
Is my SOC making any difference?

Information security breaches keep happening. Many of them we don't see, but those we do vary significantly in their apparent goals and the attack methodology - depending on the nature of the organisation and service being attacked. And how you react to them depends very much on your business priorities – whether your focus is on defending critical information assets, preventing financial crime or protecting reputation. So your risk depends very much on your business.

Despite this, cyber security is often perceived as a technology thing, oriented around boundaries, controls and monitoring that are essentially the same for everyone. How can you tailor your cyber security investment to the specific needs of your business and your risk appetite?

I believe this starts in the security operations centre (SOC), which for most is the heart of their cyber response capability. It means making sure you have the right threat intelligence, you are gathering the right event data, applying the right analytics, prioritising the right incidents and responding in the right way. Most importantly, your SOC team needs to have the right mindset and understanding of the business context. The threats that matter for an online payment processor will be very different from a nuclear power operator. Ultimately, if your security analysts don't understand the business they are trying to protect, they will be chasing the wrong threats and all the money you have spent on tools such as Security Information and Event Management (SIEM) will have been wasted.


The use of 'security scenarios' can really help to focus your SOC on the threats that matter to your business, help them recognise the serious incidents when they occur, and make sure they respond quickly and appropriately. When I'm with clients, I use three simple steps to define a set of security scenarios:

  1. What incidents have hit you in the past?
  2. What incidents have hit your peers and competitors?
  3. What else do you think could go wrong in the future?

By assessing the impact of these scenarios and the difficulty of detecting them, it is straightforward to prioritise them and determine where your SOC should focus to make the biggest difference to your business risk. You can then determine the event data and analytics you need to bring into your SOC, and the playbooks to triage and contain potential incidents. You can also make sure you are spending your money where it will deliver the best return, in terms of risk reduction.
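As an added illustration of the prioritisation step (not code from the original article), the script below scores each scenario by impact and detection difficulty, lists the event sources the SOC does not yet collect for each one, and ranks the missing feeds by how much scored risk onboarding each would unlock. The scenarios, scores and feed names are constructed for a hypothetical payment processor and are not drawn from any real client.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One security scenario from the three questions (past / peer / future)."""
    name: str
    origin: str                 # "past", "peer" or "future"
    impact: int                 # 1 (minor) .. 5 (existential for the business)
    detect_difficulty: int      # 1 (obvious today) .. 5 (near-invisible today)
    event_sources: frozenset    # log feeds the SOC needs to detect it


def priority(s: Scenario) -> int:
    """Higher = more business risk that the SOC is currently blind to."""
    return s.impact * s.detect_difficulty


def rank_scenarios(scenarios):
    """Scenarios ordered by priority, ties broken by impact then name."""
    return sorted(scenarios, key=lambda s: (-priority(s), -s.impact, s.name))


def coverage_gaps(scenarios, collected):
    """Map each scenario to the event sources the SOC does not yet collect."""
    gaps = {}
    for s in scenarios:
        missing = s.event_sources - collected
        if missing:
            gaps[s.name] = sorted(missing)
    return gaps


def feeds_by_risk_unlocked(scenarios, collected):
    """Missing feeds ranked by the total priority of the scenarios they unblock."""
    weight = {}
    for s in scenarios:
        for feed in s.event_sources - collected:
            weight[feed] = weight.get(feed, 0) + priority(s)
    return sorted(weight.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed register for a hypothetical payment processor (example values only).
REGISTER = [
    Scenario("Card data exfiltration via compromised web app", "past", 5, 4,
             frozenset({"waf", "db_audit", "egress_proxy"})),
    Scenario("Ransomware in office network (hit a peer)", "peer", 4, 2,
             frozenset({"edr", "ad_auth"})),
    Scenario("Insider abusing admin rights on settlement system", "future", 5, 5,
             frozenset({"db_audit", "pam"})),
    Scenario("Phishing of finance staff", "past", 2, 2,
             frozenset({"mail_gateway", "ad_auth"})),
]
COLLECTED = frozenset({"waf", "edr", "ad_auth", "mail_gateway"})  # feeds already in the SIEM
```

Running `feeds_by_risk_unlocked(REGISTER, COLLECTED)` on this register puts database audit logging first, because it is the one missing feed shared by the two highest-priority scenarios.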

This approach is already helping to protect one of the UK's most important defence businesses and has dramatically improved the effectiveness of their SOC. Could it help ensure your SOC is actually making a difference?
