The Security Operations Center – measuring the business benefits.
A Security Operations Center (SOC) is a central function within an organisation that uses people, processes, and technology to monitor and improve the organisation's security posture while detecting, analysing and responding to cyber incidents.
At some stage in your SOC journey, you will be required to demonstrate the business benefits of the investment in your SOC. Depending on your organisation, this may be at the start of the programme or at any point during the life of the SOC.
To measure the efficacy of a SOC, certain prerequisites must exist. Ensure that these are in place first; without them, your SOC programme is dead in the water.
Prerequisites include:
· Understood, well socialised workflow. The last thing needed during an incident is individuals or groups not knowing what to do.
· Clear, repeatable processes. This is crucial when third parties are involved.
· An established incident management process with KPIs. Without these, it’s impossible to measure performance and demonstrate improvements.
· Advertisement/socialisation of the SOC within your organisation, so people know what it does, and what it doesn’t do.
· A clearly defined RACI, so there is 100% clarity about who does what, and when. RACI stands for Responsible, Accountable, Consulted, Informed; each letter in the acronym represents a level of task responsibility.
· Governance! This is crucial to hold parties responsible for their performance. Establish a committee, review process and escalation plan.
Basic Metrics
You can’t manage what you don’t measure! An old saying, but a true one. Once the prerequisites have been established, measure the following:
· Compliance to handling times. For example, if your level 2 team has a one-hour handling time for a priority one incident, measure and report on how well they meet this metric.
· SLA attainment. For example, measure the actual time to resolve a priority one incident versus the SLA goal.
· First time resolution rates. A large percentage of incidents should be resolved by level one, ideally on the initial call.
· Noise reduction. Reduce events from thousands per day to an appropriate target of manageable, actionable security events.
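As an added example that is not part of the article, the four basic metrics above computed over a small constructed set of incident tickets in Python. The ticket fields, the per-priority handling and SLA targets, and the sample event counts are all assumptions chosen to illustrate the calculation, not figures from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class Incident:
    ident: str
    priority: int
    opened: datetime
    resolved: datetime
    first_contact_fix: bool                  # closed by level 1 on the initial call
    l2_escalated: Optional[datetime] = None  # handed from level 1 to level 2
    l2_started: Optional[datetime] = None    # level 2 actually began handling it

# Hypothetical targets per priority; the numbers are constructed, not the article's.
L2_HANDLING_TARGET = {1: timedelta(hours=1), 2: timedelta(hours=4)}
RESOLUTION_SLA = {1: timedelta(hours=4), 2: timedelta(hours=24)}

def _ratio(hits: int, total: int) -> Optional[float]:
    return None if total == 0 else hits / total  # None means "nothing to measure yet"

def handling_time_compliance(incidents: List[Incident], priority: int) -> Optional[float]:
    # Compliance to handling times: share of escalations level 2 picked up within target.
    esc = [i for i in incidents if i.priority == priority and i.l2_escalated and i.l2_started]
    return _ratio(sum(i.l2_started - i.l2_escalated <= L2_HANDLING_TARGET[priority] for i in esc), len(esc))

def sla_attainment(incidents: List[Incident], priority: int) -> Optional[float]:
    # SLA attainment: share of incidents resolved (opened -> resolved) within the SLA.
    sel = [i for i in incidents if i.priority == priority]
    return _ratio(sum(i.resolved - i.opened <= RESOLUTION_SLA[priority] for i in sel), len(sel))

def first_time_resolution_rate(incidents: List[Incident]) -> Optional[float]:
    # First time resolution: share of all incidents closed by level 1 on the initial call.
    return _ratio(sum(i.first_contact_fix for i in incidents), len(incidents))

def noise_reduction(raw_events: int, actionable_events: int) -> float:
    # Noise reduction: fraction of raw events filtered out before an analyst sees them.
    return 1.0 - actionable_events / raw_events

# Constructed sample tickets for one reporting day.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    Incident("INC-1", 1, T0, T0 + timedelta(hours=3), False,
             T0 + timedelta(minutes=20), T0 + timedelta(minutes=50)),  # handled in 30 min, SLA met
    Incident("INC-2", 1, T0, T0 + timedelta(hours=6), False,
             T0 + timedelta(minutes=30), T0 + timedelta(hours=2)),     # handled in 90 min, SLA missed
    Incident("INC-3", 2, T0, T0 + timedelta(minutes=15), True),        # fixed on the initial call
    Incident("INC-4", 2, T0, T0 + timedelta(hours=30), False),         # level 1, but over the 24h SLA
]
```

Each function returns a ratio between 0 and 1 (or None when there is nothing to measure), so the same four numbers can be reported per priority, per team, or per reporting period as the programme matures.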
Business Metrics
These metrics strive to demonstrate the business benefits of the SOC and include:
· Security - how effectively the SOC is protecting the various business units. This may be measured by looking at the reduction in threats over a period.
· Financial - the cost of a breach versus the cost of proactive protection.
These advanced metrics are the most difficult to establish, but they should be your ultimate goal during your SOC journey.