The modern Security Operations Centre has been shaped over time by technical, cultural and adversarial shifts. Because it must constantly react to changes in architecture, toolsets and threats, the underpinnings of such a function never stand still long enough for a settled best practice to be defined.
Security leaders, however, can agree on one thing. Designated a cost centre by the business, they remain under close scrutiny from the board. Shedding this label and earning a reputation as a business enablement function matters, and it is something CISOs need to drive at a senior level using a number of softer, but no less important, skills.
Understand your target audience
Security leaders need to accept that the board is, at its heart, a corporate governance function. It is not concerned with technical detail; its primary purpose is to ensure that the business operates in a repeatable, reliable and scalable manner.
To the board, security, like any other function, must deliver this within a pre-agreed cost. Unlike other functions, security delivers it by reducing risk. Tolerance, awareness and acceptance of security differ between boards, but CISOs who accept that the SOC's operation is part of this wider financial equation have a solid foundation to build on.
Storytellers have more effective conversations
Use this understanding as the narrative frame for every conversation with the board from now on.
This means that while metrics and data are important, business context is non-negotiable. No CISO has a dataset persuasive enough, in isolation, to demonstrate the requisite value to senior stakeholders. Instead, threat data, incidents and metrics should all roll up to this one unifying theme: everything must be expressed in business terms.
There are a number of ways of achieving this. The most impactful is to highlight the financial loss avoided by stopping real, recent incidents. For example, in a manufacturing business, work out how a specific attack could have halted factory production: put a total daily cost on the outage and multiply it by the average remediation time in days to arrive at a figure for the threat. For B2C companies, the cost will largely accrue as lost reputation and brand damage, which is harder to quantify but no less real to the board.
The business lens should not be limited to the risk the SOC prevents; it can also be used to show the cost efficiencies driven by tooling, which helps make the case for controls. Working out the number of incidents that can be handled by automation rather than by people is one example.
These narrative devices should also be tailored to individual board members. Learning who responds best to visuals, figures or outcomes will improve the impact of each conversation.
Transparency is key to trust
In the lion's den and under pressure to provide assurances, it is easy for CISOs to get cornered into guaranteeing the efficacy of their SOC. The impulse is very human, but do not fall into this trap. Making promises at this point, only to be proven wrong by the inevitable breach, will simply erode credibility.
Instead, build the board's confidence by being honest that breaches are inevitable. Underline that SOC efficacy is a journey, not a destination: a continuous chain of measurement, process iteration, tool enhancement and skills development that lowers, but never completely removes, risk. This message should be reinforced continually across the entire security team so that the board hears it consistently.
Clear lines of communication with the board on this point will not only build reputation but also help make the business case for investment in those improvements. This matters even more in small organisations with immature security functions, where honest, educational conversations help shape security culture from the top down.
A SOC may be measured on how its people, processes and technology perform, but it will only be allowed to thrive if something far more foundational succeeds: communication. Only security leaders can ensure that it does.
With a clear understanding of the target audience, basic storytelling and transparency, the SOC will no longer be seen as a cost centre but as a key business function.