- There is an onslaught of security data – generating information in different formats, storing it in different places, and forwarding it to different locations.
- The organization lacks a dedicated enterprise security team. There is limited resourcing available to begin or mature a security operations center.
- Many organizations are developing ad hoc security capabilities that result in operational inefficiencies, the misalignment of resources, and the misuse of security technology investments.
- It is difficult to communicate the value of a security operations program when trying to secure organizational buy-in to gain the appropriate resourcing.
- There is limited communication between security functions due to a centralized security operations organizational structure.
Our Advice
Critical Insight
- Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.
- Functional threat intelligence is a prerequisite for effective security operations – without it, security operations will be inefficient and redundant. Eliminate false positives by contextualizing threat data, aligning intelligence with business objectives, and building processes to satisfy those objectives.
- If you are not communicating, you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.
Impact and Result
- A unified security operations process actively transforms security events and threat information into actionable intelligence, driving security prevention, detection, analysis, and response processes, addressing the increasing sophistication of cyberthreats, and guiding continuous improvement.
- This blueprint will walk through the steps of developing a flexible and systematic security operations program relevant to your organization.
Member Testimonials
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.
| Overall Impact | Average $ Saved | Average Days Saved |
| --- | --- | --- |
| 10.0/10 | $78,749 | 28 |

| Client | Experience | Impact | $ Saved | Days Saved |
| --- | --- | --- | --- | --- |
| Wellpath | Workshop | 10/10 | $31,499 | 5 |
| Ministry of Industry, Innovation, Science and Technology | Guided Implementation | 10/10 | $125K | 50 |
| Sedgwick Cms | Workshop | 9/10 | N/A | N/A |
| Australian Catholic University | Guided Implementation | 9/10 | N/A | N/A |
Workshop: Develop a Security Operations Strategy
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Assess Operational Requirements
The Purpose
- Determine current prevention, detection, analysis, and response capabilities, operational inefficiencies, and opportunities for improvement.
Key Benefits Achieved
- Determine why you need a sound security operations program.
- Understand Info-Tech’s threat collaboration environment.
- Evaluate your current security operation’s functions and capabilities.
| Activities | Outputs |
| --- | --- |
| Understand the benefits of refining your security operations program. | |
| Gauge your current prevention, detection, analysis, and response capabilities. | Security Operations Preliminary Maturity Assessment Tool |
Module 2: Develop Maturity Initiatives
The Purpose
- Begin developing and prioritizing gap initiatives in order to achieve the optimal state of operations.
Key Benefits Achieved
- Establish your goals, obligations, scope, and boundaries.
- Assess your current state and define a target state.
- Develop and prioritize gap initiatives.
- Define the cost, effort, alignment, and security benefits of each initiative.
- Develop a security strategy operational roadmap.
| Activities | Outputs |
| --- | --- |
| Assess your current security goals, obligations, and scope. | Information Security Strategy Requirements Gathering Tool |
| Design your ideal target state. | |
| Prioritize gap initiatives. | Security Operations Maturity Assessment Tool |
Module 3: Define Operational Interdependencies
The Purpose
- Identify opportunities for collaboration.
- Formalize your operational process flows.
- Develop a comprehensive and actionable measurement program.
Key Benefits Achieved
- Understand the current security operations process flow.
- Define the security operations stakeholders and their respective deliverables.
- Formalize an internal information-sharing and collaboration plan.
| Activities | Outputs |
| --- | --- |
| Identify opportunities for collaboration. | Security Operations RACI & Program Plan Tool |
| Formalize a security operations collaboration plan. | Security Operations Collaboration Plan |
| Define operational roles and responsibilities. | Security Operations Cadence Schedule Template |
| Develop a comprehensive measurement program. | Security Operations Metrics Summary |
INFO-TECH RESEARCH GROUP
Develop a Security Operations Strategy
Transition from a security operations center to a threat collaboration environment.
Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns.
© 1997-2017 Info-Tech Research Group Inc.
ANALYST PERSPECTIVE
“A reactive security operations program is no longer an option. The increasing sophistication of threats demands a streamlined yet adaptable mitigation and remediation process. Protect your assets by preparing for the inevitable; unify your prevention, detection, analysis, and response efforts and provide assurance to your stakeholders that you are making information security a top priority.”
Edward Gray,
Consulting Analyst, Security, Risk & Compliance
Info-Tech Research Group
Our understanding of the problem
This Research Is Designed For:
This Research Will Help You:
This Research Will Also Assist:
This Research Will Help Them:
Executive summary
Situation
- Current security practices are disjointed, operating independently with a wide variety of processes and tools to conduct incident response, network defense, and threat analysis. These disparate mitigations leave organizations vulnerable to the increasing number of malicious events.
- Threat management has become resource intensive, requiring continuous monitoring, collection, and analysis of massive volumes of security event data, while juggling business, compliance, and consumer obligations.
Data breaches are resulting in major costs across industries
Average data breach costs per compromised record hit an all-time high of $217 (in 2015); $74 is direct cost (e.g. legal fees, technology investment) and $143 is indirect cost (e.g. abnormal customer churn). (Source: Ponemon Institute, “2015 Cost of Data Breach Study: United States”)
[Figure: statistics from The Network, “Cisco 2017 Security Capabilities Benchmark Study”]
Persistent issues
- Organizational barriers separating prevention, detection, analysis, and response efforts. Siloed operations limit collaboration and internal knowledge sharing.
- Lack of knowledgeable security staff. Human capital is transferable between roles and functions and must be cross-trained to wear multiple hats.
- Failure to evaluate and improve security operations. The effectiveness of operations must be frequently measured and (re)assessed through an iterative system of continuous improvement.
- Lack of standardization. Pre-established use cases and policies outlining tier-1 operational efforts will eliminate ad hoc remediation efforts and streamline operations.
- Failure to acknowledge the auditor as a customer. Many compliance and regulatory obligations require organizations to have comprehensive documentation of their security operations practices.
- 60% of organizations say security operation teams have little understanding of each other’s requirements.
- 40% of executives report that poor coordination leads to excessive labor and IT operational costs.
- 38-100% increase in efficiency after closing operational gaps with collaboration.
(Source: Forbes, “The Game Plan for Closing the SecOps Gap”)
The solution
“Empower a few administrators with the best information to enable fast, automated responses.”
Insufficient security personnel resourcing has been identified as the most prevalent challenge in security operations… When an emergency security incident strikes, weak collaboration and poor coordination among critical business functions will magnify inefficiencies in the incident response (IR) process, impacting the organization’s ability to minimize damage and downtime.
The solution: optimize your SOC. Info-Tech has seen SOCs with five analysts outperform SOCs with 25 analysts through tools and process optimization.
Maintain a holistic security operations program
Legacy security operations centers (SOCs) fail to address gaps between data sources, network controls, and human capital. There is limited visibility and collaboration between departments, resulting in siloed decisions that do not support the best interests of the organization.
Security operations is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address cyberthreats affecting the organization’s brand, business operations, and technology infrastructure on a daily basis.
Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Diligent patching and vulnerability management, endpoint protection, and strong human-centric security (amongst other tactics) are essential.
Detect: There are two types of companies – those who have been breached and know it and those who have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs.
Analyze: Raw data without interpretation cannot improve security and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data but also provides visibility into your threat landscape.
Respond: Organizations can’t rely on an ad hoc response anymore – don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook in order to reduce incident remediation time and effort.
Info-Tech’s security operations blueprint ties together various initiatives
Vulnerability Management
Vulnerability management revolves around the identification, prioritization, and remediation of vulnerabilities. Vulnerability management teams hunt to identify which vulnerabilities need patching and remediating.
Deliverables
Threat Intelligence
Threat intelligence addresses the collection, analysis, and dissemination of external threat data. Analysts act as liaisons to their peers, publishing actionable threat alerts, reports, and briefings. Threat intelligence proactively monitors and identifies whether threat indicators are impacting your organization.
Operations
Security operations include the real-time monitoring and analysis of events based on the correlation of internal and external data sources. This also includes incident escalation based on impact. Analysts are constantly tuning and tweaking rules and reporting thresholds to further help identify which indicators are most impactful during the analysis phase of operations.
Develop and Implement a Security Incident Management Program
Incident Response
Effective and efficient management of incidents involves a formal process of analysis, containment, eradication, recovery, and post-incident activities. IR teams coordinate root-cause analysis and incident gathering while facilitating post-incident lessons learned. Incident response can provide valuable threat data that ties specific indicators to threat actors or campaigns.
This blueprint will…
…better protect your organization with an interdependent and collaborative security operations program.
Phase 1: Assess your operational requirements. Briefly assess your current prevention, detection, analysis, and response capabilities. Highlight operational weak spots that should be addressed before progressing.
Phase 2: Optimize and further mature your security operations processes. Develop a prioritized list of security-focused operational initiatives. Conduct a holistic analysis of your operational capabilities.
Phase 3a: Develop the process flow and specific interaction points between functions. Define the operational interaction points between security-focused operational departments. Document the results in a comprehensive operational interaction agreement.
Phase 3b: Test your current capabilities with a table-top exercise. Test your operational processes with Info-Tech’s security operations table-top exercise.
Info-Tech integrates several best practices to create a best-of-breed security framework
Benefits of a collaborative and integrated operations program
Effective security operations management will help you do the following:
Impact
Short term:
Long term:
Understand the cost of not having a suitable security operations program
A practical approach, justifying the value of security operations, is to identify the assets at risk and calculate the cost to the company should the information assets be compromised (i.e. assess the damage an attacker could do to the business).
| Cost Structure | Cost Estimation ($) for SMB (small and medium-sized business) | Cost Estimation ($) for LE (large enterprise) |
| --- | --- | --- |
| Security controls: technology investment (software, hardware, facility, maintenance, etc.); cost of process implementation (incident response, CMDB, problem management, etc.); cost of resources (salary, training, recruiting, etc.) | $0-300K/year | $200K-2M/year |
| Security incidents (if no security control is in place): explicit cost | $15K-650K/year | $270K-11M/year |
Workshop Overview
Contact your account representative or email Workshops@InfoTech.com for more information.
Workshop Day 1 | Workshop Day 2 | Workshop Day 3 | Workshop Day 4 | Workshop Day 5
Activities
Deliverables
All Final Deliverables
Develop a Security Operations Strategy
PHASE 1
Assess Operational Requirements
1. Assess Operational Requirements | 2. Develop Maturity Initiatives | 3. Define Interdependencies
This step will walk you through the following activities:
- Determine why you need a sound security operations program.
- Understand Info-Tech’s threat collaboration environment.
- Evaluate your current security operation’s functions and capabilities.
Outcomes of this step
- A defined scope and motive for completing this project.
- Insight into your current security operations capabilities.
- A prioritized list of security operations initiatives based on maturity level.
Info-Tech Insight
Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.
Warm-up exercise: Why build a security operations program?
Estimated time to completion: 30 minutes
Discussion: Why are we pursuing this project? What are the objectives for optimizing and developing sound security operations?
Stakeholders Required:
Resources Required:
Info-Tech Best Practice
Don’t develop a security operations program with the objective of zero incidents. This reliance on prevention results in over-engineered security solutions that cost more than the assets being protected.
Decentralizing the SOC: Security as a function
Before you begin, remember that no two security operation programs are the same. While the end goal may be similar, the threat landscape, risk tolerance, and organizational requirements will differ from any other SOC. Determine what your DNA looks like before you begin to protect it.
Security operations must provide several fundamental functions:
At its core, a security operations program is responsible for the prevention, detection, analysis, and response of security events.
Optimized security operations can seamlessly integrate threat and incident management processes with monitoring and compliance workflows and resources. This integration unlocks efficiency.
Understand the levels of security operations
Take the time to map out what you need and where you should go. Security operations has to be more than just monitoring events – there must be a structured program.
Foundational
Operational
Strategic
[Figure: the three levels of security operations (Foundational, Operational, Strategic) plotted against increasing Security Operations Capabilities]
Understand security operations: Establish a unified threat collaboration environment
Security operations is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address threats impacting the organization’s brand, operations, and technology infrastructure.
Info-Tech Best Practice
Ensure that information flows freely throughout the threat collaboration environment – each function should serve to feed and enhance the next.
Develop and Implement a Security Incident Management Program
The threat collaboration environment is comprised of three core elements
Info-Tech Insight
The value of a SOC can be achieved with fewer prerequisites than you think. While it is difficult to cut back on process and technology requirements, human capital is transferable between roles and functions and can be cross-trained to satisfy operational gaps.
People. Effective human capital is fundamental to establishing an efficient security operations program, and if enabled correctly, can be the driving factor behind successful process optimization. Ensure you address several critical human capital components:
Processes. Formal and informal mechanisms that bridge security throughout the collaboration environment and organization at large. Ask yourself:
Technology. The composition of all infrastructure, systems, controls, and tools that enable processes and people to operate and collaborate more efficiently. Determine:
Conduct a preliminary maturity assessment before tackling this project
At a high level, assess your organization’s operational maturity in each of the threat collaboration environment functions. Determine whether the foundational processes exist in order to mature and streamline your security operations.
Develop and Implement a Security Incident Management Program
Assess the current maturity of your security operations program
Prioritize the component most important to the development of your security operations program.
Each “security capability” covers a component of the overarching “security function.” Assign a current and target maturity score to each respective security capability. (Note: The CMMI maturity scores are further explained on the following slide.) Document any/all comments for future Info-Tech analyst discussions.
Assign each security capability a reflective and desired maturity score.
Your current and target state maturity will be determined using the capability maturity model integration (CMMI) scale. Ensure that all participants understand the 1-5 scale.

| Score | Level | Description |
| --- | --- | --- |
| 1 | Initial/Ad Hoc | Activity is not well defined and is ad hoc, e.g. no formal roles or responsibilities exist, de facto standards are followed on an individual-by-individual basis. |
| 2 | Developing | Activity is established and there is moderate adherence to its execution, e.g. while no formal policies have been documented, content management is occurring implicitly or on an individual-by-individual basis. |
| 3 | Defined | Activity is formally established, documented, repeatable, and integrated with other phases of the process, e.g. roles and responsibilities have been defined and documented in an accessible policy, however, metrics are not actively monitored and managed. |
| 4 | Managed and Measurable | Activity execution is tracked by gathering qualitative and quantitative feedback, e.g. metrics have been established to monitor the effectiveness of tier-1 SOC analysts. |
| 5 | Optimized | Qualitative and quantitative feedback is used to continually improve the execution of the activity, e.g. the organization is an industry leader in the respective field; research and development efforts are allocated in order to continuously explore more efficient methods of accomplishing the task at hand. |
Notes: Info-Tech seldom sees a client achieve a CMMI score of 4 or 5. To achieve a state of optimization there must be a subsequent trade-off elsewhere. As such, we recommend that organizations strive for a CMMI score of 3 or 4.
Ensure that your threat collaboration environment is of a sufficient maturity before progressing
Review the report cards for each of the respective threat collaboration environment functions.
Are you ready to move on to the next phase?
Self-Assessment Questions
- Have you clearly defined the rationale for refining your security operations program?
- Have you clearly defined and prioritized the goals and outcomes of optimizing your security operations program?
- Have you assessed your respective people, process, and technological capabilities?
- Have you completed the Security Operations Preliminary Maturity Assessment Tool?
- Were all threat collaboration environment functions of a sufficient maturity level?
Develop a Security Operations Strategy
PHASE 2
Develop Maturity Initiatives
1. Assess Operational Requirements | 2. Develop Maturity Initiatives | 3. Define Interdependencies
This step will walk you through the following activities:
- Establish your goals, obligations, scope, and boundaries.
- Assess your current state and define a target state.
- Develop and prioritize gap initiatives.
- Define cost, effort, alignment, and security benefit of each initiative.
- Develop a security strategy operational roadmap.
Outcomes of this step
- A formalized understanding of your business, customer, and regulatory obligations.
- A comprehensive current and target state assessment.
- A succinct and consolidated list of gap initiatives that will collectively achieve your target state.
- A formally documented set of estimated priority variables (cost, effort, business alignment).
- A fully prioritized security roadmap that is in alignment with business goals and informed by the organization’s needs and limitations.
Info-Tech Insight
Functional threat intelligence is a prerequisite for effective security operations – without it, security operations will be inefficient and redundant. Eliminate false positives by contextualizing threat data, aligning intelligence with business objectives, and building processes to satisfy those objectives.
Align your security operations program with corporate goals and obligations
A common challenge for security leaders is learning to express their initiatives in terms that are meaningful to business executives.
Frame the importance of your security operations program to
Oftentimes resourcing and funding is dependent on the
Corporate goals and objectives can be categorized into three major buckets:
Info-Tech Best Practice
Developing a security operations strategy is a proactive activity that enables you to get in front of any upcoming business projects or industry trends rather than having to respond reactively later on. Consider as many foreseeable variables as possible!
Determine your security operations program scope and boundaries
It is important to define all security-related areas of responsibility. Upon completion you should clearly understand what you are trying to secure.
Ask yourself:
The organizational scope and boundaries can be categorized into four major buckets:
This also includes what is not within scope. For some outsourced services or locations you may not be responsible for security. For some business departments you may not have control of security processes. Ensure that it is made explicit at the outset what will be included in and what will be excluded from security considerations.
Reference Info-Tech’s security strategy: goals, obligations, and scope activities
Explicitly understanding how security aligns with the core business mission is critical for having a strategic plan and fulfilling the role of business enabler.
Download and complete the information security goals, obligations, and scope activities (Section 1.3) within the Info-Tech security strategy research publication. If previously completed, take the time to review your results.
Goals & Obligations
Program Scope & Boundaries
If a well-defined corporate strategy does not exist, these questions can help pinpoint objectives:
INFO-TECH OPPORTUNITY
For more information on how to complete the goals & obligations activity please reference Section 1.3 of Info-Tech’s Build an Information Security Strategy blueprint.
Complete the Information Security Requirements Gathering Tool
On tab 1. Goals and Obligations:
On tab 2. Scope and Boundaries:
For the purpose of this security operations initiative, please IGNORE the risk tolerance activities on tab 3.
Info-Tech Best Practice
A common challenge for security leaders is expressing their initiatives in terms that are meaningful to business executives. This exercise helps make explicit the link between what the business cares about and what security is trying to do.
Conduct a comprehensive security operations maturity assessment
The following slides will walk you through the process below.
Define your current and target state
Self-assess your current security operations capabilities and determine your intended state.
Create your gap initiatives
Determine the operational processes that must be completed in order to achieve the target state.
Prioritize your initiatives
Define your prioritization criteria (cost, effort, alignment, security benefit) based on your organization.
Build a Gantt chart for your upcoming initiatives
The final output will be a Gantt chart to action your prioritized initiatives.
Info-Tech Insight
Progressive improvements provide the most value to IT and your organization. Leaping from pre-foundation to complete optimization is an ineffective goal. Systematic improvements to your security performance deliver value to your organization at each step along the way.
Optimize your security operations workflow
Info-Tech consulted various industry experts and consolidated their optimization advice.
- Dashboards: Centralized visibility, threat analytics, and orchestration enable faster threat detection with fewer resources.
- Adding more controls to a network never increases resiliency. Identify technological overlaps and eliminate unnecessary costs.
- Automation: There is a shortfall in human capital in contrast to the required tools and processes. Automate the more trivial processes.
- SOCs with 900 employees are just as efficient as those with 35-40. There is an evident tipping point in marginal value.
- There are no plug-and-play technological solutions – each is accompanied by a growing pain and an affiliated human capital cost.
- Planning: Narrow the scope of operations to focus on protecting assets of value.
- Cross-train employees throughout different silos. Enable them to wear multiple hats.
- Practice: None of the processes happen in a vacuum. Make the most of tabletop exercises and other training exercises.
- Define appropriate use cases and explicitly state the threat escalation protocol. Focus on automating the tier-1 analyst role.
Self-assess your current-state capabilities and determine the appropriate target state
1. Review: The heading in blue is the security domain, light blue is the subdomain, and white is the specific control.
2. Determine and Record: Ask participants to identify your organization’s current maturity level for each control. Next, determine a target maturity level that meets the requirements of the area (requirements should reflect the goals and obligations defined earlier).
3. In small groups, have participants answer “what is required to achieve the target state?” Not all current/target state gaps will require additional description, explanation, or an associated initiative. You can generate one initiative that may apply to multiple line items.
Info-Tech Best Practice
When customizing your gap initiatives consider your organizational requirements and scope while remaining realistic. Below is an example of lofty vs. realistic initiatives:
Lofty: Perform thorough, manual security analysis.
Realistic: Leverage our SIEM platform to perform more automated security analysis through the use of log information.
Consolidate related gap initiatives to simplify and streamline your roadmap
Identify areas of commonality between gap initiatives in order to effectively and efficiently implement your new initiatives.
Steps:
- After reviewing and documenting initiatives for each security control, begin sorting controls by commonality, where resources can be shared, or similar end goals and actions. Begin by copying all initiatives from tab 2. Current State Assessment into tab 5. Initiative List of the Security Operations Maturity Assessment Tool and then consolidating them.
- Review grouped initiatives and identify specific initiatives that should be broken out and defined separately.
- Record your consolidated gap initiatives in the Security Operations Maturity Assessment Tool, tab 6. Initiative Prioritization.
| Initiatives | Consolidated Initiatives | Note |
| --- | --- | --- |
| Document data classification and handling in AUP | Document data classification and handling in AUP | Keep urgent or exceptional initiatives separate so they can be addressed appropriately. |
| Document removable media in AUP | Define and document an Acceptable Use Policy | Other similar or related initiatives can be consolidated into one item. |
| Document BYOD and mobile devices in AUP | (consolidated into the Acceptable Use Policy initiative above) | |
| Document company assets in Acceptable Use Policy (AUP) | (consolidated into the Acceptable Use Policy initiative above) | |
Understand your organizational maturity gap
After inputting your current and target scores and defining your gap initiatives in tab 2, review tab 3. Current Maturity and tab 4. Maturity Gap in Info-Tech’s Security Operations Maturity Assessment Tool. Automatically built charts and tables provide a clear visualization of your current maturity. Presenting these figures to stakeholders and management helps draw attention to high-priority areas and contextualizes the gap initiatives for which you will be seeking support.
Info-Tech Best Practice
Communicate the value of future security projects to stakeholders by copying relevant charts and tables into an executive stakeholder communication presentation (ask an Info-Tech representative for further information).
Define cost, effort, alignment, and security benefit
Define low, medium, and high resource allocation, and the other variables for your gap initiatives, in the Security Operations Maturity Assessment Tool. These variables are cost, effort, alignment with business, and security benefit.
Info-Tech Best Practice
When defining these parameters, anchor them to thresholds that already exist in your organization. For example, if a dollar value would require you to seek approval for an expense, that value can mark the boundary between the medium and high cost categories.
Info-Tech Best Practice
Consider the value of AND/OR when writing the definitions. For alignment with business or security benefit, AND/OR thresholds let you rank initiatives of similar importance but different value. Example: for alignment with business, an initiative might indirectly support a key compliance requirement OR meet a key corporate goal.
Info-Tech Insight
You cannot do everything – and you probably wouldn’t want to. Make educated decisions about which projects are most important and why.
Apply your variable criteria to your initiatives
Identify easy-win tasks and high-value projects worth fighting for.
Categorize the Initiative: Select the gap initiative type from the drop-down list. Each category (Must, Should, Could, and Won’t) is considered an “execution wave.” There is also a specific order of operations within each wave: based on dependencies and order of importance, you will execute some “must-do” items before others.
Assign Criteria: For each gap initiative, evaluate it against the parameters you previously defined for each variable.
Overall Cost/Effort Rating: An automatically generated score between 0 and 12. The higher the score attached to an initiative, the more effort it requires. Must-do, low-scoring items are quick wins and should be prioritized first.
A financial services organization defined its target security state and created an execution plan
CASE STUDY
Industry: Financial Services | Source: Info-Tech Research Group
Framework Components
Security Domains & Accompanied Initiatives (a portion of completed domains and initiatives)
CSC began by creating over 100 gap initiatives across Info-Tech’s seven security domains.

| Current-State Assessment | Context & Leadership | Compliance, Audit & Review | Security Prevention |
| --- | --- | --- | --- |
| Gap Initiatives Created | 12 initiatives | 14 initiatives | 45 initiatives |

Gap Initiative Prioritization
CSC’s definitions of low, medium, and high for cost and staffing are specific to the organization.
CSC then consolidated its initiatives into fewer than 60 concise tasks.
*Initiatives and variables have been changed or modified to maintain anonymity.
Review your prioritized security roadmap
Review the final Gantt chart for the expected start and end dates of the security initiatives that make up your roadmap.
In the Gantt chart, go through each wave in sequence and determine the planned start date and planned duration for each gap initiative. As you populate the planned start dates, take into consideration the resource constraints and dependencies of each project. Go back and revise the granular execution wave to resolve any conflicts you find.
Review considerations
This is a living management document
Consult an Info-Tech Analyst
To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
Onsite workshops offer an easy way to accelerate your project. If a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to successfully complete your project.
Call 1-888-670-8889 or email workshops@infotech.com for more information.
Are you ready to move on to the next phase?
Self-Assessment Questions
- Have you identified your organization’s corporate goals along with your obligations?
- Have you defined the scope and boundaries of your security program?
- Have you determined your organization’s risk tolerance level?
- Have you considered threat types your organization may face?
- Are the above answers documented in the Security Requirements Gathering Tool?
- Have you defined your maturity for both your current and target state?
- Do you have clearly defined initiatives that would bridge the gap between your current and target state?
- Is each initiative independent, specific, and relevant to the associated control?
- Have you indicated any dependencies between your initiatives?
- Have you consolidated your gap initiatives?
- Have you defined the parameters for each of the prioritization variables (cost, effort, alignment, and security benefit)?
- Have you applied prioritization parameters to each consolidated initiative?
- Have you recorded your final prioritized roadmap in the Gantt chart tab?
- Have you reviewed your final Gantt chart to ensure it aligns to your security requirements?
Develop a Security Operations Strategy
PHASE 3
Define Operational Interdependencies
1. Assess Operational Requirements | 2. Develop Maturity Initiatives | 3. Define Interdependencies
This step will walk you through the following activities:
- Understand the current security operations process flow.
- Define the security operations stakeholders and their respective deliverables.
- Formalize an internal information sharing and collaboration plan.
Outcomes of this step
- A formalized security operations interaction agreement.
- A security operations service and product catalog.
- A structured operations collection plan.
Info-Tech Insight
If you are not communicating, you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.
Tie everything together with collaboration
Define Strategic Needs and Requirements | Participate in Information Sharing | Communicate Clearly
Info-Tech Best Practice
Simple collaborative activities, such as a biweekly meeting, can unite prevention, detection, analysis, and response teams to help prevent siloed decision making.
Understand the security operations process flow
Process standardization and automation are critical to the effectiveness of security operations.
Document your security operations’ capabilities and tasks
Document your security operations’ functional capabilities and the operational tasks that satisfy each capability. For each task or capability:
- Which resources will you leverage to complete it? Identify the internal and external collection sources that satisfy the individual requirement.
- Identify the affiliated product, service, or output generated from the task or capability.
- Determine your escalation protocol. Who are the stakeholders you will share this information with?
Capabilities: The major responsibilities of a specific function. These are the high-level processes expected to be completed by the affiliated employees and/or stakeholders.
Tasks: The specific and granular tasks that need to be completed in order to satisfy a portion of, or the entire, capability.
Download Info-Tech’s Security Operations RACI Chart & Program Plan.
Convert your results into actionable process flowcharts
Map each functional task or capability into a visual process-flow diagram.
Formalize the opportunities for collaboration within your security operations program
Security Operations Collaboration Plan
Security operations provides a single pane of glass through which the threat collaboration environment can manage its operations.
How to customize
The security operations interaction agreement identifies opportunities for optimization through collaboration and cross-training. The document is composed of several components:
Info-Tech Best Practice
Understand the operational cut-off points. While collaboration is encouraged, understand when the onus shifts to the rest of the threat collaboration environment.
Assign responsibilities for the threat management process
Security Operations RACI Chart & Program Plan
Formally documenting roles and responsibilities helps hold people accountable and creates awareness of everyone’s involvement in the various tasks.
How to customize
Download Info-Tech’s Security Operations RACI Chart & Program Plan.
Identify security operations consumers and their respective needs and requirements
Ensure your security operations program is constantly working toward satisfying a consumer need or requirement.
Internal Consumers | External Consumers
Note: Your organization might not be the final target, but it could be a primary path for attackers. If you exist as a third-party partner to another organization, your responsibility in your technology ecosystem extends beyond your own product or service offerings.
Info-Tech Best Practice
“In order to support a healthy constituency, network operations and security operations should be viewed as equal partners, rather than one subordinate to the other.” (Zimmerman, Mitre, “Ten Strategies of a World-Class Cybersecurity Operations Center”)
Define the stakeholders, their respective outputs, and the underlying need
Security Operations Program Service & Product Catalog
Create an informal security operations program service and product catalog. Work your way backwards: map each deliverable to the respective stakeholders and functions.
Action/Output: Document the key services and outputs produced by the security operations program. Remember to include any target-state outputs or services identified in the maturity assessment.
Frequency: Define the frequency at which each deliverable or service is produced or conducted. Use this activity to establish accountability within your threat collaboration environment.
Stakeholders/Function: Identify the stakeholders or groups affiliated with each output. Remember to include potential MSSPs.
Use this exercise as an opportunity to organize your security operations outputs and services.
Info-Tech Best Practice
Develop a central web/knowledge portal that is easily accessible throughout the threat collaboration environment.
Internal information sharing helps to focus operational efforts
Organizations must share information internally and through secure external information sharing and analysis centers (ISACs).
Ensure information is shared in a format that relates to the particular end user. Internal consumers fall into two categories:
- Strategic Users — Intelligence enables strategic stakeholders to better understand security trends, minimize risk, and make more educated and informed decisions. The strategic intelligence user often lacks technical security knowledge; bridge the communication gap between security and non-technical decision makers by clearly communicating the underlying value and benefits.
- Operational Users — Operational users integrate information and indicators directly into their daily operations and, as a result, have more in-depth knowledge of the technical terms. Reports help to identify escalated alerts that are part of a larger campaign, provide attribution and context to attacks, identify systems that have been compromised, block malicious URLs or malware signatures in firewalls, intrusion detection and prevention systems, and other gateway products, identify patches, reduce the number of incidents, and so on.
Collaboration includes the exchange of:
Collaboration can be achieved through:
Isolation prevents businesses from learning from each other’s mistakes and/or successes.
Define the routine of your security operations program in a detailed cadence schedule
Security Operations Program Cadence Schedule Template
Design your meetings around your security operations program’s outputs and capabilities
How to customize
Don’t operate in a silo. Formalize a cadence schedule to develop a state of accountability, share information across the organization, and discuss relevant trends. A detailed cadence schedule should include the following:
Info-Tech Best Practice
Schedule regular meetings composed of key members from different working groups to discuss concerns, share goals, and communicate operational processes pertaining to their specific roles.
Apply a strategic lens to your security operations program
Frame the importance of optimizing the security operations program to align with that of the decision makers’ overarching strategy.
Strategies
- Bridge the communication gap between security and non-technical decision makers. Communicate concisely in business-friendly terms.
- Quantify the ROI for the given project.
- Educate stakeholders – if stakeholders do not understand what a security operations program encompasses, it will be hard for them to champion the initiative.
- Communicate the implications, value, and benefits of a security operations program.
- Frame the opportunity as a competitive advantage, e.g. proactive security measures as a client acquisition strategy.
- Address the increasing prevalence of threat actors. Use objective data to demonstrate the impact, e.g. through case studies, recent media headlines, or statistics.
(Source: iSIGHT, “ Definitive Guide to Threat Intelligence”)
Info-Tech Best Practice
Refrain from using scare tactics such as fear, uncertainty, and doubt (FUD). While this may be a short-term solution, it limits the longevity of your operations as senior management is not truly invested in the initiative.
Example: Align your strategic needs with those of management.
Identify assets of value, current weak security measures, and potential adversaries. Demonstrate how an optimized security operations program can mitigate those threats.
Develop a comprehensive measurement program to evaluate the effectiveness of your security operations
There are three types of metrics pertaining to security operations:
1) Operations-focused: Operations-focused metrics are typically communicated through a centralized visualization such as a dashboard. These metrics guide operational efforts, identifying operational and control weak points while ensuring the appropriate actions are taken to fix them.
2) Business-focused: The evaluation of operational success from a business perspective.
3) Initiative-focused: The measurement of security operations project progress. These are frequently represented as time-, resource-, or cost-based metrics. Note: Remember to measure end-user feedback. Asking stakeholders about their current expectations via a formal survey is the most effective way to kick-start the continuous improvement process.
Info-Tech Best Practice
Operational metrics have limited value beyond security operations. When communicating to management, focus on metrics that are actionable from a business perspective.
Download Info-Tech’s Security Operations Metrics Summary Document.
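An added Python example of the kind of operations-focused metrics a SOC dashboard computes, run over a constructed set of alert records. It is not taken from Info-Tech’s Metrics Summary Document: the alert records, the use-case names, and the choice of metrics (time to triage, time to close, false-positive rate per use case, escalation rate) are assumptions chosen to show how a noisy detection use case surfaces as a control weak point.

```python
"""Operations-focused SOC metrics over a constructed alert sample.

Added example, not Info-Tech's Metrics Summary Document. The records,
use-case names and metric choices are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean
from typing import Dict, List

# Constructed alert records (not real data); timestamps are UTC ISO-8601.
ALERTS: List[Dict[str, object]] = [
    {"use_case": "brute_force_login", "detected": "2024-03-01T08:00:00",
     "triaged": "2024-03-01T08:10:00", "closed": "2024-03-01T10:00:00",
     "disposition": "true_positive", "escalated": True},
    {"use_case": "brute_force_login", "detected": "2024-03-01T09:00:00",
     "triaged": "2024-03-01T09:05:00", "closed": "2024-03-01T09:30:00",
     "disposition": "false_positive", "escalated": False},
    {"use_case": "brute_force_login", "detected": "2024-03-01T12:00:00",
     "triaged": "2024-03-01T12:30:00", "closed": "2024-03-01T14:00:00",
     "disposition": "true_positive", "escalated": True},
    {"use_case": "suspicious_powershell", "detected": "2024-03-01T08:30:00",
     "triaged": "2024-03-01T09:30:00", "closed": "2024-03-01T09:45:00",
     "disposition": "false_positive", "escalated": False},
    {"use_case": "suspicious_powershell", "detected": "2024-03-01T10:00:00",
     "triaged": "2024-03-01T10:20:00", "closed": "2024-03-01T10:40:00",
     "disposition": "false_positive", "escalated": False},
    {"use_case": "suspicious_powershell", "detected": "2024-03-01T11:00:00",
     "triaged": "2024-03-01T11:10:00", "closed": "2024-03-01T11:20:00",
     "disposition": "false_positive", "escalated": False},
    {"use_case": "suspicious_powershell", "detected": "2024-03-01T13:00:00",
     "triaged": "2024-03-01T13:15:00", "closed": "2024-03-01T16:00:00",
     "disposition": "true_positive", "escalated": True},
    {"use_case": "dlp_exfiltration", "detected": "2024-03-01T14:00:00",
     "triaged": "2024-03-01T14:05:00", "closed": "2024-03-01T15:00:00",
     "disposition": "true_positive", "escalated": True},
    {"use_case": "dlp_exfiltration", "detected": "2024-03-01T15:00:00",
     "triaged": "2024-03-01T15:10:00", "closed": "2024-03-01T17:00:00",
     "disposition": "true_positive", "escalated": True},
]


def _minutes(rec: Dict[str, object], start: str, end: str) -> float:
    """Elapsed minutes between two timestamp fields of one alert record."""
    t0 = datetime.fromisoformat(str(rec[start]))
    t1 = datetime.fromisoformat(str(rec[end]))
    return (t1 - t0).total_seconds() / 60


def mean_time_to_triage(alerts: List[Dict[str, object]]) -> float:
    """Mean minutes from detection until an analyst picks the alert up."""
    return mean(_minutes(a, "detected", "triaged") for a in alerts)


def mean_time_to_close(alerts: List[Dict[str, object]]) -> float:
    """Mean minutes from detection until the alert is closed."""
    return mean(_minutes(a, "detected", "closed") for a in alerts)


def false_positive_rate(alerts: List[Dict[str, object]]) -> Dict[str, float]:
    """Share of alerts per detection use case that were closed as false positives."""
    counts = defaultdict(lambda: [0, 0])  # use_case -> [false positives, total]
    for a in alerts:
        counts[a["use_case"]][1] += 1
        if a["disposition"] == "false_positive":
            counts[a["use_case"]][0] += 1
    return {uc: fp / total for uc, (fp, total) in counts.items()}


def noisy_use_cases(alerts: List[Dict[str, object]], threshold: float = 0.5,
                    min_alerts: int = 3) -> List[str]:
    """Use cases whose false-positive rate exceeds the threshold (with enough
    volume to judge): the control weak points to tune or automate first."""
    totals: Dict[str, int] = defaultdict(int)
    for a in alerts:
        totals[str(a["use_case"])] += 1
    return sorted(uc for uc, rate in false_positive_rate(alerts).items()
                  if rate > threshold and totals[uc] >= min_alerts)


def escalation_rate(alerts: List[Dict[str, object]]) -> float:
    """Share of alerts tier 1 escalated rather than closed on its own."""
    return sum(1 for a in alerts if a["escalated"]) / len(alerts)


def dashboard(alerts: List[Dict[str, object]]) -> Dict[str, object]:
    """The single-pane summary an operations dashboard would render."""
    return {
        "alerts": len(alerts),
        "mean_minutes_to_triage": round(mean_time_to_triage(alerts), 1),
        "mean_minutes_to_close": round(mean_time_to_close(alerts), 1),
        "escalation_rate": round(escalation_rate(alerts), 2),
        "false_positive_rate": {k: round(v, 2) for k, v in false_positive_rate(alerts).items()},
        "noisy_use_cases": noisy_use_cases(alerts),
    }


if __name__ == "__main__":
    for key, value in dashboard(ALERTS).items():
        print(f"{key}: {value}")
```

On this sample the suspicious_powershell use case closes as a false positive three times out of four, so it is reported as the noisy use case even though its alerts are triaged quickly; that is the operational signal to tune the rule or automate its tier-1 handling, while the management view would use the closing-time and escalation figures instead.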
Identify the triggers for continual improvement
Continual Improvement
- Audits: Check for performance requirements in order to pass major audits.
- Assessments: Variances in efficiency or effectiveness of metrics when compared to the industry standard.
- Process maturity: Opportunity to increase efficiency of services and processes.
- Management reviews: Routine reviews that reveal gaps.
- Technology advances: For example, new security architecture/controls have been released.
- Regulations: Compliance to new or changed regulations.
- New staff or technology: Disruptive technology or new skills that allow for improvement.
Conduct tabletop exercises with Info-Tech’s onsite workshop
Assess your security operations capabilities
Leverage Info-Tech’s Security Operations Tabletop Exercise to guide simulations that validate your operational procedures.
How to customize
This tabletop exercise is available through an onsite workshop, where we can help establish and design a tabletop capability for your organization.
Are you ready to implement your security operations program?
Self-Assessment Questions
- Is there a formalized security operations collaboration plan?
- Are all key stakeholders documented and acknowledged?
- Have you defined your strategic needs and requirements in a formalized collection plan?
- Is there an established channel for management to communicate needs and requirements to the security operations leaders?
- Are all program outputs documented and communicated?
- Is there an accessible, centralized portal or dashboard that actively aggregates and communicates key information?
- Is there a formalized threat escalation protocol in order to facilitate both internal and external information sharing?
- Does your organization actively participate in external information sharing through the use of ISACs?
- Does your organization actively produce reports, alerts, products, etc. that feed into and influence the output of other functions’ operations?
- Have you assigned program responsibilities in a detailed RACI chart?
- Is there a structured cadence schedule for key stakeholders to actively communicate and share information?
- Have you developed a structured measurement program on a per-function basis?
- Now that you have constructed your ideal security operations program strategy, revisit the question “Are you answering all of your objectives?”
Summary
Insights
Best Practices
Protect your organization with an interdependent and collaborative security operations program.
Bibliography
“2016 State of Cybersecurity in Small & Medium-Sized Businesses (SMB).” Ponemon Institute, June 2016. Web. 10 Nov. 2016.
Ahmad, Shakeel et al. “10 Tips to Improve Your Security Incident Readiness and Response.” RSA, n.d. Web. 12 Nov. 2016.
Anderson, Brandie. “Building, Maturing & Rocking a Security Operations Center.” Hewlett Packard, n.d. Web. 4 Nov. 2016.
Barnum, Sean. “Standardizing cyber threat intelligence information with the structured threat information expression.” STIX, n.d. Web. 03 Oct. 2016.
Bidou, Renaud. “Security Operation Center Concepts & Implementation.” IV2-Technologies, n.d. Web. 20 Nov. 2016.
Bradley, Susan. “Cyber threat intelligence summit.” SANS Institute InfoSec Reading Room, n.d. Web. 03 Oct. 2016.
“Building a Security Operations Center.” DEF CON Communications, Inc., 2015. Web. 14 Nov. 2016.
“Building a Successful Security Operations Center.” ArcSight, 2015. Web. 21 Nov. 2016.
“Building an Intelligence-Driven Security Operations Center.” RSA, June 2014. Web. 25 Nov. 2016.
Caltagirone, Sergio, Andrew Pendergast, and Christopher Betz. “Diamond Model of Intrusion Analysis.” Center for Cyber Threat Intelligence and Threat Research, 5 July 2013. Web. 25 Aug. 2016.
“Cisco 2017 Annual Cybersecurity Report: Chief Security Officers Reveal True Cost of Breaches and the Actions Organizations Are Taking.” The Network. Cisco, 31 Jan. 2017. Web. 11 Nov. 2017.
“CITP Training and Education.” Carnegie Mellon University, 2015. Web. 03 Oct. 2016.
“Creating and Maintaining a SOC.” Intel Security, n.d. Web. 14 Nov. 2016.
“Cyber Defense.” Mandiant, 2015. Web. 10 Nov. 2016.
“Cyber Security Operations Center (CSOC).” Northrop Grumman, 2014. Web. 14 Nov. 2016.
Danyliw, Roman. “Observations of Successful Cyber Security Operations.” Carnegie Mellon, 12 Dec. 2016. Web. 14 Dec. 2016.
“Designing and Building Security Operations Center.” SearchSecurity. TechTarget, Mar. 2016. Web. 14 Dec. 2016.
EY. “Managed SOC.” EY, 2015. Web. 14 Nov. 2016.
Fishbach, Nicholas. “How to Build and Run a Security Operations Center.” Securite.org, n.d. Web. 20 Nov. 2016.
“Framework for improving critical infrastructure cybersecurity.” National Institute of Standards and Technology, 12 Feb. 2014. Web.
Friedman, John, and Mark Bouchard. “Definitive Guide to Cyber Threat Intelligence.” iSIGHT, 2015. Web. 1 June 2015.
Goldfarb, Joshua. “The Security Operations Hierarchy of Needs.” Securityweek.com, 10 Sept. 2015. Web. 14 Dec. 2016.
“How Collaboration Can Optimize Security Operations.” Intel, n.d. Web. 2 Nov. 2016.
Hslatman. “Awesome threat intelligence.” GitHub, 16 Aug. 2016. Web. 03 Oct. 2016.
“Implementation Framework – Collection Management.” Carnegie Mellon University, 2015. Web.
“Implementation Framework – Cyber Threat Prioritization.” Carnegie Mellon University, 03 Oct. 2016. Web. 03 Oct. 2016.
“Intelligent Security Operations Center.” IBM, 25 Feb. 2015. Web. 15 Nov. 2016.
Joshi, Abhishek. “Best Practices for Security Operations Center.” LinkedIn, 01 Nov. 2015. Web. 14 Nov. 2016.
Joshi. “Best Practices for a Security Operations Center.” Cybrary, 18 Sept. 2015. Web. 14 Dec. 2016.
Kelley, Diana and Ron Moritz. “Best Practices for Building a Security Operations Center.” Information Security Today, 2006. Web. 10 Nov. 2016.
Killcrece, Georgia, Klaus-Peter Kossakowski, Robin Ruefle, and Mark Zajicek. ”Organizational Models for Computer Security Incident Response Teams (CSIRTs).” Carnegie Mellon Software Engineering Institute, Dec. 2003. Carnegie Mellon. Web. 10 Nov. 2016.
Kindervag, John. “SOC 2.0: Three Key Steps toward the Next-generation Security Operations Center.” SearchSecurity. TechTarget, Dec. 2010. Web. 14 Dec. 2016.
Kvochko, Elena. “Designing the Next Generation Cyber Security Operations Center.” Forbes Magazine, 14 Mar. 2016. Web. 14 Dec. 2016.
Lambert, P. “Security Operations Center: Not Just for Huge Enterprises.” TechRepublic, 31 Jan. 2013. Web. 10 Nov. 2016.
Lecky, M. and D. Millier. “Re-Thinking Security Operations.” SecTor Security Education Conference. Toronto, 2014.
Lee, Michael. “Three Elements That Every Advanced Security Operations Center Needs.” CSO | The Resource for Data Security Executives, n.d. Web. 16 Nov. 2016.
Linch, David and Jason Bergstrom. “Building a Culture of Continuous Improvement in an Age of Disruption.” Deloitte LLP, 2014.
Lynch, Steve. “Security Operations Center.” InfoSec Institute, 14 May 2015. Web. 14 Dec. 2016.
Macgregor, Rob. “Diamonds or chains – cyber security updates.” PwC, n.d. Web. 03 Oct. 2016.
“Make Your Security Operations Center (SOC) More Efficient.” Making Your Data Center Energy Efficient (2011): 213-48. Intel Security. Web. 20 Nov. 2016.
Makryllos, Gordon. “The Six Pillars of Security Operations.” CSO | The Resource for Data Security Executives, n.d. Web. 14 Nov. 2016.
Marchany, R. “Building a Security Operations Center.” Virginia Tech, 2015. Web. 8 Nov. 2016.
Marty, Raffael. “Dashboards in the Security Operations Center (SOC).” Security Bloggers Network, 15 Jan. 2016. Web. 14 Nov. 2016.
Minu, Adolphus. “Discovering the Value of Knowledge Portal.” IBM, n.d. Web. 1 Nov. 2016.
Muniz, J., G. McIntyre, and N. AlFardan. “Introduction to Security Operations and the SOC.” Security Operations Center: Building, Operating, and Maintaining your SOC. Cisco Press, 29 Oct. 2015. Web. 14 Nov. 2016.
Muniz, Joseph and Gary McIntyre. “Security Operations Center.” Cisco, Nov. 2015. Web. 14 Nov. 2016.
Muniz, Joseph. “5 Steps to Building and Operating an Effective Security Operations Center (SOC).” Cisco, 15 Dec. 2015. Web. 14 Dec. 2016.
Nathans, David. Designing and Building a Security Operations Center. Syngress, 2015. Print.
National Institute of Standards and Technology. “SP 800-61 Revision 2: Computer Security Incident Handling Guide.” 2012. Web.
National Institute of Standards and Technology. “SP 800-83 Revision 1.” 2013. Web.
National Institute of Standards and Technology. “SP 800-86: Guide to Integrating Forensic Techniques into Incident Response.” 2006. Web.
F5 Networks. “F5 Security Operations Center.” F5 Networks, 2014. Web. 10 Nov. 2016.
“Next Generation Security Operations Center.” DTS Solution, n.d. Web. 20 Nov. 2016.
“Optimizing Security Operations.” Intel, 2015. Web. 4 Nov. 2016.
Paganini, Pierluigi. “What Is a SOC (Security Operations Center)?” Security Affairs, 24 May 2016. Web. 14 Dec. 2016.
Ponemon Institute LLC. “Cyber Security Incident Response: Are we as prepared as we think?” Ponemon, 2014. Web.
Ponemon Institute LLC. “The Importance of Cyber Threat Intelligence to a Strong Security Posture.” Ponemon, Mar. 2015. Web. 17 Aug. 2016.
Poputa-Clean, Paul. “Automated defense – using threat intelligence to augment.” SANS Institute InfoSec Reading Room, 15 Jan. 2015. Web.
Quintagroup. “Knowledge Management Portal Solution.” Quintagroup, n.d. Web.
Rasche, G. “Guidelines for Planning an Integrated Security Operations Center.” EPRI, Dec. 2013. Web. 25 Nov. 2016.
Rehman, R. “What It Really Takes to Stand up a SOC.” Rafeeq Rehman – Personal Blog, 27 Aug. 2015. Web. 14 Dec. 2016.
Rothke, Ben. “Designing and Building Security Operations Center.” RSA Conference, 2015. Web. 14 Nov. 2016.
Ruks, Martyn and David Chismon. “Threat Intelligence: Collecting, Analysing, Evaluating.” MWR Infosecurity, 2015. Web. 24 Aug. 2016.
Sadamatsu, Takayoshi. “Practice within Fujitsu of Security Operations Center.” Fujitsu, July 2016. Web. 15 Nov. 2016.
Sanders, Chris. “Three Useful SOC Dashboards.” Chris Sanders, 24 Oct. 2016. Web. 14 Nov. 2016.
SANS Institute. “Incident Handler's Handbook.” 2011. Web.
Schilling, Jeff. “5 Pitfalls to Avoid When Running Your SOC.” Dark Reading, 18 Dec. 2014. Web. 14 Nov. 2016.
Schinagl, Stef, Keith Schoon, and Ronald Paans. “A Framework for Designing a Security Operations Centre (SOC).” 2015 48th Hawaii International Conference on System Sciences. Computer.org, 2015. Web. 20 Nov. 2016.
“Security – Next Gen SOC or SOF.” InfoSecAlways.com, 31 Dec. 2013. Web. 14 Nov. 2016.
“Security Operations Center Dashboard.” Enterprise Dashboard Digest, n.d. Web. 14 Dec. 2016.
“Security Operations Center Optimization Services.” AT&T, 2015. Web. 5 Nov. 2016.
“Security Operations Centers — Helping You Get Ahead of Cybercrime Contents.” EY, 2014. Web. 6 Nov. 2016.
Sheikh, Shah. “DTS Solution - Building a SOC (Security Operations Center).” LinkedIn, 4 May 2013. Web. 20 Nov. 2016.
Soto, Carlos. “Security Operations Center (SOC) 101.” Tom's IT Pro, 28 Oct. 2015. Web. 14 Dec. 2016.
“Standardizing and Automating Security Operations.” National Institute of Standards and Technology, 3 Sept. 2006. Web.
“Strategy Considerations for Building a Security Operations Center.” IBM, Dec. 2013. Web. 5 Nov. 2016.
“Summary of Key Findings.” Carnegie Mellon University, 03 Oct. 2016. Web. 03 Oct. 2016.
“Sustainable Security Operations.” Intel, 2016. Web. 20 Nov. 2016.
“The Cost of Malware Containment.” Ponemon Institute, Jan. 2015. Web.
“The Game Plan for Closing the SecOps Gap.” BMC. Forbes Magazine, Jan. 2016. Web. 10 Jan. 2017.
Veerappa Srinivas, Babu. “Security Operations Centre (SOC) in a Utility Organization.” GIAC, 17 Sept. 2014. Web. 5 Nov. 2016.
Wang, John. “Anatomy of a Security Operations Center.” NASA, 2015. Web. 2 Nov. 2016.
Weiss, Errol. “Statement for the Record.” House Financial Services Committee, 1 June 2012. Web. 12 Nov. 2016.
Wilson, Tim. “SOC 2.0: A Crystal-Ball Glimpse of the Next-Generation Security Operations Center.” Dark Reading, 22 Nov. 2010. Web. 10 Nov. 2016.
Zimmerman, Carson. “Ten Strategies of a World-Class Cybersecurity Operations Center.” Mitre, 2014. Web. 24 Aug. 2016.