Technology evolves, but culture sustains success


At Cybercon I presented with Phillimon Zongo on three themes related to Security Operations Leadership —resilience, evolution, and emerging technology.

Resilience guides the building of systems and strategies that not only defend against cyberattacks but bounce back stronger after incidents. Resilience isn’t just about tools; it’s about people, culture, and prioritizing actions with high impact and low effort.


Photo credit: Magnetic Shots

Evolution

Security Operations must adapt to meet the demands of today’s industrialized attacker economy. From human-operated ransomware and avalanche attacks on identity to cloud-based DDoS attacks, response demands agility, collaboration, and innovation.

In the mid-1990s, traditional Network Operations Centers (NOCs) focused primarily on incident detection and response, with network availability as the main objective. Their key responsibilities included managing network devices and monitoring performance. Early Security Operations Centers (SOCs) were initially implemented for government and defense organizations to handle virus alerts, detect intrusions, and respond to incidents.

After 2000, large enterprises and banks began adopting similar monitoring operations. The Information Security Management Standard, released in 2005, added compliance to SOC objectives, and new tools like dynamic packet filtering firewalls and intrusion prevention were introduced.

The years 2007 to 2013 were the 'golden era' for SOCs: they evolved significantly with the introduction of key security solutions such as Data Leakage Prevention (DLP) and Security Information and Event Management (SIEM). This period also saw a significant increase in advanced persistent threats (APTs), making SOCs crucial for detecting and preventing these threats. Managed Security Service Providers (MSSPs) emerged, offering shared security services initially to large enterprises and later to smaller organizations.

The evolution of SOCs continued with the introduction of next-generation SIEM and User and Entity Behavior Analytics (UEBA), which use machine learning to reduce false positives and improve security monitoring.

By 2015, threat intelligence platforms and cloud security solutions became integral to SOCs, expanding their responsibilities to include cloud monitoring and sophisticated threat detection. Modern SOCs evolved into hybrid models, integrating automation and advanced threat hunting, and new names like Cyber Defense Center (CDC) and Cyber Fusion Center (CFC) emerged.

Looking ahead, more than 50% of SOCs are expected to embrace automated threat hunting and incident response capabilities.

Cyber Defence teams now provide comprehensive services, including:

  • Security event monitoring, detection, investigation and triage; malware analysis, reverse engineering and digital forensics; insider threat and cyber fraud
  • Threat intelligence platform management
  • Threat hunting
  • Threat and vulnerability management
  • Identity and access governance

Emerging Tech

The future security organisation will be powered by Gen AI and automation capabilities. Prompt books will guide workflow. Gen AI will provide summarisation capabilities that assist with incident reporting, advanced threat hunting and malicious code analysis.

AI capabilities will be extended to protect identities, endpoints and digital assets, remediate threats and automate operations. Recently Microsoft published the Microsoft Digital Defence Report 2024, which shows the importance of Gen AI integration for impact.


Source: Microsoft Digital Defence Report

The image above, the "Hierarchy of Cybersecurity Needs," outlines a structured approach to building robust security operations by emphasizing foundational needs first and layering advanced capabilities on top.

At the core of this hierarchy is the integration of Generative AI and a healthy security culture, representing a strategic vision for modernizing security operations. The foundation of this hierarchy is protecting identities. Security Operations Centers (SOCs) must prioritize identity security by monitoring and responding to anomalous login activities, using tools like multi-factor authentication (MFA) and privileged access management (PAM). Generative AI can analyze vast login datasets to detect suspicious patterns in real-time.
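The identity layer above is the one a SOC can start measuring immediately, because sign-in logs are already centralised. As an added example (not code from the article, the SOCTOM whitepaper or Microsoft), the script below runs three simple detections over a constructed set of sign-in events: a success that follows a burst of failures for the same account and source, a sign-in from a country the user has never been seen in, and one source failing against many accounts. The event fields, thresholds and sample values are assumptions chosen for illustration; a real deployment would tune them against the organisation's own baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry). Fields mimic what a SOC
# normalises out of an identity provider's sign-in log:
# (user, UTC timestamp, source IP, geo country, outcome)
SAMPLE_EVENTS = [
    ("alice", "2024-11-20T08:00:00", "203.0.113.5",  "AU", "success"),
    ("alice", "2024-11-20T08:30:00", "203.0.113.5",  "AU", "success"),
    ("alice", "2024-11-20T09:05:00", "198.51.100.7", "RO", "success"),  # new country for alice
    ("bob",   "2024-11-20T10:00:00", "192.0.2.9",    "AU", "failure"),
    ("bob",   "2024-11-20T10:00:20", "192.0.2.9",    "AU", "failure"),
    ("bob",   "2024-11-20T10:00:40", "192.0.2.9",    "AU", "failure"),
    ("bob",   "2024-11-20T10:01:00", "192.0.2.9",    "AU", "failure"),
    ("bob",   "2024-11-20T10:01:20", "192.0.2.9",    "AU", "failure"),
    ("bob",   "2024-11-20T10:01:45", "192.0.2.9",    "AU", "success"),  # success after a failure burst
    ("carol", "2024-11-20T11:00:00", "192.0.2.44",   "AU", "failure"),
    ("dave",  "2024-11-20T11:00:05", "192.0.2.44",   "AU", "failure"),
    ("erin",  "2024-11-20T11:00:10", "192.0.2.44",   "AU", "failure"),
    ("frank", "2024-11-20T11:00:15", "192.0.2.44",   "AU", "failure"),  # one source, many accounts
]

# Assumed thresholds; tune against the organisation's own sign-in baseline.
FAIL_BURST = 5                      # failures within FAIL_WINDOW before a success
FAIL_WINDOW = timedelta(minutes=5)
SPRAY_MIN_USERS = 4                 # distinct accounts failing from one source
SPRAY_WINDOW = timedelta(minutes=10)


def parse(events):
    """Turn the raw tuples into dicts with real timestamps, oldest first."""
    return [
        {"user": u, "ts": datetime.fromisoformat(ts), "ip": ip, "country": c, "result": r}
        for u, ts, ip, c, r in sorted(events, key=lambda e: e[1])
    ]


def detect_login_anomalies(raw_events):
    """Return a list of (rule, subject, detail) alerts for analyst triage."""
    alerts = []
    seen_countries = defaultdict(set)      # per-user baseline of countries seen so far
    recent_failures = defaultdict(deque)   # (user, ip) -> timestamps of recent failures
    failures_by_ip = defaultdict(deque)    # ip -> (timestamp, user) of recent failures
    sprayed_ips = set()                    # alert once per source, not once per failure

    for ev in parse(raw_events):
        key = (ev["user"], ev["ip"])
        if ev["result"] == "failure":
            recent_failures[key].append(ev["ts"])
            while ev["ts"] - recent_failures[key][0] > FAIL_WINDOW:
                recent_failures[key].popleft()
            q = failures_by_ip[ev["ip"]]
            q.append((ev["ts"], ev["user"]))
            while ev["ts"] - q[0][0] > SPRAY_WINDOW:
                q.popleft()
            users = {u for _, u in q}
            if len(users) >= SPRAY_MIN_USERS and ev["ip"] not in sprayed_ips:
                sprayed_ips.add(ev["ip"])
                alerts.append(("password_spray", ev["ip"],
                               f"{len(users)} accounts failed within {SPRAY_WINDOW}"))
            continue

        # Successful sign-in: was it preceded by a burst of failures from this source?
        fails = [t for t in recent_failures[key] if ev["ts"] - t <= FAIL_WINDOW]
        if len(fails) >= FAIL_BURST:
            alerts.append(("success_after_failure_burst", ev["user"],
                           f"{len(fails)} failures from {ev['ip']} before success"))
        recent_failures[key].clear()

        # Successful sign-in from a country this user has never used before.
        if seen_countries[ev["user"]] and ev["country"] not in seen_countries[ev["user"]]:
            alerts.append(("new_country_login", ev["user"],
                           f"first sign-in from {ev['country']} via {ev['ip']}"))
        seen_countries[ev["user"]].add(ev["country"])

    return alerts


if __name__ == "__main__":
    for rule, subject, detail in detect_login_anomalies(SAMPLE_EVENTS):
        print(f"{rule:28s} {subject:14s} {detail}")
```

Each alert here is a triage lead rather than a verdict: the new-country rule in particular needs an enrichment step (known travel, VPN egress, MFA outcome) before an analyst acts on it, which is exactly the kind of context-gathering the article expects Gen AI to speed up.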

The next step is protecting endpoints, including PCs, mobile devices, network equipment, and operational technology, with Endpoint Detection and Response (EDR) tools playing a significant role. AI-driven tools enhance endpoint security by automating malware detection, isolating compromised devices, and providing rapid remediation actions.

Securing digital assets, such as sensitive data and proprietary code, is essential for maintaining integrity and availability. SOCs monitor data flows, enforce access controls, and deploy encryption mechanisms, while AI automates the detection of data exfiltration attempts and provides insights into anomalous data movements.
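The "anomalous data movement" signal mentioned above is usually a deviation from a per-user baseline rather than a single bad event. As an added example (not code from the article or any of its sources), the script below builds a constructed two-week baseline of daily outbound transfer volume per user, then flags a later day whose total is far outside that baseline and a large transfer to a destination the user has never sent data to. The record format, the statistical threshold and the minimum-bytes floor are assumptions; the floor exists so that a statistically unusual but tiny transfer does not page anyone.

```python
from collections import defaultdict
from statistics import mean, pstdev

MB = 1024 * 1024
BASELINE_DAYS = 14        # assumed: first two weeks of data define "normal"
Z_THRESHOLD = 3.0         # assumed: standard deviations above the mean to alert on
MIN_BYTES = 200 * MB      # assumed: ignore small transfers even if statistically unusual


def constructed_records():
    """Return a constructed (not real) list of (user, day, destination, bytes) summaries."""
    records = []
    # Two weeks of ordinary activity; values vary a little so the baseline has a
    # non-zero standard deviation.
    alice_baseline = [48, 52, 50, 47, 53, 49, 51, 50, 46, 54, 50, 49, 52, 48]
    bob_baseline = [80, 78, 82, 85, 79, 81, 83, 80, 77, 84, 80, 82, 79, 81]
    for day in range(1, BASELINE_DAYS + 1):
        records.append(("alice", day, "corp-fileshare.internal", alice_baseline[day - 1] * MB))
        records.append(("bob", day, "corp-fileshare.internal", bob_baseline[day - 1] * MB))
    # Day 15: bob looks normal; alice pushes 2.5 GB to a destination never seen before.
    records.append(("bob", 15, "corp-fileshare.internal", 83 * MB))
    records.append(("alice", 15, "drop.example-storage.test", 2500 * MB))
    return records


def detect_exfil_anomalies(records):
    """Return (rule, user, day, detail) alerts for days after the baseline window."""
    per_user_day = defaultdict(lambda: defaultdict(int))   # user -> day -> total bytes
    baseline_dests = defaultdict(set)                       # user -> destinations seen in baseline
    for user, day, dest, nbytes in records:
        per_user_day[user][day] += nbytes
        if day <= BASELINE_DAYS:
            baseline_dests[user].add(dest)

    alerts = []
    for user, days in per_user_day.items():
        base = [days[d] for d in sorted(days) if d <= BASELINE_DAYS]
        if len(base) < 7:
            continue  # not enough history to call anything anomalous
        mu, sigma = mean(base), pstdev(base)
        for d in sorted(days):
            if d <= BASELINE_DAYS:
                continue
            total = days[d]
            if sigma == 0:
                z = float("inf") if total > mu else 0.0
            else:
                z = (total - mu) / sigma
            if total >= MIN_BYTES and z >= Z_THRESHOLD:
                alerts.append(("volume_spike", user, d, f"{total // MB} MB, z={z:.0f}"))

    # A large transfer to a destination this user never used during the baseline.
    for user, day, dest, nbytes in records:
        if day > BASELINE_DAYS and nbytes >= MIN_BYTES and dest not in baseline_dests[user]:
            alerts.append(("new_destination", user, day, dest))
    return alerts


if __name__ == "__main__":
    for alert in detect_exfil_anomalies(constructed_records()):
        print(alert)
```

Both rules fire for alice on day 15 and neither fires for bob; in a SIEM the two would normally be correlated into a single case, since a volume spike to a brand-new destination is far more actionable than either signal alone.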

Detecting and remediating threats in real-time is crucial, with centralized threat detection systems like SIEM and SOAR being vital. Generative AI enhances detection accuracy, reduces false positives, and accelerates threat response.

At the top of the hierarchy is the automation of security operations, leveraging insights from all layers to build a proactive, scalable security posture. AI tools automate repetitive tasks, freeing up analysts for higher-value work. Generative AI can also create reports, draft recommendations, and simulate attack scenarios to improve preparedness.

Integrating Generative AI across all levels of the hierarchy augments human capabilities and accelerates response times, while a healthy security culture ensures sustained organizational security. This layered, strategic approach balances people, processes, and technology to build resilience across the organization.

Cyber Defence requires a holistic approach built on 3 pillars: Align, Invest and Measure.


Source: SOCTOM Whitepaper

Align: The First Pillar

Governance: Ensuring all security operations adhere to organizational objectives and industry standards is crucial. Governance provides the framework within which the SOC operates, ensuring that every action taken aligns with the broader goals of the organization.

Policy: Defining the rules and protocols that guide operations and decision-making is essential. Policies ensure consistency and clarity, helping SOC teams navigate complex security landscapes with confidence.

Business Drivers: Aligning SOC activities with broader organizational goals ensures that security is not just a cost center but a value enabler. By understanding and supporting business drivers, the SOC can contribute to the overall success of the organization.

Alignment ensures that the SOC operates within a structured environment, bridging security objectives with business priorities.

Invest: The Second Pillar

Security is a journey, not a destination. It requires continuous investment in three key areas:

People: Hiring, training, and empowering cybersecurity professionals is fundamental. Skilled and motivated individuals are the backbone of any effective SOC.

Process: Developing repeatable, scalable workflows for effective threat detection and response is critical. Well-defined processes ensure that the SOC can operate efficiently and respond to threats swiftly.

Technology: Deploying advanced tools to enhance visibility, detection, and automation within the SOC is necessary. However, as Jay Davey, Global Security Operations Centre Lead at Marks and Spencer, points out, “Technology is there to be a solution to a problem, but most of the problems are being caused by poor processes or people lacking the skills to adopt that technology.”

Investment is about allocating resources where they have the most impact. It’s not just about technology; it’s about ensuring that people and processes are equally prioritized.

Measure: The Third Pillar

Continuous improvement is achieved through:

Governance: Monitoring how SOC operations align with compliance and performance benchmarks ensures that the SOC remains effective and compliant with industry standards.

Use Cases: Defining and assessing specific scenarios the SOC is prepared to handle helps in understanding the SOC's capabilities and readiness.

Reporting: Evaluating metrics and outcomes to gauge SOC efficacy and inform stakeholders is vital. Transparent reporting provides insights into the SOC's performance and areas for improvement.

Measurement is crucial to understanding where we are today and where we need to go tomorrow. Without it, we can’t drive meaningful improvements.


Photo Credit: Magnetic Shots

The Missing Glue: Culture

While these three pillars are essential, the glue that binds them together is culture.

A strong culture fosters collaboration, trust, and innovation. It ensures that alignment is purpose-driven, investments are utilized effectively, and measurements lead to action. "Culture is the invisible force that ensures alignment is not just compliance-driven but purpose-driven. It ensures that investments in people, process, and technology are maximized and that measurements lead to meaningful action. Without a strong culture of collaboration, trust, and continuous learning, these pillars can’t deliver their full potential."

Why Culture Matters in SOC

Align Needs Culture to Thrive: A strong culture unites organizational goals with the SOC mission, embedding security into everyday operations.

Invest Needs Culture to Stick: A supportive culture fosters openness to change, reducing resistance to new tools and systems.

Measure Needs Culture for Action: Culture encourages honest measurement and reporting, not just metrics that "look good." It promotes accountability, where teams feel safe owning mistakes and improving, ensuring continuous feedback loops are actionable.

Without culture:

  • Alignment becomes compliance-heavy and transactional.
  • Investment risks becoming ineffective or underutilized.
  • Measurement lacks the honesty and motivation to lead to meaningful change.


Photo Credit: Magnetic Shots

Culture creates the "human element" necessary for the success of any SOC initiative. Building a culture of trust, inclusion, psychological safety, and continuous improvement is essential to maximize the impact of the SOC framework.

References:

  • SOCTOM Whitepaper (soctom whitepaper.pdf)
  • Microsoft Digital Defence Report 2024
  • Photo credits: Magnetic Shots
