SOC it to Them – But make sure the fundamentals are in place first

Many organisations are cottoning on to the benefits of a Security Operations Center (SOC) when it comes to achieving effective enterprise-wide security monitoring, incident detection and response. Implementing a SOC is increasingly seen as a business imperative by large organisations: a way to minimise the impact of an incident and return to ‘normal’ business operations quickly afterwards. Consequently, a SOC is likely to feature as a priority on many a CISO’s annual budget.

Whilst the technologies and services that are currently available to support SOC implementations can be highly impressive, the underlying requirements that sit at their core aren’t particularly new. Amongst others, these include the need to:

  • understand potential cyber-related threats
  • keep systems patched and up-to-date
  • identify when systems have been compromised and respond quickly
  • implement effective incident reporting
  • learn from incidents when they do happen.

But here’s a word of warning: if you don’t already have a reasonable level of maturity in these activities, you’ll be taking a risk by rushing headlong into implementing a SOC. If something goes awry with any component of your SOC, you’ll have very little to draw on by way of fallback arrangements.

Without good planning, you’ll also potentially over-design (and, by implication, over-invest in) your SOC capability, as you’ll have little by way of a reference point when baselining your requirements. And then, of course, there’s your risk profile. If you don’t fully understand the relative criticality of your information systems and the potential disruption or damage to the business should they be compromised – and then reflect this in detailed and structured scoping and planning – you risk incurring significant cost in the wrong places, or leaving valuable elements of your business exposed.

A well-planned SOC provides a hub where the activities outlined above can be brought together so that they are implemented consistently enterprise-wide – and managed quickly through a single, concentrated capability. For organisations that do have the fundamentals in place, this can be highly compelling, both in terms of enhancing the organisation’s cyber defence capability and delivering cost benefits. Highlighting the need for a SOC to top management can also be a useful way of addressing – in one fell swoop – a group of activities that traditionally fall short in cybersecurity assessments and audits.

So, while a SOC is not a cure for all ills, it can significantly speed up your organisation’s cyber response capability and deliver resourcing efficiencies – whilst potentially simplifying your reporting to the board. Just make sure that all this is underpinned by a strong cybersecurity culture and a high level of baseline security discipline first. In addition to the incident-handling activities outlined above, these should include:

  • a risk-based cybersecurity governance approach that’s driven from the top (and not merely paid lip service to)
  • a comprehensive approach to information risk assessment that results in pragmatic decision-making
  • a fit-for-purpose third party assurance approach
  • effective security awareness that puts human behaviour at its centre.

If supported by strong cybersecurity practices across the board, a well-implemented SOC can supercharge your ability to respond to cyber incidents consistently, effectively and fast.

About the author

Simon Rycroft
Co-Founder, CRMG
simon.rycroft@crmg-consult.com