Recently, a cartoon circulated on LinkedIn that caught my eye. In the cartoon, two people struggle to move a cart with square wheels. A third person comes along offering round wheels, but is told “No thanks! We are too busy.”
Security operations is a stressful business. There is always more to do than there are resources available to do it. It’s too easy to get caught up in day-to-day activities and forget to come up for air. The tragedy in this is that, sometimes, we are too busy to see that the reason we get bogged down is that we need to adjust or improve our processes, approaches, methodologies, techniques, and/or technologies. Our industry is constantly evolving. Possibilities may exist today that did not exist even one or two years ago. A fresh perspective may provide insight into where and how efficiencies and improvements can be introduced.
I rarely come across a Security Operations Center (SOC) that isn’t struggling to keep up with its work queue. At the same time, I’ve never seen a SOC that wouldn’t benefit from taking a step back and assessing *why* it is overwhelmed. Are there any potential bottlenecks or inefficiencies that process or technology could address? Are there time-consuming tasks being performed that don’t provide much value? Are team members spending a disproportionate amount of time waiting for queries to return or otherwise fighting with the technology that’s supposed to be helping them?
In my view, a swamped SOC presents an opportunity -- a wake-up call. That is actually a good thing, provided the organization can seize the opportunity. Being overwhelmed indicates that it is a good use of time to take a step back, assess where time is being spent, evaluate the value of each of those activities, and determine if efficiencies can be introduced. The security operations community is a helpful one -- peer organizations and others in the industry are often more than willing to offer some suggestions and helpful advice. The question is more whether an organization and its leadership are self-aware enough to seek advice, receptive to feedback, and prepared to listen and learn. In my experience, it is helpful to learn from the successes -- and failures -- of others.
I am also reminded of another picture I’ve seen recently on LinkedIn that contains the quote “The most dangerous phrase in the language is ‘we’ve always done it this way’.” There is a lot of truth in that.