Giving a SOC Direction with a Target Operating Model

My first research note at Gartner focused on SOC target operating model, or SOCTOM.  Create an SOC Target Operating Model to Drive Success provides high level guidance to security and risk management (SRM) leaders. It drives the importance of understanding the current operating model (COM) and defining where they want to be with a target operating model (TOM).

Our conversations with organizations about SOC efficiency, whether it’s a new SOC or an established one, often uncovers the same issues that spans verticals and geography.  The main issues being failures to communicate and lack of understanding relevant threats.

Some core guidance from the note:

“Communicating and aligning with business leaders, organizational peers, compliance requirements and partners will enable SRM leaders to reduce friction and increase operational effectiveness earlier in the SOC development cycle.”

“Understanding business needs is not the end of this collaboration with C-suite leadership. The leadership team must interpret the ongoing value the SOC is providing to the business. The CISO role is often the designated liaison between the security program and the executive leadership team, but who communicates is irrelevant. The data communicated is critical, and how it is communicated is even more vital to SOC reputation and validation. This is not just an SOC issue, but an overall security program problem that Gartner has addressed in numerous research undertakings to assist SRM leaders.”

“SRM leaders should leverage a formal framework to identify threats, such as ISO 27005:2018, CBEST Threat Modelling or Mitre Threat Susceptibility Analysis. Regardless of the threat-modeling framework or method used, the goal is to answer the question, “What threats is the organization up against?” Measuring threats to understand their nature has a direct impact on the invest components (e.g., people, processes and tools).”

I created a quick reference graphic that is accompanied by a detailed description in the research note for each cell in this matrix to assist SRM leaders with starting a SOCTOM. The Align, Invest and Measure components and their sub components all have a direct impact on each other.  For example, if you don’t understand YOUR relevant threat landscape, you are likely to miss on the right investments and alignment with the business.

There are several components of a SOCTOM that are covered by various Gartner research and the purpose of my note was not provide detailed guidance on each part, but rather to get SRM leaders thinking about current and future state and leverage the collective research we have.