Agile Security Operations

By: Hinne Hettema

Overview of this book

Agile security operations allow organizations to survive cybersecurity incidents, deliver key insights into the security posture of an organization, and operate security as an integral part of development and operations. It is, deep down, how security has always operated at its best. Agile Security Operations will teach you how to implement and operate an agile security operations model in your organization. The book focuses on the culture, staffing, technology, strategy, and tactical aspects of security operations. You'll learn how to establish and build a team and transform your existing team into one that can execute agile security operations. As you progress through the chapters, you’ll be able to improve your understanding of some of the key concepts of security, align operations with the rest of the business, streamline your operations, learn how to report to senior levels in the organization, and acquire funding. By the end of this Agile book, you'll be ready to start implementing agile security operations, using the book as a handy reference.
Table of Contents (17 chapters)

  • Section 1: Incidence Response: The Heart of Security
  • Section 2: Defensible Organizations
  • Section 3: Advanced Agile Security Operations

Chapter 1: How Security Operations Are Changing

Cybersecurity is increasingly important for many organizations. It manifests itself as business risk. Security operations are a key security capability that organizations must implement to be effective in deterring and resolving the effects of cyber-attacks and in minimizing cybersecurity risk to their business. However, the role and mechanics of security operations are often misunderstood. That is why you are reading this book.

This book is written from a viewpoint on cybersecurity that, for some, turns matters on their head. I take the view that cybersecurity operations, when done well, drive security leadership, auditing, reporting, and risk reduction. This is not the common view on how organizations implement cybersecurity operations. The usual approach, sketched very briefly, is that organizations need executive commitment, funding, a cybersecurity program, often driven by audit results, and a raft of security policies and risk heat maps to be effective. Their job is then to drive this down into the business. The measurement of this is then done with maturity models and metrics.

This book will overturn that view. The viewpoint that I will develop and work out in this book is the following:

  • Passing audits is the result of security operations done well. Audits do not drive improvement – making improvements in security operations drives improvement overall.
  • Security operations vitally develop and enrich cybersecurity conversations at executive level mainly through the enhanced visibility they provide. Having a conversation about what happens on your network as opposed to what one reads about in the newspaper is inherently more powerful and convincing, especially if it can be backed up with evidence.
  • The visibility and context provided by well-executed cybersecurity operations inherently change the strategy and risk discussion, leading to better-grounded risk and compliance programs.
  • Building the visibility and response components into applications and networks from the outset leads to better security architecture and changes the conversation from security being a blocker to security being an enabler of the business.
  • If security operations are the core of an organization's cyber risk management, then the activities undertaken to resolve security incidents are at the heart of security operations. The viewpoint that I will take in this book, and that in my view defines agile security operations, is that effective incident response is the key measure when it comes to risk reduction from threats. In turn, the need to perform incident response then drives the rest of the security operations.

The operations piece of cybersecurity also needs funding, commitment, policies, and risk management. Doing cybersecurity operations well is not an excuse to get rid of these things. The difference is a radically changed conversation about their impact and use. Cybersecurity operations, done well, provide a vital context and enrichment to the executive and business conversation that will lead to a tight integration between cybersecurity and the business, reduce risk more effectively, and, in short, lead to an organization that is defensible from a tooling (technical), cultural (people), and management (process) perspective. The part between brackets is sometimes referred to as the people, process, and technology (PPT) framework.

The focus of this chapter is on the following:

  • Understanding the role of security operations in risk management
  • Defining security operations
  • Understanding why security operations need to be agile

The chapter is structured as follows:

  • Why security is hard
  • Security incidents
  • Security solutions in search of a problem
  • The scope of security operations
  • Where security operations turn agile