The State of the SOC in 2020
The New CISO - A podcast by Steve Moore - Thursday
The American vs. European View on Insurance

In first reviewing the report, we were struck by how Europe leads the rest of the globe in using insurance to manage risk compared to the US. While the adoption rate of insurance is slowly growing in American companies, their European counterparts are ahead. This could be because European teams have a better understanding of how to use certain types of insurance, or because the European insurance markets and carriers currently address cybersecurity risks better than those in the US. Alternatively, the difference may come down not to capabilities but to viewpoints on insurance. As Steve states, the American perspective is that insurance does not take the place of security programs. Perhaps this idea differs across the ocean.

Who Leads in What Areas

In studying the US, UK, Germany, Canada, and Australia, we mull over why certain countries dominate in various areas. In terms of possessing insurance itself and working with their privacy departments, Germany takes the lead—and significantly. Germany’s possession rate surpasses Australia’s by around 20%. For outsourcing, the UK and Germany dwarf the US. However, this piece of data may speak to another shifting trend—that more US companies are embracing outsourced security. We discuss why in the US in particular we see that reach for autonomy in operations, even if it’s not the most beneficial system.

Overconfidence?

High percentages across the board show that many employers and employees feel fully confident in their ability to detect a threat. Is this a positive reflection on the industry, or is it overconfidence? Does this perhaps relate to testing—adequate or not? We discuss what goes into confidence itself and the discrepancies between the perspective of the managers and that of the frontline workers.

Attracting and Retaining Talent

The difficulty with staffing can heavily influence the effectiveness of the team. Being understaffed, significantly understaffed, or lacking staff with the right skills cropped up as a relatively common issue in many teams. We debate what causes the difficulty of identifying talent and question whether it is connected to the absence of hiring standards. Low hiring standards may present as the obvious problem, but extremely high and inaccessible standards generate equal issues. They can lead to a small pool of job candidates—one from which the best person for the work has already been cut due to innocuous details. On top of initial staffing is the idea of retaining top talent. The data revealed huge discrepancies between how leaders think they can retain talent and what skilled employees seek. While many managers believe the key is good pay, workers point to issues such as eliminating the mundane, poor leadership, or lack of communication. We also draw in additional points: how managers need to know their analysts by name, understand their areas of stress, and respect them as simply human beings.

The Undefined Career Path

Another major inconsistency the report highlights is the definition of a career path for workers. In fact, when asked about one’s career trajectory, only 15% of employers valued it, while 64% of employees did. This is the biggest discrepancy in the report. A conversation needs to start to address this misunderstanding. Perhaps many CISOs don’t understand what SOCs do, or only think they do. Many employees want mentorship and guidance. If you invest in your frontline workers, they will better invest themselves in their work and in you. Unfortunately, mentorship in leaders is not always measured or rewarded—but maybe it should be? How do you measure your program? The report also brought to light how each...