How Banks Can Identify Gaps in Their SOC Teams’ Capabilities
Fanning recommends that banks bring in a third-party assessor to benchmark against a control set and measure their SOCs’ maturity in specific security areas. This can help the institution understand where it functions well and where it may need help. In some cases, the bank may be able to compare its benchmarks to those of industry peers who have opted in to confidentially share their own scores.
Penetration testing and red teaming are other important exercises for discovering weaknesses in an organization’s security posture.
“It’s real testing from an attacker’s perspective to understand if the controls and the assumptions you have are actually working,” says Fanning. “I really encourage staffing in-house pen testing and red teams while also bringing in external assessors for a neutral view into your organization.”
An in-house team should be doing routine pen testing to ensure the security strategy is working the way it should against new and existing threats. These teams should have their own objectives and goals throughout the entire fiscal year.
“They should have a defined area of their infrastructure that they plan to attack this month or this quarter,” adds Fanning.
He suggests that assessments from external experts should occur quarterly or biannually, which means that banks and SOC teams need to plan the budget and time for them. It’s important to schedule testing and assessments well in advance because these engagements can disrupt the organization in several ways.
“One, they could break something, and if that happens, you want to be prepared. You don’t want that to be a surprise,” says Fanning. “Two, they could find something incredibly critical requiring you to halt business operations to fix.”
When Should a Bank Reskill or Restructure Its SOC Team?
From a foundational level, banks should have core documentation, run books and repeatable processes for their security operations and response.
“When an alert fires, your SOC team should know that they’re going to follow these specific steps every single time,” Fanning explains. “If that doesn’t exist, then you know there are definitely some problems that might require reskilling or reprioritization.”
As SOCs trend more toward automation, Fanning says team members will need to be assessed for a new set of capabilities. For example, security operations engineers should have a level of fluency in automation and programming.
“Or if they can’t do the automation themselves, they should be able to recognize that a task needs to be automated,” he adds. “Not every SOC analyst recognizes that they might walk through the same repetitive manual steps and processes. They might not recognize the fact that they need to automate.”
He recommends that organizational leaders take a step back and dig into how much manual work SOC analysts are doing that’s creating churn for the team. That’s where they’ll find automation opportunities. “Lastly, ask yourself the question, do the people on the SOC team have the skill set to implement the automation that I see as outstanding?” says Fanning.