Gunther Cleijn: "Deploy highly skilled security specialists more efficiently"
Gunther Cleijn is Global CISO at NewCold, a company specializing in building and managing cold storage facilities worldwide. Like so many CISOs, he faces a severe shortage of security specialists. His solution: establish a zero-person SOC. It's a term we shouldn't take literally, but there's no doubt in Gunther Cleijn's mind that an organization can perform security processes with far fewer people. We spoke with the CISO, who is working hard to realize the zero-people SOC.
In your view, what is a zero-people SOC? Why should you want it?
"I'll start with that last question. As the person responsible for security, your job is to ensure reliable data and a trustworthy digital environment. You want to set up the most effective security organization possible, with optimal deployment of resources. These days that is often not easy to achieve with the resources available. Take a traditional SOC, which works based on ITIL processes. That way of working entails that highly trained people often have to deal with all kinds of basic reports, whereas you must challenge such professionals and deploy them on complex reports."
"Those basic notifications, I think you must handle with AI, machine learning. This is, in short, what I understand by zero people SOC, by which you aim to make optimal use of resources."
You shouldn't take the term literally, apparently, but how far do you go with it? Where do you put people, then?
"The path to zero people SOC once started with automating incident response, where the first step was automated so that tickets appeared. Then AI solutions were deployed to detect security issues and vulnerabilities. Now, we can use orchestration and automated response. These form a layer, as it were, over your security measures and ensure that they are all attuned to each other and can work together. Then you really are working at the next level!"
If you're going to work toward this, where do the investments fall? And how do you substantiate the ROI?
"Where you invest depends on the situation in a specific organization. For example, if you don't have data management in order, the investments in that area will. Also important is the question of what output you want from the systems: I believe those should be high-level findings that a specialized security engineer can dive into."
"About the ROI, you can say that with a zero-people SOC, you save the time of highly trained professionals, allowing them to deal with the cyber risk profile of the organization. They can think about risks from developments in the market or the world of cybercrime. It is not easy to translate that commitment into a hard ROI. I, therefore, prefer to speak of value."
What is the role of outsourcing in setting up a zero-people SOC? What do you let the market come up with?
"Unless you want to have everything in-house because you have to deal with laws and regulations, for example, it is better to leave tasks that someone else can do better to them. Think of red teaming, highly specialized work that no organization can do next to their line of business. Moreover, the butcher would then be judging his meat. In any case, I would outsource the control tasks."
"With automated orchestration and response, you're really next-leveling yourself"
"There are also providers that offer SOC-as-a-service. That is certainly an option. After all, it's not easy to build a SOC yourself. In any case, if you wanted to start with this now, I would not go for a complete SOC. And at least don't invest in the well-known big monitors. It's nice to show what the SOC does, but it's not necessary for anything. It should be so that people can also work from home."
There are also examples of organizations bringing the SOC back in-house to demonstrate its added value to the business.
"That can certainly be a consideration. You can also do this by sharing weekly event overviews, for example, with less and less detail as you get higher in the organization. By doing that, you also promote business engagement."
Many organizations today are working agile. What role does DevSecOps play? What is the link to a zero-people SOC?
"I think these are very similar and intertwined phenomena. Automating testing within your development iterations is a good example of that. It brings findings directly to the backlog. You can support this with one or two application security specialists to help teams get started. The knowledge of the security specialist should eventually transfer to the developer."