In collaboration with Siemplify, the Cyentia Institute recently released the Road to Security Operations Maturity study. It’s been a couple of years since we visited the topic of SecOps, so it was fun to get back into it during this project. As the name implies, the focus of this study was understanding where SecOps programs are on their journey toward maturity. What are the critical challenges? How are programs of different types and sizes addressing these challenges? Where are they finding success? What does success look like? We address questions like these and more in the report, which you can download from Siemplify here.
We cover a lot of ground in the report, and I won’t retread it all here. But I do want to highlight one particular aspect that I personally found interesting. Having some leadership experience in security operations from a previous professional life, I find the question of how SecOps teams organize for success both important and fascinating. There are many variations on how to structure teams, but two common models are based around either ‘tiers’ or ‘teams.’ The ‘tiered’ approach is embodied in the traditional three-level SOC, where analysts triage events and, if not closed out, hand them off to the next tier for further investigation. The ‘teams’ model mixes things up a bit (literally), by forming groups of analysts with varying specialties and experience. Some view the former as more efficient and the latter as more effective.
Surprisingly, our results showed that the prevalence of these models among organizations in our study was roughly even. While I was aware of increasing momentum behind adopting this ‘teams’ approach, we did not expect to see it anywhere near on par with the more traditional ‘tiered’ SOC model. One theory is that Figure 8 shows the strong influence DevOps has had on SecOps of late. If small teams with at least one individual responsible for security are less likely to produce insecure products, perhaps teams with mixed roles can be more effective in the SOC as well. Overall though, respondents from both schools of thought reported having mature, successful programs. Are we seeing the big reveal of a widespread “SOC makeover,” or just more options for structuring the emerging broader-than-the-SOC notion of SecOps? Could it be that both models have their place, depending upon the goals and characteristics of the organization?
We hoped to determine which one of these models led to greater maturity, but the data had other plans. We saw no differences or advantages for one model or the other. Choosing teams of mixed levels and roles or constructing a tiered system seems to be largely based on various organizational characteristics and circumstances. The journey to maturity does seem to differ, though. Respondents within the ‘teams’ model seemed to emphasize improving people and processes, while those in the classic ‘tiers’ model talked more about optimizing and managing tools.
Do these results line up with your experiences? Is one SecOps structure inherently or always better than others, or does it depend on factors that vary from firm to firm? What are those factors? If you have thoughts on that, let us know on LinkedIn or Twitter (@cyentiainst).
And don’t forget to grab the full report here.