In today's interconnected and digitised world, organisations face significant challenges in protecting their digital assets from cyber threats. The worsening shortage of cyber talent, coupled with the speed and complexity of cyberattacks, demands a transformative approach to security operations.
Enter the concept of a Converged Security Operations Centre (SOC), which combines organisational know-how with expert cyber skills to monitor, detect, and respond to cyber breaches effectively. A Converged SOC helps organisations manage the competing demands of speed and value across a complex estate, and lets them draw on a strategic mix of managed services and internal talent to strengthen their cybersecurity posture.
The growing threat environment
Cyberattacks are becoming increasingly sophisticated, fast-paced, and relentless. Threat actors are employing ever more advanced techniques to breach defences, exploit vulnerabilities, and extract sensitive information. The threat they pose has become even more potent with the rise and wide availability of large language models (LLMs).
While these new AI tools undoubtedly have their benefits, their adoption by cyber criminals is creating new challenges for already overburdened cybersecurity teams. AI is now being used for everything from password cracking and the automation of intrusion attempts to deepfake creation, ransomware, payment gateway fraud, business email compromise and much more.
Acute talent shortage
Organisations are also facing difficulties when it comes to staffing their cybersecurity teams. The demand for skilled cybersecurity professionals far exceeds the available supply, making it challenging to hire and retain qualified individuals. According to the World Economic Forum Future of Jobs 2023 report, cybersecurity is among the most in-demand skills at present, and there is a shortage of 3.4 million cybersecurity experts to support the needs of the global economy¹.
That talent gap creates vulnerabilities and delays in incident response, leaving organisations exposed to potential breaches. It is also driving organisations to outsource more of the labour-intensive cybersecurity operations. Organisations need to ensure that scarce IT and cyber talent is not tied up in low-level, demotivating, mundane tasks and is focused instead on threat response and delivering value-adding insights.
Vastly increased complexity
Adding to the challenge is the increasingly complex environments in which modern organisations operate. Modern enterprises rely on multiple third-party providers to deliver key services, and this creates its own security issues.
It would not be unusual to find a large organisation having its desktop estate managed by one vendor and its servers by another, while both are maintained at the infrastructure layer by a third vendor. And then you might find that the incident response capabilities across that infrastructure are managed by yet another team, which could be internal, external, or a hybrid of both.
The complexity doesn’t end there. Large organisations will also have enterprise resource planning, payroll and HR, and finance systems which may be managed by multiple different vendors who also provide security capability.
And that is before you start to look at an organisation's physical estate. It is highly likely that multiple vendors will also be responsible for building services such as energy management systems, fire and intruder alarms, heating and ventilation and so on. The software that runs these systems also represents a point of vulnerability for organisations. Indeed, one of the most damaging breaches in the US retail sector, the 2013 Target breach, began with network credentials stolen from the retailer's heating and air-conditioning contractor.
The question for many organisations is: who is looking after security on these systems? If it is the vendors' responsibility, how is that integrated into the organisation's overall cyber security framework?
Rather than having a single cybersecurity vendor offering a Security Operations Centre (SOC) service, organisations might have eight or more vendors supporting technology infrastructure and applications and a variety of other assets and services.
So how does a vast, broad and complex organisation, with a large number of existing security contracts accumulated through organic growth or acquisitions, ensure that if a cyber incident takes place it can respond properly? How does it ensure that the multitude of contracts and services procured by different functions can be combined into a unified incident response capability? That is where the concept of the Converged SOC comes in.
Converged SOC: A 360-degree view
A Converged SOC does not seek to replace or replicate these disparate vendors and services. Instead, it provides an oversight layer which enables a proactive and comprehensive approach to cybersecurity. It empowers organisations to take greater control of their cyber defences and enables more rapid and coordinated responses to threats and breaches, thereby increasing cyber resilience.
In the classic SOC model, the vendor provides an all-or-nothing service with very limited options for customisation. Indeed, any attempt at true customisation tends to be financially prohibitive, and any attempt to get a single SOC provider to deliver all of the threat monitoring and response services a complex organisation requires is unlikely to succeed.
What is required is a model that converges oversight of all the SOC and other security services, whether provided internally or by external vendors, into a single entity. A practical first step towards a Converged SOC is to evaluate your current operational procedures in the context of this unified Security Operations Centre. The composition of the team, whether insourced, outsourced or co-sourced, should be tailored to the organisation's threat profile and exposure.
It has one single purpose, “unified end-to-end cyber response, at speed.”
Its core function is to ensure that the organisation is prepared for any cyber incident, wherever it occurs: in IT or OT, or indeed in a third or even fourth party where data is stored or applications are run.
In the conventional model, incident response tends to be handled within separate, siloed areas of the organisation. However, there is no guarantee that an incident will stay contained; it may spread rapidly, or it may be one of several simultaneous attacks across the organisation. The perpetrators might be attempting to access the building management system, but there may also be attack vectors into desktops and network ports at the same time.
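The point above, that an attack on the building management system and an attack on desktops may be the same campaign, is exactly what siloed vendor feeds hide. The following added example (not code from the original article or any vendor it describes) shows the minimal correlation step a converged oversight layer performs: alerts that arrive, already normalised, from separate providers are joined on shared pivots (source address or asset) within a time window, and an incident that spans more than one domain or vendor is flagged for a unified response. The vendor names, alert records, field names and the 60-minute window are all constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample alerts, as a converged SOC might receive them after
# normalisation from four separate providers: a building-management-system
# monitor (OT), a desktop MSP and a network detection vendor (IT), and a
# SaaS payroll provider (third party). Addresses are documentation ranges.
SAMPLE_ALERTS = [
    {"vendor": "bms-vendor",   "domain": "OT",          "ts": "2024-05-01T09:00:00",
     "asset": "hvac-controller-3", "src_ip": "203.0.113.7",
     "summary": "Repeated failed admin logins to BMS web console"},
    {"vendor": "desktop-msp",  "domain": "IT",          "ts": "2024-05-01T09:12:00",
     "asset": "wks-1042",          "src_ip": "203.0.113.7",
     "summary": "RDP brute force from external address"},
    {"vendor": "network-ndr",  "domain": "IT",          "ts": "2024-05-01T09:20:00",
     "asset": "edge-fw-1",         "src_ip": "203.0.113.7",
     "summary": "Port scan against DMZ hosts"},
    {"vendor": "desktop-msp",  "domain": "IT",          "ts": "2024-05-01T16:00:00",
     "asset": "wks-2001",          "src_ip": "192.0.2.50",
     "summary": "Unsigned Office macro executed"},
    {"vendor": "payroll-saas", "domain": "THIRD_PARTY", "ts": "2024-05-02T14:00:00",
     "asset": "payroll-tenant",    "src_ip": "198.51.100.9",
     "summary": "Impossible-travel login to payroll portal"},
]

# Assumed correlation window: alerts sharing a pivot within this interval
# are treated as one incident.
WINDOW = timedelta(minutes=60)


def pivot_keys(alert):
    """Attributes on which alerts from different vendors can be joined."""
    return {("src_ip", alert["src_ip"]), ("asset", alert["asset"])}


def correlate(alerts, window=WINDOW):
    """Group alerts from any vendor into incidents by shared pivot keys.

    Alerts are processed in time order. An alert joins every open incident
    whose keys overlap its own and whose last activity is within the window;
    if it joins more than one, those incidents are merged, so two silos that
    were tracking the same attacker end up as a single incident.
    """
    incidents = []
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        ts = datetime.fromisoformat(alert["ts"])
        keys = pivot_keys(alert)
        matches = [inc for inc in incidents
                   if keys & inc["keys"] and ts - inc["last_seen"] <= window]
        if not matches:
            incidents.append({"alerts": [alert], "keys": set(keys),
                              "domains": {alert["domain"]},
                              "vendors": {alert["vendor"]},
                              "first_seen": ts, "last_seen": ts})
            continue
        merged = matches[0]
        for other in matches[1:]:  # fold any further matches into the first
            merged["alerts"].extend(other["alerts"])
            merged["keys"] |= other["keys"]
            merged["domains"] |= other["domains"]
            merged["vendors"] |= other["vendors"]
            merged["first_seen"] = min(merged["first_seen"], other["first_seen"])
            incidents.remove(other)
        merged["alerts"].append(alert)
        merged["keys"] |= keys
        merged["domains"].add(alert["domain"])
        merged["vendors"].add(alert["vendor"])
        merged["last_seen"] = max(merged["last_seen"], ts)
    return incidents


def needs_converged_response(incident):
    """True when no single vendor or silo can own the whole incident."""
    return len(incident["vendors"]) > 1 or len(incident["domains"]) > 1


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        flag = "CONVERGED" if needs_converged_response(inc) else "single-silo"
        print(f"{flag}: {len(inc['alerts'])} alert(s), domains={sorted(inc['domains'])}, "
              f"vendors={sorted(inc['vendors'])}")
        for a in inc["alerts"]:
            print(f"    {a['ts']} [{a['vendor']}] {a['summary']}")
```

Run on the constructed feed, the three morning alerts from the BMS vendor, the desktop MSP and the network vendor collapse into one incident spanning OT and IT, which is the case the siloed model would have handled as three unrelated tickets; the afternoon macro alert and the next day's payroll login remain separate single-silo incidents. In practice the pivot keys would extend to user identities, file hashes and vendor ticket references, and the window would be tuned per domain, but the oversight function is the same: joining what the individual contracts keep apart.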