Is Your SOC Ready For a Crisis?

By Dan Gundry, National Control Room Sales Manager, Vistacom, Inc.

October is National Cyber Security Awareness Month which is an annual campaign to raise awareness about the importance of cybersecurity. With changes in technology, content, and the workforce itself, it is important to assess our cyber and physical security operations on a regular basis. Often overlooked, the Security Operations Center (SOC), aka the nucleus of our security response mechanism, is responsible for aggregating data, assessing that information, making informed decisions, and initiating response.

The following 5 questions are a good start to help review your current operations. Remember to assess the questions from both a blue sky (everything is normal) to a grey sky (critical incident) perspective.

1. Do you have access to all of the right data? Ask your team what is important for them to have access to for assessing and responding to situations. A few potential examples could include dashboards, threat analysis data, social media feeds, networking monitoring, building automation systems, weather, traffic, PSIM data, television, general computer applications, and more.
2.  How is information communicated with stakeholders? Do operators pick up the phone or radio to communicate a problem? How do they relay the right data to decision makers to help them assess a problem? Can remote users view that information in the field?
3. From where are incidents managed? Do stakeholders huddle around a single desk area to manage incidents, does everyone get on a conference call together, or do you have a dedicated crisis management space so a separate group can manage the critical incident while the SOC operators continue to manage the rest of the operation? Find ways to allow the operators to perform their core responsibilities without disruptions while others manage the emergency.
4. How do you create the Common Operational Picture (COP) within your SOC? Is everyone operating off the same information and how is it presented or visualized? Does the COP contain all the relevant data for a particular incident? Does it provide the right situational awareness for operators, analysts, managers, and other key stakeholders? How is it shared with others not located within the SOC?
5. Does your current workflow support the need for effective and efficient decision making? The first step to corrective action is understanding there is a deficiency and planning responsibly to resolve it. Your next step is to engage an expert who understands the intricacies of an SOC and has helped other organizations improve their workflow and responsiveness