Giving a SOC Direction with a Target Operating Model

by John Collins  |  February 4, 2020

My first research note at Gartner focused on the SOC target operating model (SOCTOM). Create an SOC Target Operating Model to Drive Success provides high-level guidance to security and risk management (SRM) leaders. It stresses the importance of understanding the current operating model (COM) and of defining where the SOC should be with a target operating model (TOM).

Our conversations with organizations about SOC efficiency, whether the SOC is new or established, often uncover the same issues, and those issues span verticals and geographies. The main ones are failures to communicate and a lack of understanding of the relevant threats.

Some core guidance from the note:

“Communicating and aligning with business leaders, organizational peers, compliance requirements and partners will enable SRM leaders to reduce friction and increase operational effectiveness earlier in the SOC development cycle.”

“Understanding business needs is not the end of this collaboration with C-suite leadership. The leadership team must interpret the ongoing value the SOC is providing to the business. The CISO role is often the designated liaison between the security program and the executive leadership team, but who communicates is irrelevant. The data communicated is critical, and how it is communicated is even more vital to SOC reputation and validation. This is not just an SOC issue, but an overall security program problem that Gartner has addressed in numerous research undertakings to assist SRM leaders.”

“SRM leaders should leverage a formal framework to identify threats, such as ISO 27005:2018, CBEST Threat Modelling or Mitre Threat Susceptibility Analysis. Regardless of the threat-modeling framework or method used, the goal is to answer the question, “What threats is the organization up against?” Measuring threats to understand their nature has a direct impact on the invest components (e.g., people, processes and tools).”

I created a quick reference graphic, accompanied in the research note by a detailed description of each cell in the matrix, to help SRM leaders start a SOCTOM. The Align, Invest and Measure components and their subcomponents all have a direct impact on each other. For example, if you do not understand YOUR relevant threat landscape, you are likely to miss the right investments and to misalign with the business.

Several components of a SOCTOM are covered by other Gartner research. The purpose of my note was not to provide detailed guidance on each part, but rather to get SRM leaders thinking about current and future state and to draw on the collective research we have.


Tags: secops  soc  soctom  

John Collins
Sr Director Analyst I
1 year at Gartner
15 years IT Industry

John Henry Collins is a Sr Director Analyst. His work focuses on MSSP, MDR, SOC Operations and Threat Intelligence. Mr. Collins created and ran client beta testing for the first security SaaS application at his employer. He also built and led the first-ever specialist security SaaS SE team at an MSSP company. Mr. Collins overhauled the security operations center for a DHS component organization. He has also worked as an incident response and on-premises security consultant, intrusion detection analyst, blue team vulnerability tester, signals intelligence collector and advanced signals analyst.