It’s no secret that as the security landscape becomes increasingly complex, resources are becoming harder and harder to find. Team members with high-tech skills and experience are both difficult to hire and retain, as security threats overwhelm them and dampen morale. CISOs have to prioritize detection, analysis, and coordinated responses, all while managing expectations within the organization and advocating for their priorities.
In order for security operations to be successful, the entire organization needs to prioritize them. Communicating the importance of security operations and their impact is part of everything from ensuring compliance on basic security measures throughout the organization to validating budgets for the security org. Measuring efficiencies in your security operations center (SOC) can mean the difference between success and failure.
However, knowing which SOC performance metrics to report isn’t always straightforward, as you have to suss out the vanity metrics from the ones that truly make an impact—as well as know which metrics can be best understood within your organization. To help you address this, we’ve broken it down into three questions you can use to determine what to report to your organization and how to measure your impact.
1. What problems are you solving for?
It may seem obvious, but the No. 1 question to ask yourself is, “What is my security team doing?” You need the ability to present a clear value proposition to your broader organization and be prepared to state what the ROI of your team truly is (HINT: the return is avoided cost). This means understanding the security team’s place in driving toward the organization’s broader goals, including sales, expansion, and technology budgeting.
The most important function of a security team is to respond quickly and efficiently to threats so the organization can remain secure. However, there are a number of internal problems that teams face that need to be accounted for—most notably the overwhelming number of alerts that analysts receive during a given time. Analysts often get so bogged down in unnecessary alerts, false positives, or benign issues that they start to ignore alerts in general, which can turn into a huge security risk if a truly critical alert is missed.
By identifying common time-wasting alerts and creating a process to suppress them, your team can free up analysts’ time to address truly critical threats. From there, you can assign priority to alerts and provide enough information in a push notification for analysts to determine how to react to an alert when it comes in. Analysts can spend less time wading through false positives or benign alerts and more time investigating critical alerts, which means they can shut down attacks faster and more efficiently.
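The process described above, as an added worked example that is not part of the original post or of any Rapid7 product: it mines a constructed triage history for rule/asset pairs that fire often but almost never need action, builds a suppression list from them, ranks the surviving alerts by a rule-severity plus asset-criticality score, and reports the share of historical alerts the suppression list would have removed together with the number of true positives it would have hidden (which is the check that keeps "time-wasting alert" from silently becoming "missed attack"). The thresholds, asset tiers, rule names and sample dispositions are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed triage history (not real data): rule name, affected asset, and the
# analyst's final disposition. "benign" and "false_positive" are the time-wasters.
HISTORY = [
    {"rule": "scanner-noise", "asset": "vuln-scanner-01", "disposition": "benign"},
    {"rule": "scanner-noise", "asset": "vuln-scanner-01", "disposition": "benign"},
    {"rule": "scanner-noise", "asset": "vuln-scanner-01", "disposition": "false_positive"},
    {"rule": "scanner-noise", "asset": "vuln-scanner-01", "disposition": "benign"},
    {"rule": "scanner-noise", "asset": "vuln-scanner-01", "disposition": "benign"},
    {"rule": "failed-logon-burst", "asset": "dc-01", "disposition": "true_positive"},
    {"rule": "failed-logon-burst", "asset": "ws-22", "disposition": "false_positive"},
    {"rule": "failed-logon-burst", "asset": "dc-01", "disposition": "true_positive"},
    {"rule": "new-service-install", "asset": "ws-22", "disposition": "false_positive"},
    {"rule": "new-service-install", "asset": "ws-22", "disposition": "benign"},
    {"rule": "new-service-install", "asset": "ws-22", "disposition": "benign"},
    {"rule": "new-service-install", "asset": "ws-22", "disposition": "benign"},
    {"rule": "new-service-install", "asset": "ws-22", "disposition": "benign"},
    {"rule": "credential-dump-tool", "asset": "dc-01", "disposition": "true_positive"},
]

# Assumed lookups; in a real SOC these come from the asset inventory and rule metadata.
ASSET_TIER = {"dc-01": "critical", "ws-22": "standard", "vuln-scanner-01": "low"}
RULE_SEVERITY = {"credential-dump-tool": "high", "failed-logon-burst": "medium",
                 "new-service-install": "low", "scanner-noise": "low"}
SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3}
TIER_SCORE = {"low": 0, "standard": 1, "critical": 2}


def find_time_wasters(history, min_alerts=5, max_tp_rate=0.05):
    """Return (rule, asset) pairs that fired at least min_alerts times and were a
    true positive no more than max_tp_rate of the time. Thresholds are assumptions;
    tune them against your own triage data."""
    totals, true_pos = defaultdict(int), defaultdict(int)
    for a in history:
        key = (a["rule"], a["asset"])
        totals[key] += 1
        if a["disposition"] == "true_positive":
            true_pos[key] += 1
    return {k for k, n in totals.items()
            if n >= min_alerts and true_pos[k] / n <= max_tp_rate}


def assign_priority(alert):
    """Combine rule severity with asset criticality into a P1/P2/P3 label."""
    score = (SEVERITY_SCORE[RULE_SEVERITY[alert["rule"]]]
             + TIER_SCORE[ASSET_TIER[alert["asset"]]])
    if score >= 5:
        return "P1"
    if score >= 3:
        return "P2"
    return "P3"


def triage(incoming, suppressed):
    """Drop suppressed alerts, rank the rest, and attach the one-line summary an
    analyst would see in a push notification. Returns (queue, dropped_count)."""
    queue, dropped = [], 0
    for a in incoming:
        if (a["rule"], a["asset"]) in suppressed:
            dropped += 1
            continue
        pr = assign_priority(a)
        summary = f"[{pr}] {a['rule']} on {a['asset']} ({ASSET_TIER[a['asset']]} asset)"
        queue.append({**a, "priority": pr, "summary": summary})
    queue.sort(key=lambda x: x["priority"])  # "P1" sorts before "P2" before "P3"
    return queue, dropped


def suppression_metrics(history, suppressed):
    """Report what the suppression list buys and what it costs: the fraction of
    past alerts it would have removed, and the true positives it would have hidden."""
    removed = [a for a in history if (a["rule"], a["asset"]) in suppressed]
    hidden_tp = sum(1 for a in removed if a["disposition"] == "true_positive")
    return len(removed) / len(history), hidden_tp


# Constructed batch of new alerts to run through the pipeline.
INCOMING = [
    {"rule": "scanner-noise", "asset": "vuln-scanner-01"},
    {"rule": "new-service-install", "asset": "ws-22"},
    {"rule": "failed-logon-burst", "asset": "dc-01"},
    {"rule": "credential-dump-tool", "asset": "dc-01"},
]

if __name__ == "__main__":
    suppressed = find_time_wasters(HISTORY)
    queue, dropped = triage(INCOMING, suppressed)
    rate, hidden = suppression_metrics(HISTORY, suppressed)
    print(f"suppressed pairs: {sorted(suppressed)}")
    print(f"dropped {dropped} of {len(INCOMING)} incoming alerts")
    for a in queue:
        print(a["summary"])
    print(f"{rate:.0%} of historical alerts removed, {hidden} true positives hidden")
```

The `hidden_tp` figure is the number worth watching when you report these metrics: a suppression list that removes 70% of alert volume is only a win if that count stays at zero, so re-run `suppression_metrics` whenever dispositions are updated rather than treating the list as permanent.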
With these SOC performance metrics defined, you can show the value of the work the team is doing, as well as improvements in time to warning of attacks, where training is needed, and where more resources are required.
2. How much does the organization need to know?
Whittling down the amount of information that you receive can be a daunting task. There are dozens of metrics that aren’t useful, even if they are awe-inspiring or make your department sound good. You may be tempted to use metrics like time to response, which sounds great but doesn’t tell the full story of your team’s success.
This is where knowing your organization comes in handy. Even if you know that time to response or other metrics are important, what matters to your C-suite is probably much simpler. Focus on SOC performance metrics that tell a straightforward story, such as the following:
- Incidents that caused business interruption
- Quick incident response actions that helped avoid business interruption
- Incidents that can be avoided by technology investment/adoption
- Incidents that can be avoided from process improvement
- Vulnerabilities that became incidents
3. How often can the organization be informed?
If employees at all levels are regularly informed of the security team’s successes and why they matter to the company, they’ll be much more likely to participate in the greater security conversation. It’s a good idea to set up a regular newsletter to be sent to stakeholders at all levels to report on internal investigations, vulnerability scanning, asset discovery, security tips and tricks, and what your team has been up to. This will create a familiarity with the subject, so that when your team makes a major finding or report, employees will be prepared to take it seriously.
It will also make it easier for you to create an annual report by compiling information from regular newsletters to paint a broader picture of the security posture at your organization.
CISOs and other executives need regular access to these SOC performance metrics in order to make informed decisions for the team and for the organization as a whole. It’s a good idea to create a dashboard that provides you an overview of these metrics, as well as the ability to drill down into them and produce reports at given intervals.