When speaking to clients about their security operations centers (SOCs), one word inevitably makes its way into the conversation: convergence. They want to know if they should merge their security operations—typically that of cyber and physical—so that they live under a single, unified security function.
I’m always eager to have such conversations because the SOC of the future is converged. Organizations with best-in-class SOCs have already gone down the path of integration. And now many security and risk leaders find themselves having to respond to the call for convergence—one that has become louder due to risks exposed by the COVID-19 pandemic and the adoption of Internet of Things (IoT) devices.
While these leaders have made ad-hoc adjustments to recalibrate to the new normal, the underlying issue remains: How to better identify, mitigate and respond to risks across multiple security operations when the surface area of those risks is larger and continuously expanding.
Converged SOCs can absolutely solve these challenges, but to do so successfully requires an integration strategy that takes into account three key areas: people, process, and technology. Below, I explore what this means for those building SOCs of the future, including best practices for security and risk leaders to adopt.
A SOC’s greatest asset is its people. Those most skilled know how to use technology to effectively augment what they do and how they do it. The rise in cyber risk and the increasingly blurred lines between cyber and physical threats—whereby attacks that originate in the cyber domain become real and significant risks in the physical domain—have created a need for security teams with more diversified backgrounds and technical expertise.
Security and risk roles often attract those with backgrounds in international relations, geopolitics, the military, or law enforcement. When building a team for a converged SOC, consider how you can build a truly diverse team, where members have different types of experiences and ways of thinking.
Ask yourself: How can I build a team that both understands and confidently engages with the full organization? How can I use the converged SOC model to remove silos and add more value to the business?
Consider tapping into non-traditional security talent pools, including those from supply chain; environmental, social and governance (ESG); brand and reputation; crisis management; government affairs; and third-party risk teams. Ensuring you have a mix of skills and backgrounds to better anticipate—not just react to—potential risks and challenges is an effective way to futureproof your SOC team.
Process is the connective tissue between a SOC’s people and technology as well as the broader organization. When done right, it can result in an almost seamless flow of real-time information that supports decision making and adds value at nearly every step in the SOC workflow.
When designing processes for converged SOCs, it's important to consider what the business will become rather than what it is now. Once you collect data, how will you use it? Have you identified which information should be communicated and to whom? Do you have a clear escalation plan and process? Does it include all key partners across the organization? Will the integration deliver more value to the organization? If so, in what ways?
Just as architects ensure they don’t close off opportunities for expansion, security and risk leaders should ensure their process maps build in the redundancy needed to allow for future SOC developments—not merely to address the challenges of today. Build a process and map that serves as a link between humans, technology and the wider business, and then make sure it allows for future, modular plug-ins.
Technology has enabled business to transform and pivot during the pandemic, but it is only ever as good as the people who use it and the process that enables it to be transformative.
Keep that in mind when selecting technology providers. Your converged SOC needs tech that is fit for the future. That means you must spend a considerable amount of time and effort on the selection process. The right partner will have a forward view and share your ambition and vision.
When selecting a partner, there are two general principles to follow: 1) aim for providers with deep instead of broad expertise, and 2) check suppliers’ development roadmaps. Going deep allows you to select best-in-class technology solutions with true transformative capabilities. Broad solutions might offer technology fit for today, but they are unlikely to develop at the same pace across all of the offered capabilities.
Ask questions that will give you an idea of whether or not you are speaking to a future-proofed partner. Questions should focus on unique selling points and investments in R&D. Then ask to see and be briefed on:
the product roadmap
where investments are coming from
the timeframe for delivery
how much of the future capabilities will be under the current terms
Dataminr is a key partner to hundreds of the world’s leading global SOCs. They use our real-time alerts—often received within minutes or even seconds of an event occurrence—to identify and mitigate risks early on, and more quickly and effectively protect their people and assets.
Al Bowman is an Enterprise Account Manager at Dataminr. Before joining Dataminr, he designed, built and led Deloitte’s Intelligence Services Center in London. Prior to that, he served in the British Army, where his final role was as the Director of the Army’s global risk and intelligence center.