Overview
In a recent episode of the State of Enterprise IT Security podcast, host Brad Bussie and guest Svetla Yankova discussed best practices for implementing Security Operations (SecOps) effectively. Their conversation revealed some surprising insights that challenge conventional wisdom in the field.
The Human Element in an AI-Driven World
While many organizations are rushing to automate their security operations with AI and robotics, Yankova offers a contrarian view. She argues that a well-implemented SecOps strategy should actually allow humans to spend more time on high-fidelity alerts, not less.
"Good looks like the fact that you've modeled your environment and your risk and your drift so well, that humans can spend a lot of time on the very high fidelity things that come out," Yankova explains. This approach ensures that human expertise is applied where it's most valuable, rather than being overwhelmed by low-level alerts.
Elevating the Blue Team
Another key aspect of effective SecOps is the elevation of the blue team to "superstar status." Yankova emphasizes the importance of tight collaboration between red and blue teams, forming what's often called a purple team.
This collaboration allows for constant creative testing of the infrastructure, made possible by reduced toil and churn through "proper hygiene, modeling, help of automation, and technology."
Involving Business Owners
Perhaps most controversially, Yankova stresses the importance of involving business and application owners in the SecOps process. "Good looks like the fact that the application owners are tightly coupled with the SecOps teams to define what good looks like and to have this kind of shared accountability," she states.
This approach ensures that security isn't siloed away from the rest of the organization. Instead, it creates a shared understanding of risks and how applications are monitored.
Overcoming Fear and Building Understanding
Bussie wholeheartedly agrees with Yankova's perspective, particularly on business involvement. He notes that fear and lack of understanding often prevent non-security staff from engaging with security issues.
"People are afraid of things that they maybe don't necessarily understand. They're afraid of looking dumb or looking silly," Bussie observes. He urges everyone not to be afraid of security concepts and to seek a basic understanding.
The Role of Cybersecurity Practitioners
Bussie emphasizes that it's the job of cybersecurity practitioners to educate others on the "why" of security measures. "We get to figure out the how, and then we also go deeper into what it is we're doing," he explains.
This educational approach can help break down barriers between security teams and the rest of the organization, fostering a more holistic and effective SecOps implementation.
Key Takeaways for Effective SecOps Implementation:
- Focus on quality over quantity: Model your environment to allow humans to focus on high-fidelity alerts.
- Foster collaboration: Elevate blue teams and encourage tight collaboration with red teams.
- Involve business owners: Create shared accountability for security across the organization.
- Prioritize education: Help non-security staff understand the basics of cybersecurity.
- Embrace automation judiciously: Use technology to reduce toil, not to replace human expertise.
By following these best practices, organizations can create a more effective, efficient, and inclusive SecOps strategy that leverages both technological advancements and human expertise.