
Advancing the Security Operations Center (SOC): 4 Questions with Stephen Jones


By: Dataprise

As the complexity of cyber threats continues to grow and evolve, Security Operations Centers (SOCs) have become critical to protecting organizations. However, building out a SOC can be a complex and costly endeavor, and many organizations underestimate the importance of staffing and strategic planning. In this blog article, we interview Stephen Jones, Vice President of Cybersecurity at Dataprise, to explore four key questions related to SOC management, including staffing, threat intelligence, making managed security easier, and managing security audits. Jones shares his insights and experiences, providing valuable advice to those who are thinking about building or improving their SOC. 

Q. What advice could you give to others who are thinking about building out a SOC? 

A. Building out a SOC is a costly endeavor, and the initial investment is often underestimated, which means you end up with a partial and, in the worst cases, ineffective SOC. One of the key areas people often miss when planning a SOC is factoring in the human elements and overstaffing to allow your team to take PTO/vacation as well as have time to pursue training/education. If you don’t account for these tolerances in staffing, you are guaranteed to burn out your staff and create a culture you don’t want.

When it comes to SOC management, if you haven’t staffed properly as described above, your SOC management will spend their time in operations, in the weeds, with clients, and not actually managing the SOC. SOCs require a fair amount of strategic thinking and planning to shift, grow, and mature in the ways that are required of them as the threat landscape and technologies change and evolve. Give your SOC management the resources that they need to let them focus on growing and driving the services and technologies.

Q. How do you leverage threat intelligence in your practice, and what do you suggest others do when it comes to threat intel?

A. At Dataprise we leverage a paid global threat intelligence source to feed our tools. There are many free options, some that are good, and some that aren’t as good. We’ve had a good experience with our threat intelligence provider and have integrated it into our SIEM to enable automated threat enrichment.  

When we have an alert in the SIEM we have automation playbooks that enrich the alert by running the indicators through our Threat Intelligence capability. This adds a tremendous amount of context that is instantly available to our analysts, which helps speed decision-making and drastically reduces response time. 
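A minimal version of the enrichment playbook described in this answer, written as an added example rather than Dataprise's own code: it pulls indicators out of a SIEM alert, looks them up in a constructed stand-in for the threat-intelligence feed, attaches the returned context to the alert, and raises the alert severity when the feed reports a confident verdict. The feed contents, alert fields and four-step severity scale are assumptions.

```python
import re

# Constructed stand-in for the paid threat-intelligence feed (hypothetical
# entries using documentation address ranges; not real indicators).
TI_FEED = {
    "203.0.113.45": {"verdict": "malicious", "confidence": 90, "tags": ["c2"]},
    "198.51.100.7": {"verdict": "suspicious", "confidence": 55, "tags": ["scanner"]},
    "update-check.example": {"verdict": "malicious", "confidence": 85, "tags": ["phishing"]},
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

SEVERITIES = ["low", "medium", "high", "critical"]  # assumed severity scale


def extract_indicators(alert):
    """Collect IPs, SHA-256 hashes and domains from every field of the alert."""
    text = " ".join(str(v) for v in alert.values())
    ips = set(IP_RE.findall(text))
    hashes = {h.lower() for h in SHA256_RE.findall(text)}
    domains = {d.lower() for d in DOMAIN_RE.findall(text)} - ips
    return ips | hashes | domains


def enrich_alert(alert, feed=TI_FEED):
    """Run the alert's indicators through the feed; return an enriched copy.

    Adds an `enrichment` list with the feed context for each hit and bumps
    `severity` two steps for a confident malicious verdict, one step otherwise.
    """
    enriched = dict(alert)
    hits, steps = [], 0
    for ioc in sorted(extract_indicators(alert)):
        intel = feed.get(ioc)
        if intel is None:
            continue
        hits.append({"indicator": ioc, **intel})
        if intel["verdict"] == "malicious" and intel["confidence"] >= 80:
            steps = max(steps, 2)
        elif intel["verdict"] in ("malicious", "suspicious"):
            steps = max(steps, 1)
    enriched["enrichment"] = hits
    idx = SEVERITIES.index(alert.get("severity", "low"))
    enriched["severity"] = SEVERITIES[min(idx + steps, len(SEVERITIES) - 1)]
    return enriched


# Constructed SIEM alert as the playbook would receive it.
SAMPLE_ALERT = {
    "rule": "Outbound connection to rare destination",
    "severity": "low",
    "src_ip": "10.0.5.23",
    "dest_ip": "203.0.113.45",
    "message": "proxy allowed GET http://update-check.example/ping",
}
```

Running `enrich_alert(SAMPLE_ALERT)` returns the alert with two feed hits attached and its severity raised from low to high, which is the context an analyst would otherwise have to assemble by hand.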

Q. When it comes to security, what would make your life easier?

A. Managing security is made easier through clear, concise, and meaningful reporting that is tied directly to business outcomes. This level of reporting of KPIs and metrics helps leadership understand the business impact of the security decisions they make (or don’t make) and connects the security of the enterprise with the business’ requirements and needs. Without this link, you can’t fully understand what you need to protect, how best to protect it, and what to do when and if that protection fails.  

SOC leadership that is properly funded, adequately staffed, and able to focus on the strategic growth of the department can ensure that C-Suite leadership for the business is provided meaningful reporting that empowers them to make data-driven decisions. 

Q. How do you manage security audits with your customers? 

A. We have a service to provide a Security Gap Analysis that provides an in-depth assessment/audit of our client’s security posture and produces a lengthy report and roadmap for addressing any findings. We like to lead with this type of engagement for clients that are beginning their security journey, or those that do not have dedicated security resources in-house. This gives the client and Dataprise a solid baseline to work from. 
