In a recent episode of the State of Enterprise IT Security podcast, host Brad Bussie and guest Svetla Yankova discussed best practices for implementing Security Operations (SecOps) effectively. Their conversation revealed some surprising insights that challenge conventional wisdom in the field.
While many organizations are rushing to automate their security operations with AI and robotics, Yankova offers a contrarian view. She argues that a well-implemented SecOps strategy should let humans spend more time on high-fidelity alerts, not less.
"Good looks like the fact that you've modeled your environment and your risk and your drift so well that humans can spend a lot of time on the very high fidelity things that come out," Yankova explains. The point is that human expertise goes where it is most valuable: analysts work the small residue of alerts that survive a well-modeled baseline, rather than being buried under low-fidelity noise.
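The podcast does not describe any particular tooling, so the following is an added illustration (not code from the episode or from either speaker) of the idea behind that quote: learn a baseline of what the environment normally does, treat departures from it as drift, and score alerts so that only the high-fidelity residue reaches a human. The telemetry, the host roles, the severities and the scoring weights are all constructed for this example.

```python
"""Hypothetical triage model: learn an environment baseline, flag drift,
and hand humans only the high-fidelity residue. All data is constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """A (host role, process, parent process) triple; frozen so it can be hashed."""
    host_role: str   # constructed labels such as "web", "db", "ci-runner"
    process: str
    parent: str


@dataclass
class Alert:
    alert_id: str
    event: Event
    severity: int    # 1 (info) .. 5 (critical), as a detection rule would assign it


# Constructed telemetry from a learning window in which the fleet was known-good.
LEARNING_WINDOW = [
    Event("web", "nginx", "systemd"),
    Event("web", "php-fpm", "nginx"),
    Event("web", "php-fpm", "nginx"),
    Event("db", "postgres", "systemd"),
    Event("ci-runner", "bash", "runner"),
    Event("ci-runner", "curl", "bash"),
    Event("ci-runner", "python3", "bash"),
]

# Constructed alert batch: a mix of baseline activity, one-off drift on
# sensitive roles, and the same novel process appearing on several CI hosts.
SAMPLE_ALERTS = [
    Alert("A1", Event("web", "nginx", "systemd"), 2),      # expected
    Alert("A2", Event("web", "bash", "nginx"), 4),         # shell spawned by web server
    Alert("A3", Event("db", "bash", "postgres"), 5),       # shell spawned by database
    Alert("A4", Event("ci-runner", "node", "runner"), 2),  # new tool, host 1
    Alert("A5", Event("ci-runner", "node", "runner"), 2),  # new tool, host 2
    Alert("A6", Event("ci-runner", "node", "runner"), 2),  # new tool, host 3
    Alert("A7", Event("ci-runner", "curl", "bash"), 3),    # expected
]


def learn_baseline(events, min_count=1):
    """Model the environment as the set of triples seen at least min_count
    times during the learning window. Raising min_count drops one-off noise."""
    counts = Counter(events)
    return {event for event, n in counts.items() if n >= min_count}


def is_drift(alert, baseline):
    """Drift is anything the baseline has never explained."""
    return alert.event not in baseline


def fidelity(alert, baseline, batch_counts):
    """Score in [0, 1]. Baseline activity is pushed toward zero. Drift keeps a
    weight proportional to severity, discounted when the same novel triple is
    firing on many hosts at once (often a rollout rather than an intrusion)."""
    if not is_drift(alert, baseline):
        return 0.05 * alert.severity / 5
    novelty = 1.0 / batch_counts[alert.event]   # 1.0 for a one-off
    return (alert.severity / 5) * (0.5 + 0.5 * novelty)


def triage(alerts, baseline, threshold=0.5):
    """Split a batch into (for_humans, suppressed); for_humans is sorted
    highest fidelity first so analysts start with the strongest signal."""
    batch_counts = Counter(a.event for a in alerts)
    scored = [(fidelity(a, baseline, batch_counts), a) for a in alerts]
    for_humans = sorted((s, a) for s, a in scored if s >= threshold)
    for_humans.reverse()
    suppressed = [(s, a) for s, a in scored if s < threshold]
    return for_humans, suppressed


if __name__ == "__main__":
    baseline = learn_baseline(LEARNING_WINDOW)
    humans, quiet = triage(SAMPLE_ALERTS, baseline)
    for score, alert in humans:
        print(f"REVIEW  {alert.alert_id} {alert.event} fidelity={score:.2f}")
    print(f"{len(quiet)} alerts suppressed or deferred by the baseline model")
```

With the constructed data, only the two shells spawned by nginx and postgres clear the threshold; the identical new process on three CI runners is scored down as probable rollout drift rather than handed to an analyst as three separate incidents, and the baseline activity is suppressed outright. In practice the baseline would be learned continuously and the threshold tuned with the application owners who know what "expected" means for their systems.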
Another key aspect of effective SecOps is the elevation of the blue team to "superstar status." Yankova emphasizes the importance of tight collaboration between red and blue teams, forming what's often called a purple team.
This collaboration allows constant, creative testing of the infrastructure, which only becomes possible once toil and churn have been reduced through "proper hygiene, modeling, help of automation, and technology."
Perhaps most controversially, Yankova stresses the importance of involving business and application owners in the SecOps process. "Good looks like the fact that the application owners are tightly coupled with the SecOps teams to define what good looks like and to have this kind of shared accountability," she states.
This approach ensures that security isn't siloed away from the rest of the organization. Instead, it creates a shared understanding of risks and how applications are monitored.
Bussie wholeheartedly agrees with Yankova's perspective, particularly on business involvement. He notes that fear and lack of understanding often prevent non-security staff from engaging with security issues.
"People are afraid of things that they maybe don't necessarily understand. They're afraid of looking dumb or looking silly," Bussie observes. He urges everyone not to be afraid of security concepts and to seek a basic understanding.
Bussie emphasizes that it's the job of cybersecurity practitioners to educate others on the "why" of security measures. "We get to figure out the how, and then we also go deeper into what it is we're doing," he explains.
This educational approach can help break down barriers between security teams and the rest of the organization, fostering a more holistic and effective SecOps implementation.
By following these practices, organizations can build a SecOps strategy that is more effective, efficient, and inclusive, drawing on both technological advances and human expertise.