Security looks different for every startup.
This is where the security operations centre (SOC) manager comes in. The focus of an SOC manager is broad risk mitigation: ensuring regulatory and legal compliance, controlling business-essential risks such as encryption or personally identifiable information (PII) protection, and balancing taking action to lower risk with both company risk tolerance and available resources.
At the earliest stages, it might just be one person managing the “centre” with a part-time focus. As a startup grows, it may need to have one dedicated person or a small team, depending on industry variables, compliance laws or regulations, and if it needs to communicate security risks to customers as part of the sales process.
Whether as a single person focusing part-time or an entire team unto itself, security operations are critical to identifying the most efficient ways to keep an organization secure. Speaking with BetaKit, John O’Brien, Security Leader – Customer Success at Microsoft Canada, explained the five things every SOC manager needs to know.
1. Know what’s ‘enough’ for your organization
Having a person focused on security – or even a whole security team – doesn’t guarantee protection from all attacks. Instead, SOC managers need to understand that the goal outcome of their work is more security and risk reduction versus getting to an impossible state of being fully secure.
That’s where the concept of ‘enough’ comes in. It represents an understanding of your organization’s true and practical security needs and building a strategy from there.
O’Brien recommended starting with identifying key risks—the things that would debilitate the business if harmed or taken. All planning should start with key risks to ensure they are covered. Beyond that, design an ‘enough’ benchmark, in collaboration with business leaders, based on regulations, laws, business goals, and available resources.
2. Only two metrics matter
O’Brien said that security metrics can differ from organization to organization, but two remain constant:
- Mean time to acknowledge: the average time it takes for the security team or person to acknowledge an alert.
- Mean time to remediate: the average time it takes for them to fix the issue.
O’Brien emphasized time to acknowledge because it’s a guidepost for how the team is doing overall, and provides signals about whether the team needs more resources or needs to reprioritize efforts.
“As time to acknowledge increases, it probably means they are getting drowned with alerts and there’s a problem,” he said.
Further, O’Brien said that mean time to remediate is critical because the longer it takes to fix a problem, the more time an adversary can run amok and cause damage. This metric can also be a signal to leadership that if someone is responding quickly but takes a long time to remediate, they likely need more resources or to develop a plan for stronger initial defenses.
3. Avoid the “cult of no”
Security teams are often labelled as the people who say no to every request in the name of keeping things secure, something O’Brien called “the cult of no.”
He said it’s critical for security teams to avoid being in this “cult of no” because the job of security is to make people aware of the risks associated with certain actions, not necessarily to stop them from taking those actions. It’s also critical for startups to engage in blameless post-mortems focused on security needs, not getting mad that something happened. O’Brien talked about blameless post-mortems in a recent BetaKit Live, saying that good security culture is prescriptive to help people solve problems rather than find scapegoats.
In the end, O’Brien said an SOC manager’s role is to make sure “everybody’s working from the same song sheet.”
4. It’s your job to articulate the value of security
O’Brien said that many SOC managers default to the fear-inducing elements of security: they talk about big, scary, complex risks and suggest people should simply trust the team’s recommendations.
He said this approach stems from the fact that the security person (or team) rarely has to accept the risk of a decision, as that’s on business leaders. However, O’Brien added that this should mean security teams have to talk about the risk openly so people can understand what they are taking on.
“There’s a misconception that security cannot be articulated clearly,” he said.
Specifically, O’Brien noted that a good SOC manager needs to articulate the value an organization gets from a risk reduction. This starts by understanding the organization’s security context, and can be turned into a value statement by explaining the costs of non-compliance, the potential issues avoided with a focus on security, and the lost revenues or reputation that a breach could cause.
This is a similar message shared with BetaKit by Kevin Magee, Microsoft Canada’s Chief Security Officer. Magee said hackers now think like innovative startups – with full customer service arms and tools to help them – so security leaders and founders need to think about security as a business line with real value (monetary and otherwise) attached.
5. You can’t outsource focus
Depending on company size and industry focus, it may not be a good idea to have a large in-house team. This is when outsourcing can be beneficial. There’s still a cost, but you don’t need to worry as much about employee management.
O’Brien offered two pieces of advice for startup leaders considering the outsourcing route:
Don’t reinvent the wheel: O’Brien said some startup leaders get concerned about building everything custom for their business. However, many third parties have best practices and existing processes your team can quickly leverage.
“Automation is the key to happiness,” said O’Brien.
Don’t ostracize your third-party team: an outsourced team may not be on payroll but you still have to treat them like team members.
O’Brien said this is because external and internal resources all have to work together toward your security goals. If you treat them as an ‘other,’ you won’t get the same value as you would with a collaborative approach.
Constraints breed creativity
On top of job-specific advice, O’Brien also said that SOC managers don’t need to be afraid of constraints. Asking your team (or yourself) to operate within budgets or specific priorities is valuable, as constraints help focus actions and breed creativity to solve problems. He added, though, that constraints need to be respectful of the magnitude of the request so SOC managers can still do their job.
“The security industry is a mix of creativity and constraints, both from a hacking perspective and from a defensive perspective,” said O’Brien.
Photo courtesy of Unsplash.