Collaboration is a Hallmark of Successful Security Teams
The COVID-19 pandemic has changed forever how we work. Nearly three quarters (72%) of global knowledge workers prefer to continue working in a hybrid remote-office model moving forward, with only 12% wanting to return to the office full time and the remaining 16% wanting to work from home exclusively. Despite some rocky transitions and glitches, most organizations managed to make the switch surprisingly quickly and maintain, if not improve, productivity levels.
As we shift our mindsets and embrace a distributed workforce, we also have to rethink how to collaborate effectively. Security Operations Center (SOC) analysts and Incident Response (IR) team members can’t lean across the desk to compare data and analysis or walk down the hall to check in with a threat intel analyst. And managers of security teams can’t tap an analyst on the shoulder to assign them a task or get an update on an investigation.
Collaboration is a hallmark of successful security teams. But knowledge sharing and coordination have always presented challenges amidst the chaotic environment of security operations and investigations. Now every team needs a way to enable remote collaboration – a virtual cybersecurity situation room, if you will, that fuses together threat data, evidence and users. In this single shared environment, external threat data is augmented and enriched with internal data for context and scored for prioritization. Security analysts can access the intelligence they need to do their jobs as part of their workflow and can actively share learnings to deepen their understanding of threats and campaigns. As new data and learnings are added to the platform, intelligence is automatically reevaluated and reprioritized, allowing teams to continue to focus on high-risk threats. Rather than conducting investigations independently and in parallel, which can lead to dead ends or key information falling through the cracks, analysts can communicate directly with each other. They can automatically see the work of others, understand how it affects and can benefit their own work, and quickly divvy up tasks to accelerate detection and response. Managers of all the security teams can see the analysis unfolding, which allows them to act when and how they need to, coordinating tasks between teams and monitoring timelines and results.
As security teams have navigated swiftly changing waters over the past several months, we’ve also seen an increase in collaboration with other parts of the organization and with external parties. The SANS 2021 Cyber Threat Intelligence Survey found that more groups are getting involved in defining intelligence requirements – executives and business units outside of cybersecurity, such as legal and compliance. This level of collaboration helps ensure that security teams are bringing in the right external data from sources they may not have considered before because they did not know they were relevant. It also signals that the industry is maturing, a trend probably accelerated during the pandemic by a surge in threats and by increased awareness among company leaders and their interest in gaining a better understanding of risk and how to mitigate it.
Another interesting survey finding is an increase in participation in Information Sharing and Analysis Centers (ISACs) to nearly 50%, with more value being derived this year from three specific areas: advocacy in the community for security, member meetups and events, and trainings and conferences. This may seem ironic given the travel and meeting restrictions imposed since March of 2020, but it points to an unintended consequence and to why online events should continue to some degree as we move beyond the pandemic. Virtual meetings and events are easier and less costly for people to attend, so more learning, collaboration and information exchange is possible. Industry-specific threat intelligence brought into the platform, focused on the attacks and vulnerabilities specific to your industry, is much more relevant than generic data that includes threats targeting sectors you are not in.
The pandemic has changed many aspects of how we work. The changes that have been detrimental we will shed. But we have also seen changes that have been beneficial and that have been on our roadmap for years, like better security operations collaboration. This is a positive impact of the pandemic – security team members and teams working better together, as well as more closely with other departments across the organization and with industry sharing groups. This is a change we must embrace to strengthen security in a more distributed world.