How Positive SecOps Experiences Create Safer Organizations
Improving SecOps experience can be the key to boosting productivity and retention
By: Stacy Leidwinger, VP of Portfolio Marketing
Apple and Amazon dominate the retail space because they deliver competitively superior customer experiences. That’s because, when it comes down to it, customers don’t just buy a product or service. They also buy their subjective experience of that product or service.
Experience is such a powerful phenomenon that business experts also talk about the “employee experience.” Low-quality employee experience results in reduced engagement, low productivity, and high churn, while high-quality employee experience results in higher engagement, greater productivity, and lower churn.
Experience is also a success predictor in cybersecurity. This is true whether your technical staff includes in-house SecOps or IT people who interface with outsourced SecOps: If your technical staff have problematic SecOps experiences, their performance will suffer. Because of this, your organization may experience more turnover — a real problem in a market already experiencing skills scarcity — and ultimately less overall safety.
But if you consistently deliver positive SecOps experiences, on the other hand, you’ll make your organization materially safer and reduce your turnover pain.
A significantly improved SecOps experience is thus a game-changer when it comes to your success as a cybersecurity leader. But what exactly constitutes a game-changing SecOps experience?
Experience factor #1: False positives
The most significant negative factor in any organization’s SecOps experience is the false positive. False positives comprise a far-too-large part of the alert-response work most organizations perform today. That’s a problem because it undermines your staff’s ability to quickly respond to genuine threats.
It doesn’t matter whether those false positives are generated by your own in-house SecOps team, or by a managed security services provider. False positives create tons of unnecessary work and induce alert fatigue — something no security leader wants their staff spending time managing.
It’s wise to factor in false positives when you’re making a buying decision. If an MDR partner costs 20% more than its closest competitor but generates 30% fewer false positives, the higher price can be the better buy, provided the lower alert count comes from better triage rather than from missing real threats. The saving is analyst time, and that time goes back into investigating genuine threats: working smarter, not harder.
The cheap smoke detector that goes off at 3:00 AM for no reason saves you money on the day you buy it and costs you every night after. The same logic applies to false positives in your security environment.
Experience factor #2: Support
Another key factor that determines the quality of your team’s SecOps experience — whether in-house or coming from a service provider — is support.
Today’s attacks are complex, and so are the alerts they generate. Gone are the days when you could count on a single alert from an endpoint to clue you in on a specific threat. Instead, today’s threat actors typically leave relatively subtle “breadcrumbs” in all kinds of places: endpoints, networks, cloud services, administrative activity inside an application, and more. In other words, today’s threats have moved beyond the endpoint, and many of them leave no endpoint indicators at all.
Few organizations possess the cybersecurity expertise to understand exactly what these dispersed alerts signify. Even fewer know the critical first steps to neutralize a threat once it’s identified. That’s why fast access to real cybersecurity expertise is essential.
Unfortunately, equally few security solution providers deliver on both halves of the support equation: speed and expertise. This is true whether they sell you their solution as software, as a service, or as some combination of the two. In many cases, your people get stuck talking to a first-level support tech who isn’t much help. In other cases, they can talk to an expert but must wait too long to do so. And in some cases, your people wait a long time to talk to someone, and that person winds up being of little help.
That’s why immediate access to authentic security expertise is central to your staff’s SecOps experience — and, by extension, to your ability to keep your organization safe. Alerts alone are not enough. Accurate alerting with minimal false positives is also insufficient. Your end-to-end detection and response experience, whether XDR or MDR, must include genuine real-world expertise on demand.
Experience factor #3: Results
Most people don’t often think of results as experience. But that’s what the end of an experience is: a result.
In the case of security, that result is important for two reasons. The first reason is that you want a positive result. You want to deal with the threat that caused the alert (or set of alerts) effectively and quickly. Speed is especially important, because threat risk is directly related to the length of time a threat actor can move around your environment undetected and undisturbed.
The second reason is also important: the result of a threat investigation and response is not just an end in itself. It’s also the means to getting the feedback moment that starts another cycle in the experiential loop.
Every result should serve one of two purposes. The result may be a learning experience that helps both your internal team and your external vendor-partners to continuously improve your collaborative efficacy. The result might also be positive reinforcement that provides empirical evidence to show that you’re becoming a more secure organization.
If you’re not consistently getting the results you seek, or if your results are not consistently providing the experiential feedback you need to achieve continuous SecOps improvement, then you’re not getting the full potential economic value out of your SecOps spend.
SecOps decision-makers who consider the full picture beyond simply avoiding the latest attack understand the criticality of continuous improvement via optimized experience. And ultimately, they are better postured for defense in the long run, because eventually a smarter threat actor may show up and defeat the “good enough” XDR.
At Secureworks®, we can’t unknow what we’ve learned from thousands of engagements with organizations just like yours. Investments in a superior SecOps experience can pay off in lower risk, greater operational efficiency, and less turnover pain. The “bottom line” will always matter. But the real bottom line is this: choose a SecOps vendor that will turn your investments into net gains in the long term.
Download Modernize Your Security Operation Center with XDR e-book today to learn key growth trends SOCs are seeing and how XDR supports the needs of SOCs looking to swiftly modernize and mature.