By Paul Yates
I had the incredible opportunity to facilitate a Peer-to-Peer session at RSAC 2017. My session was called “Managing the Machine: Strategies for Effective SecOps Management.” The session focused on common managerial techniques that can be applied by Security Operations managers to overcome the several challenges we face.
I began the session by doing a few straw polls of the room to get an idea of who was there and why:
- What is your current role? About 80% of the participants were Security Managers or Directors. We had a few CISOs and individual contributors as well.
- What are you looking to gain from this session? Pretty much the whole room wanted to attend my session to learn, which isn’t surprising. (I thought that some people may have wanted to come because they were facing a specific challenge and wanted help, but I was wrong.)
From there we spent about 10 minutes brainstorming Security Operation challenges. To make the most of the remaining time, we did a straw poll to find out which were most important to the group as a whole. The challenges faced by the majority of the group were:
- Getting the necessary budget and/or buy-in from the business
- Working through silos (internal IT and with the business)
- Dealing with “noise” from security technology
For the remainder of the session, we had a group discussion on these three challenges and the different management strategies/approaches each of us use to overcome them. Here are the biggest managerial techniques that arose from our discussion.
Getting the necessary budget and/or buy-in from the business
This was easily the topic we spent most time talking about. It was clear that everybody in the room is either facing this problem now or has faced it in the past.
- Align your security strategy to the strategy, mission and vision of your company. Build a program that does more than “keep the CEO out of the news.” Trying to convince executive leadership and the board of directors to invest more in Security isn’t enough. Find out what’s important to them and their business – and build a Security program that helps them accomplish that.
- In general, IT budget will always be a battle, so get creative instead: work with peers to “piggyback” on their capital projects; find existing tools that can satisfy your needs; and consider open source.
Working through silos (internal IT and with the business)
- Within IT – start by building relationships before going to other teams and asking them (making them?) to do or fix something. Security is commonly seen as the “muscle” – so use it for some good and help your colleagues fix a few of their problems.
- With the business – build relationships and get to know the business process that you’re dependent on. Don’t let Security be a “black box” – get to know key players from departments you rely on, such as Finance, HR and Legal.
- Communicate, early and often. Ask for (and listen to) input from the very start.
Dealing with “noise” from security technology
- Operations Management 101 teaches that there are only two ways to increase throughput (in this case, throughput is the number of alerts handled by your team): increase capacity or decrease demand. Increasing capacity normally means adding more people to the team – which usually isn’t an option. Another option is to partner with the right Managed Security Service Provider. I personally prefer to look for ways to reduce demand, i.e. the number of alerts generated. That could mean:
- turning off noisy alerts
- determining how many alerts your team can handle, and rationalizing which ones those should be
- automating certain tasks (RESTful APIs, Python and Bash are your friends)
- identifying processes where Security may be a bottleneck, and empowering other teams with self-service – a huge win-win (see previous section)
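As an added illustration of the “decrease demand” approach (this is example code written for this page, not anything from the session), the script below takes a week of triaged alerts, works out each rule’s volume and true-positive rate, compares total demand with the team’s weekly triage capacity, and lists the lowest-precision rules to tune first until the remaining volume fits. The alert data, rule names and capacity figures are constructed assumptions.

```python
"""Alert demand vs. analyst capacity: which noisy rules to tune first."""
from collections import defaultdict

# Constructed sample: one week of triaged alerts as (rule_name, was_true_positive).
SAMPLE_ALERTS = (
    [("dns_long_query", False)] * 400 + [("dns_long_query", True)] * 2
    + [("psexec_lateral", True)] * 6 + [("psexec_lateral", False)] * 4
    + [("failed_logon_burst", False)] * 150 + [("failed_logon_burst", True)] * 10
    + [("new_admin_account", True)] * 3
)


def summarize_rules(alerts):
    """Per-rule volume, true positives and precision (TP / total)."""
    counts, tps = defaultdict(int), defaultdict(int)
    for rule, is_true_positive in alerts:
        counts[rule] += 1
        tps[rule] += int(is_true_positive)
    return {r: {"count": counts[r], "true_positives": tps[r],
                "precision": tps[r] / counts[r]} for r in counts}


def weekly_capacity(analysts, alerts_per_analyst_per_day, working_days=5):
    """How many alerts the team can realistically triage in a week (assumed figures)."""
    return analysts * alerts_per_analyst_per_day * working_days


def plan_reduction(alerts, capacity):
    """Select rules to tune, lowest precision first (ties: highest volume),
    until the remaining weekly demand fits the team's capacity."""
    stats = summarize_rules(alerts)
    demand = sum(s["count"] for s in stats.values())
    order = sorted(stats, key=lambda r: (stats[r]["precision"], -stats[r]["count"]))
    to_tune = []
    for rule in order:
        if demand <= capacity:
            break  # demand now fits; leave the remaining rules alone
        to_tune.append(rule)
        demand -= stats[rule]["count"]
    return {"to_tune": to_tune, "remaining_demand": demand, "capacity": capacity}


if __name__ == "__main__":
    cap = weekly_capacity(analysts=2, alerts_per_analyst_per_day=35)
    for rule, s in sorted(summarize_rules(SAMPLE_ALERTS).items(),
                          key=lambda kv: -kv[1]["count"]):
        print(f"{rule:20s} alerts={s['count']:4d} precision={s['precision']:.3f}")
    print(plan_reduction(SAMPLE_ALERTS, cap))
```

Tuning a rule means tightening its logic or thresholds rather than simply disabling it; the point of ranking by precision is that the rules with the most analyst cost per real incident get attention first.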
In summary, it was obvious that most Security managers share similar challenges.