
Embracing the Virtual SOC

Five new-normal best practices for cybersecurity success

– Contributed by Secureworks

Atlanta, Ga. – Jan. 14, 2022

The Security Operations Center (SOC) has gone virtual. Reason number one for this is, of course, the pandemic. At least that was the initial reason that we had our security staffs — like so many of our other people — working from home.

But the experience of working away from the office over the course of many months has led security professionals — again, along with everybody else — to question the necessity of coming into the office at all. So, what do we do now?

The good news

Before diving into the best practices we should all consider adopting to ensure that our virtual SOCs perform at the highest possible level, let's make sure we understand the present situation.

Working from home is the new normal. If you manage a cybersecurity team, you should realize that the virtual SOC is unlikely to be a temporary measure that gets us through the pandemic. It isn't. It's the way work is going to be done in the future. And, frankly, it's been a long time coming. The pandemic will be remembered for generations as a terrible experience, but it has also been a tipping point for the business culture of telework.

Mentally, let’s set aside all that the pandemic has meant and caused and focus on this: the virtual SOC as a problem to solve. In fact, let’s think of it as an opportunity. Consider, for example, that:

  • Given how difficult it is to find, hire, and retain cybersecurity talent in a labor market niche where organizational demand outstrips human supply by an order of magnitude, the virtual SOC dramatically expands your pool of potential hires.
  • Security is a 24x7x365 activity. So it's no bad thing if your team is spread across multiple time zones, because follow-the-sun coverage becomes easier to staff.
  • Studies suggest that working from home makes many people more productive. It's simply more comfortable to spend long hours concentrating on tough tasks at your computer if you can grab leftovers from the fridge, pet your cat, or exercise a little and get right back to work. Plus, contrary to popular memes, there are typically fewer distractions in a room at home with a closed door than there are in a busy office.
  • The virtual SOC can contribute to the overall cost savings your organization achieves by reducing the amount of office space it leases.

Yes, there are issues you need to address when your team is no longer routinely gathered in the same physical location for 50+ hours per week. This article suggests five best practices for attacking those issues.


Making the virtual viable

1. Up your collaboration game. With your team physically dispersed, you'll have to get more serious about how you share information, broker tasks, escalate issues, and keep workflows on track.

This is a good thing, because many of us rely too much on our people being in physical proximity to each other. The result is often insufficient collaborative and process rigor.

With the right collaboration and automation tools, your workflows can become even more consistent and systematized than they were when you were working together in person. It is particularly important that you properly automate task brokerage (the assignment and hand-off of alerts, cases, and investigation steps), since you want everyone on the team to be able to see quickly what they need to do next, without requiring a lot of supervision.

2. Rethink onboarding. While virtual SOCs make it easier to grow your team’s numbers, it can be tough to get a new person up to speed when they’re not working side-by-side with their more experienced peers. It’s time to rethink your approach to onboarding.

That new approach may entail a more intensive period of orientation on-site with a mentor who will also have to spend more days than usual on-site — and devote more of their time over the period to training the new hire.

You may also need to formalize more of your SOC's documentation in writing (policies, processes, tools, runbooks, and so on), which will force you to think about onboarding in a more disciplined, less ad hoc way.

3. Get more intentional about upskilling. As with onboarding, upskilling your people over time can be a challenge without shoulder-to-shoulder work. So here too you will probably need to devote more resources to continuing education. That continuing education may include formal in-person and/or online courses, attendance at trade shows and seminars, on-site mentoring sessions, required reading, and the like. It's obviously important to reward remote staff for the extra effort they will now have to invest in their own upskilling, whether you do so through compensation, advancement up the org chart, personal rewards, gamification, or some other means.

4. Wolf pack vs. lone wolves. For your SOC to function to its full potential, esprit de corps is a must. Metaphorically, SOC teams resemble military units. They fight together against a common enemy. They’re motivated to give 100 percent because they’re not only defending their organization’s infrastructure, they’re defending their collective pride in being really good at what they do.

Transforming lone wolves into a wolf pack was difficult enough under traditional working circumstances. Under today's new normal, it can be even more challenging. That's why SOC managers will have to be more diligent and creative about building a strong sense of team identity. Again, there are lots of ways to do this: regular on-site meetings and videoconferences, off-site team-building retreats, the occasional low-pressure group activity. And, again, it may turn out to be a good thing that managers are forced to engage in this kind of team building intentionally rather than just relying on a shared workspace.

5. Thoughtful T&E budgeting. In the past, SOC leaders didn't have to think much about travel and expense (T&E) budgets. Now they will. When your team is far-flung geographically, you will spend more money to bring people periodically into headquarters, and you have to be smarter about how you spend it.

Of course, it has always been difficult for security to get the funding it needs. But you really have to push for the extra money you're going to need to keep your virtual SOC operational and culturally united. And given that you won't get as much as you ask for, you're going to have to be smart about how you allocate what you do get.

Here at Secureworks, we're dealing with the virtual SOC in two ways. First is the virtual nature of our own operations, since we've been as affected by the pandemic as anyone. In fact, the five best practices above are in large part the result of our own experience, as well as insights we've gleaned from our numerous partners and clients.

Second is in our support of our operational relationships with our clients. As the nature of your SOC changes, so must the way we at Secureworks serve you. So, we’re paying close attention to how your geographically dispersed teams work with each other and with us.

And, of course, we’re directly participating in our clients’ virtual SOC models — because a large part of our value proposition is to function seamlessly as an extension of your virtual SOC, delivering the information, services, and support you need, when you need them, so we can collaboratively protect your organization and fight our common adversaries at scale.

No SOC has ever been 100 percent physical or 100 percent virtual. Even in the old normal, we often needed to work remotely in a pinch. And even under the new normal, we're still going to assemble in the office whenever it makes sense for us to do so. It's just that we'll do much more of the former and much less of the latter. Let's come to terms with that now. Make your next move by reviewing our five best practices and working out what they mean for you as a series of next steps.

Secureworks is here to help — not just as your trusted partner, but as a fellow voyager on this journey. Learn more about the impact digital transformation has on cybersecurity and how you can keep your digital business protected.

Joe Strathmann, VP of Global Operations; Ken Deitz, Chief Information Security Officer; and Radu Leonte, Senior Director, Advanced Security Analysis & Response at Secureworks

About Secureworks

Secureworks is 100 percent focused on cybersecurity. In fact, it’s all we do. For nearly two decades, we’ve committed to fighting the adversaries in all their forms and ensuring that organizations like yours are protected.

Secureworks® Taegis™, a cloud-native security analytics platform built on 20+ years of real-world threat intelligence and research, improves your ability to detect advanced threats, streamline and collaborate on investigations, and automate the right actions.