Most of the people in an organization work Monday through Friday, 8 a.m. to 5 p.m. Security Operations (SecOps) teams, however, are expected to ensure 24/7/365 business continuity, including the dreaded night shift. At the end of each shift, the handover typically consists of tossing a spreadsheet onto the table in a meeting room to cover the open events, passing the baton, then rinse and repeat.
The cybersecurity sector is facing a significant shortage of professionals. A recently published Cyber Security Workforce Survey by (ISC)² identified a shortfall of 2.8 million cybersecurity workers globally, with around 500,000 in the U.S. alone. The report also suggests that the tech workforce needs to expand by 145 percent internationally and by 62 percent in the U.S. if the industry wants to keep up with the growing requirements in the sector.
This large skills deficit is worrying for several reasons. One is that bad actors are becoming more advanced, and the attack surface that organizations are accountable for managing is only growing. The threat experts responsible for defending their organizations are overworked, understaffed, and at increased risk of burnout, which increases their organization's exposure to security incidents or even breaches.
Anyone who talks about cybersecurity skills gaps must also talk about talent shortages in the core urban areas where demand is extremely high. At the same time, remote work is worth considering precisely because removing the geographical constraint eases that shortage: anyone in the country can work for the organization, wherever they live. No longer being bound by geography could help an organization solve a wide range of recruiting challenges, including expertise, talent, and time zone coverage.
This modern way of operating, of course, is not without its obstacles. People have started realizing how used they were to walking around the office and interacting with their colleagues, and they can't do that on Zoom. An organization needs to work out how to collaborate and document project progress in a clear, repeatable manner with a single source of truth. It just needs to find a platform or project management system that fits the particular needs of the company.
Automating the path to a remote SOC:
Step back to the on-site SOC, where two analysts sit next to each other: when one gets up, the other knows to keep an eye on things. The situation differs in a remote SOC, where analysts are not seated side by side and may not know whether anyone is looking at their screen. A single second in which no one is paying attention can be a critical moment of weakness for the company. The best solution at our fingertips is automation.
Security automation systems collect alerts and carry out the first phase of the organization's Incident Response Plan (IRP) regardless of who is watching. When the first five steps have been followed and, two minutes later, nobody has picked the case up, other mechanisms are in place that bring it to the SOC's attention. There's a safety valve in there.
It's not too difficult to achieve this backstop. Here's an example of how a company could do it:
• Check the IRP.
• Ensure escalation procedures are in place for unattended inquiries and incidents, with clear indicators, deadlines, and responsibilities.
• Prioritize events and alerts by inactivity/age and criticality.
• Install management alerts for when target remediation times are missed.
As a company becomes more advanced with its automation solution, it can:
• Give leadership rapid visibility into aggregate metrics so that problems are recognized, acted on, and resolved quickly.
• Add individual context to inquiries (analyst notes, event metadata, actions taken, and so on).
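The backstop described in the two lists above can be reduced to a few rules over an alert queue: order open alerts by criticality and then by how long nobody has touched them, flag alerts that no analyst has acknowledged, raise a management alert when a remediation target is missed, and keep per-alert context for the shift handover. The following is an added illustration, not code from the article or any product it mentions. The remediation targets, the unattended threshold and the sample alerts are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Hypothetical per-criticality remediation targets, in minutes (assumed, not from the article).
REMEDIATION_TARGET_MIN = {"critical": 30, "high": 120, "medium": 480, "low": 1440}
# Hypothetical threshold after which an alert nobody has acknowledged is escalated.
UNATTENDED_AFTER_MIN = 15
CRITICALITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Alert:
    alert_id: str
    criticality: str
    created_at: datetime
    owner: Optional[str] = None              # analyst who acknowledged it; None means unattended
    last_activity: Optional[datetime] = None  # last time anyone touched the case
    resolved: bool = False
    context: List[str] = field(default_factory=list)  # analyst notes, actions taken, metadata

    def age_minutes(self, now: datetime) -> float:
        return (now - self.created_at).total_seconds() / 60

    def inactivity_minutes(self, now: datetime) -> float:
        last = self.last_activity or self.created_at
        return (now - last).total_seconds() / 60


def add_context(alert: Alert, analyst: str, note: str, when: datetime) -> None:
    """Record a timestamped analyst note and count it as activity on the case."""
    alert.context.append(f"{when.isoformat()} {analyst}: {note}")
    alert.last_activity = when


def prioritize(alerts: List[Alert], now: datetime) -> List[Alert]:
    """Open alerts, most urgent first: criticality, then longest inactivity, then oldest."""
    open_alerts = [a for a in alerts if not a.resolved]
    return sorted(
        open_alerts,
        key=lambda a: (CRITICALITY_RANK[a.criticality],
                       -a.inactivity_minutes(now),
                       -a.age_minutes(now)),
    )


def escalations(alerts: List[Alert], now: datetime) -> Tuple[List[str], List[str]]:
    """Return (unattended, overdue).

    unattended: open alerts nobody has acknowledged within UNATTENDED_AFTER_MIN.
    overdue:    open alerts older than their criticality's remediation target
                (these are the ones that should trigger a management alert).
    """
    unattended, overdue = [], []
    for a in alerts:
        if a.resolved:
            continue
        if a.owner is None and a.age_minutes(now) >= UNATTENDED_AFTER_MIN:
            unattended.append(a.alert_id)
        if a.age_minutes(now) > REMEDIATION_TARGET_MIN[a.criticality]:
            overdue.append(a.alert_id)
    return unattended, overdue


def shift_handover(alerts: List[Alert], now: datetime) -> List[str]:
    """One line per open alert, in priority order, with its context; this replaces the spreadsheet."""
    lines = []
    for a in prioritize(alerts, now):
        owner = a.owner or "UNASSIGNED"
        lines.append(f"{a.alert_id} [{a.criticality}] owner={owner} "
                     f"age={a.age_minutes(now):.0f}m idle={a.inactivity_minutes(now):.0f}m "
                     f"notes={len(a.context)}")
    return lines


# Constructed sample queue at 02:00 on a night shift.
NOW = datetime(2021, 3, 1, 2, 0)


def build_sample_alerts() -> List[Alert]:
    m = lambda n: NOW - timedelta(minutes=n)
    a1 = Alert("A1", "critical", created_at=m(40), owner="ana")
    add_context(a1, "ana", "isolated host, awaiting disk image", m(30))
    a2 = Alert("A2", "high", created_at=m(20))               # nobody has picked it up
    a3 = Alert("A3", "medium", created_at=m(120), owner="bob")
    add_context(a3, "bob", "false positive suspected, verifying", m(5))
    a4 = Alert("A4", "low", created_at=m(10))                # new, still within the unattended window
    a5 = Alert("A5", "high", created_at=m(200), owner="ana", resolved=True)
    a6 = Alert("A6", "high", created_at=m(60), owner="cara")
    add_context(a6, "cara", "blocked sender domain", m(55))
    return [a1, a2, a3, a4, a5, a6]


if __name__ == "__main__":
    queue = build_sample_alerts()
    print("\n".join(shift_handover(queue, NOW)))
    print("escalations (unattended, overdue):", escalations(queue, NOW))
```

With the constructed queue, A2 is reported as unattended (20 minutes with no owner) and A1 as overdue (a critical alert 40 minutes old against a 30-minute target), while A6 sorts ahead of A2 within the "high" band because it has been idle longer. The three checks are deliberately independent of who is logged in, which is the point of the safety valve in a remote SOC.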
Remote work in the COVID era isn't simple for anyone, but it has shown us that it's possible to run a SOC this way. Perhaps we should make the change permanent. Perhaps now is the time to dedicate time and effort to this framework and strengthen the security talent pool outside the regular high-demand areas.