

Remote SecOps

by John Collins  |  March 24, 2020  |  Submit a Comment

The current threat landscape has pushed us as a society to a place WAY outside our comfort zone. I’m not talking just about the cyber security threat landscape. It’s March 2020 and everyone knows what is going on outside our digital bubble. Organizations have been forced into work arrangements many managers don’t feel comfortable with, and it has thrust workers into the unknown of working from home while having to keep their house in check and do their job. For those of you in this new work from home setup who are concerned about noise in the background while on calls or video conferences, trust me, those of us who have been home desk jockeys for years are way over that sort of thing!  Most of us know our colleague’s dog’s name and can recognize the bark coming through the matrix.

This new normal, however temporary it may be, poses an interesting discussion for security operation teams. Historically, SOC personnel are considered essential and required to be onsite to do their job.  After all, cyber security is critically important to the business and their clients which makes it a top priority during budget decisions and hiring, right? 😉  Seriously though, protecting SOC personnel and their families during a global crisis is what security and risk management leaders do and concessions must be made to protect staff while still serving, and getting paid!

Now, imagine a security team working from their homes, anywhere in the world, around the clock and without the comforts of a windowless room littered with 50″ monitors no one looks at except during executive tours. What is this heresy I speak of? It’s 2020 and it is what all the cool kids are doing. Listen, the 1970s government intelligence agency idea of a SOC is over in most regards, and thankfully so, because the NSA corrupted my soul with lack of sunlight and exposure to operation centers kept at 50 degrees on 12 hour shifts. If you looked behind the curtains of some MSSP and MDR vendors, their threat hunters and many of their SOC personnel are working remotely around the planet, and in attire you would prefer not to see them in. Think about it: we have more availability of high bandwidth in urban and rural areas, multi-factor authentication methods, SaaS based tools, the cloud. Technology and infrastructure improvements have facilitated the ability to migrate to a new SecOps model, one that encourages and enables more remote operations. This is not a bad thing, for numerous reasons, such as:

  • Great perk for some staff
  • Attracting more SecOps candidates to fill vacancies
  • Reduced leased work space
  • Allows for targeting security talent in lower cost of living areas
  • Enhance BCP/DR when correctly architected
  • Provides opportunity for around the clock SecOps coverage without the need for shift work

Obviously there will still be a need for SecOps personnel to be onsite occasionally for internal meetings with business unit peers, incident response engagements (let’s hope less occasionally) and the company holiday party. There are also those individuals who just prefer to be in the office versus working at home, for whatever reason. I’ve found it best not to ask why and just avoid the awkward silence after they explain their reasons. Have 1:1 discussions with your SOC personnel and see what their preference is for work arrangements. If you find yourself in a position where talent is hard to find or very expensive in your region, remote SecOps is a viable solution to solve your problem.

Collaboration. You will need to ensure it is strong and highly available if you go the remote SecOps route. Organizations tend to leverage a tool like Slack, Mattermost, Discord (handy for simultaneous WoW raids and SecOps chat) and sometimes Microsoft Teams. Many threat detection and response and SOAR tools on the market offer out of the box integration with these collaboration tools to enhance the user experience. This makes complete sense if you think about the demographics and tendencies of SecOps analysts. A large portion of the Level 1-3 SecOps workforce are Millennials, with some younger Xennials (never heard of this) and older Gen Z mixed in. They are all known for their heavy use of technology. Maybe the problem isn’t so much a talent shortage but rather us not presenting the opportunities in a way that meets the expectations and standards of 2020.

Finally, as a SecOps leader you can still maintain control even if your little patch of ground hogs are not popping up randomly in their cubicle farm. Gartner has published research notes on how to maintain control of a remote work force to help guide leaders on this journey. These require a Gartner subscription with correct entitlements:


John Collins
Sr Director Analyst I
1 year at Gartner
15 years IT Industry

John Henry Collins is a Sr Director Analyst. His work focuses on MSSP, MDR, SOC Operations and Threat Intelligence. Mr. Collins created and ran client beta testing for the first security SaaS application at his employer. He also built and led the first-ever specialist security SaaS SE team at an MSSP company. Mr. Collins overhauled the security operation center for a DHS component organization. He has also worked as an incident response and on-premises security consultant, intrusion detection analyst, blue team vulnerability tester, signals intelligence collector and advanced signals analyst.
