
For this reason, we need to be aware of how the Security Operations Centre (SOC) interacts with the rest of the organisation we are working with. This will involve a two-way communication with the rest of the organisation and mapping the SOC’s objectives to the organisation’s business needs.
The basics – what is the organisation for?
The first stage in ensuring the SOC meets the business needs is to identify the key business processes where IT is used, or where security is a potential issue.
If there is already an IT division in the organisation, then that is a sensible place to start as they should have a list of services that they provide and an understanding of their criticality to the organisation.
Another useful source of information is available if the organisation has undertaken any risk analysis, as the information from that may highlight the business priorities. However, these are only starting points, and a more structured analysis of security issues will need to be undertaken at some point (e.g. looking at information security risks using the ISO 27005 standard).
Culture and capability – what can and will the organisation do?
As well as knowing what the organisation needs in the way of security to meet organisational needs, you also need to understand the culture and capability of the organisation.
Capability is the ability of an organisation to put in place the security controls that you wish to implement. This will be determined by a number of factors. The most obvious of these is budget – if you are a small organisation then it is most likely that you will not have the money or the staff resource to operate a complex set of security controls.
Another factor is the ability of staff in the organisation to implement the controls that you wish to put in place. Here we are not talking about the staff in the SOC, but the staff in the rest of the organisation, who are likely to have varying degrees of IT knowledge. This needs to be taken into account when deploying any security controls that members of the organisation will interact with.
Culture is more nebulous but is still important. With culture we are concerned with how important security is to the organisation (both as an organisational entity and as individuals in the organisation), and how likely people at all levels are to listen to and follow any security advice given. An important aspect of this is how risk-averse the organisation is, which in turn is often dependent on how risk-aware the organisation is. This is something that the SOC can help with and, in turn, help to modify organisational culture.
Communication – influencing change
As we mentioned above, it is not a one-way street, and the SOC is also responsible for taking a lead in security matters. In doing so, the SOC is responsible for helping to increase the security capabilities of the organisation and persuading the organisation to adopt a more security-aware culture. A key aspect of this is explaining the need for security in ways that align directly with organisational requirements and can be easily understood by people outside of the SOC. This is not always easy and, as discussed last week, having a business partner who is skilled in this can be very useful.
Education and training
When we are explaining the need for a particular aspect of security we may find that the organisation is willing to accept the need, but does not have the capability. It is here that an often overlooked aspect of the SOC comes into play – that of education. It is rarely up to the SOC to deliver the training itself; however, the SOC is ideally placed to advise the organisation on the type of training that is needed to reduce the likelihood of security incidents.
It is likely that at some point the operation of the SOC is going to come into conflict with the operation of other parts of the business. This commonly happens when a control or monitoring system is implemented that has a negative impact on the performance of another part of the organisation. Conflict of this type needs to be managed in a constructive manner and used as an opportunity for further communication between the SOC and the rest of the organisation.
Having clearly defined processes and procedures that have been approved at board level is very useful in giving a framework to help resolve these disagreements. They are also essential in helping to deal with emergency situations, when a fast response is needed and you want the SOC staff to be able to react without fear of recrimination for their actions.
It may not be possible to get the most secure IT system, but rather one that is appropriate for the organisation’s needs. This can sometimes seem an unsatisfactory situation to those involved with the SOC, but it is more usefully seen as a challenge: to build the SOC that is as well suited to that organisation as it is possible to be.
BSI (2018) Information Technology. Security Techniques. Information Security Risk Management. [online] available from https://bsol.bsigroup.com/Bibliographic/BibliographicInfoData/000000000030372032 [30 July 2019]
© Coventry University. CC BY-NC 4.0