Security operations centers offer some pretty clear business benefits: improved situational awareness and visibility, reduced long-term security costs, and less siloing of operational security. But despite those manifold benefits, SOC adoption isn’t universal. Far from it: according to EY’s Global Information Security Survey, 2017-2018, only about half of all surveyed organizations have an SOC. What’s going on with the rest?
Well, there are some pretty significant challenges to building and operating an SOC. For one, upfront capital costs can be prohibitive, which is not ideal for cash-strapped organizations, even if the investment pays off in the long term with a lower incidence of security mishaps down the line. Further, external and internal security regulations introduce another level of complexity to the SOC development process.
Of course, the challenges don’t end once the SOC is fully operational. Since SOCs centralize security operations, SOC teams deploy many different technology combinations, sometimes as many as 20, even though an operational security management platform can offer a vastly more consolidated feature set (see below).
Fortunately, those common SOC challenges can be surmounted with the right practices. For starters, organizations shouldn’t drive security strategy out of their SOCs, which are first and foremost operational units. Nevertheless, an SOC’s mission must be aligned with the organization’s overall physical security strategy. For one, that strategy lays down the organization’s baseline risk tolerance level. Additionally, successful SOCs continue to scale with their organization’s footprint as it changes.
Context-aware threat intelligence is important here, and an SOC that does the front-end work of threat assessment is far more likely to be effective than one that doesn’t. That assessment helps staff discover the physical security gaps in need of greater focus (and protection), for example through more granular knowledge of the facility’s layout and of how employees behave within their physical environment. The assessment also games out the impact of potential security incidents and their possible effects on security personnel, all of which helps determine the organization’s physical security requirements. Those requirements can include any of the following:
- Identify and control individuals who enter and exit the facility
- Track movements of building occupants and assets
- Control access to restricted areas
- Track and locate equipment, products, and other resources
- Track the location of personnel on site in the event of an incident
- Integrate control and security systems for greater speed and efficiency
- Protect process automation networks and systems from potential intrusion
- Respond quickly to alarms and events
These requirements are part of the organization’s larger incident response framework, in which the SOC plays a key role. Indeed, the genesis of the SOC might have been to shore up physical security incident response, by giving the organization a centralized facility to consistently and continuously triage detected threats.
Another tip: the best SOCs are governed by established, rigorous processes. Their teams are engaged in continuous training that keeps pace with the emergence of new threats. Looking to implement other SOC best practices? Download our guide to operating an SOC.