Skip to main content

The unpaved road of an agile Security Operational Centre

Maintaining an agile SOC is no easy feat, but it’s essential for strengthening cybersecurity. Here’s why taking care of people should be at the top of every SOC strategy.

Last week, I went to KraftCERT Norway, held at the Norwegian Museum of Science and Technology, to talk about the processes of our agile Security Operational Centre (SOC). It was the perfect setting for a bunch of tech workers who want to get together and discuss our challenges. 

The presentation I delivered at KraftCERT, without delving too much into specifics, was about the People, Processes, and Technology principle. Not only from an SOC perspective, but also from cybercriminals’ perspective.

Learn more about security at Visma

Empowering SOC responders and analysts

I strongly believe that everything related to SOC is connected to people, processes, and technology. Together, these three things make the core principle of Visma’s SOC – with the people component being the most impactful. You can have the best technology and perfect processes, but without the right people you won’t succeed. This is something I’ve had to learn during my years working as a System Administrator, Developer, Pentester, Information Security Officer, Security Researcher, and now, an SOC Manager.

Incident Responders and Security Analysts play some of the most crucial roles when it comes to fighting cybercrime. They are the guardians of your company, and should therefore be involved in all processes, at all times. So, how do you keep them involved? As a colleague, I recognise the importance of nurturing their growth, actively listening to their perspectives, and collaborating closely with them. 

I understand that we need to break the silos between teams and work side by side to develop and improve our SOC. That means that everyone can contribute in different activities and initiatives that fulfil the cybersecurity experience. Today you can be a Threat hunter, tomorrow you can be part of the Security Research team, and the next day you can be part of the Purple Team. Having a diversified process inside the SOC helps your colleagues to improve themselves and never get bored. 

Fostering a culture of support and care

To be able to respond to security incidents properly, the main requirements are creative thinking, problem solving, and analysing and responding to complex and dynamic situations. All of these requirements can make the job of an Incident Responder and Cyber Security Analyst both challenging and fulfilling. Therefore, they need to stay up-to-date on the latest security threats and technologies, adapt to new risks and attack vectors, and continuously improve their skills and knowledge. How can they achieve all of this if they’re buried under tedious and repetitive tasks?

Looking at it from another perspective, a substantial part of the cybersecurity community sees humans as the weakest link in the chain. What we have discovered over time is the fact that people are the main target for cybercriminals. Dealing with people is not always easy, and dealing with stressed people is even harder. Taking care of your colleagues will translate into more accurate responses in the case of an incident. People need to know that you’re there to help them rather than pointing fingers when they fall victim to cyber attacks.

Agility in an SOC is achieved through continuous processes. Those processes need to improve three things: prevention, detection, and response. These three improvements require structured learning from the incidents we experience – especially attacker tactics, techniques, and procedures. But also future technologies like artificial intelligence and machine learning, and their potential impact – whether it’s positive or negative. 

What’s the best way to do that? I don’t have the answer. But, I firmly believe that the involvement and caretaking of people is a key aspect of generating the best incident responses.

Most popular

  • What is financial cybercrime and how to prevent it?

    What is financial cybercrime and how to prevent it?

    Financial cybercrime can affect companies of all sizes and in all sectors – as well as private individuals – and can have dramatic consequences. But what are the types of attacks motivated by financial gains and how can we prevent these attacks from succeeding?

  • Espen Johansen

    Get to know Espen, our Chief Security Officer

    Espen Johansen has been with us for ten years, both in sales and management roles, various security positions and as board member for several Visma companies. Read on to learn more about his thoughts on the road ahead as CSO.