Put ROCs before SOCs, Qualys tells public sector
The security operations centrehas served public sector cyber teams well over the years but is fundamentally a reactive tool and now needs to be superseded by something else in order to address not just alerts about in-progress security events but the underlying risks that lead to them, all in the service of ‘doing’ cyber more efficiently and, crucially, cheaper.
This is the view of Qualys CEO Sumedh Thakar, who, speaking at an event for federal government IT leaders hosted in the Washington DC suburbs at the end of May, defined the new-generation SOC as a ROC, where the letter R stands for risk.
Thakar said that things needed to change in the cyber security world. “Continuing in the way that we have where we would scan every week or two and those scans were dumped somewhere on a hard drive somewhere and then someone goes and triages those manually and then you try to fix everything that comes your way – that approach is not really a success,” he said. “Continuing that approach is just not in the future.”
He urged CISOs to stop putting so much effort into attack surface management and refocus on risk surface management, where risk management is defined as the mitigation of risk – or transfer of it to someone else – for the most plausible losses that could affect the organisation.
It is not possible to get risk down to zero, so it is important to figure out how to address the most plausible factors and address those instead.
For a company the most plausible loss will likely be a dollar revenue or profit figure. However, public sector organisations have it tough because they have a very different perspective on what ‘loss’ looks like beyond the financial cost.
For example, they could and should be more worried about the safety of the general public or frontline personnel, national security, critical infrastructure security, economic stability, or public health, said Thakar, referencing attacks such as the infamous Colonial Pipeline incident, which paralysed petrol stations across a swathe of the US in 2022.
“For most agencies it is really about aligning factors to what is the potential disruption to the mission, to the programme, that currently is important,” he said.
Translating this into action for public sector buyers – wherever they may be located – Jonathan Trull, CISO and senior vice president of security solution architecture, and Mayuresh Ektare, vice president of product management at Qualys, said they wanted to help public sector CISOs make the most of the limited resources they have available to them in the face of a mountain of security data
“Our larger customers are having to deal with not a million findings, but hundreds of millions of findings on a daily basis. It is not humanly possible to go and patch or mitigate them all. This is where the concept of a risk operation centre is absolutely needed,” said Ektare.
“You’ve got a limited number of resources at your disposal – how do you point them in the right direction so that you can actually reduce the risk that matters to your agencies the most.”
Ektare described running an ROC as being a “peacetime” activity for defenders, comparing it to an SOC which is more akin to a wartime situation room.
Trull, who spent 12 years working in cyber roles for the state of Colorado, rising to the post of CISO, said: “If this was a capability I’d have had back in the day … an ability to continuously aggregatenormalise, whatever standard they were using, because we didn’t dictate – it was very much you decide what tooling you want and you use that tooling effectively. But what I needed was an accurate picture to advise the governor and the legislature what risks we’re facing on a monthly basis – that wasn’t available.
“If you’re a customer a lot of this is built and in the solution, so in these federated environments in which you’re trying to gain control I can’t think of a better option than looking at this concept of an ROC,” he said.
about risk management
Data risk management identifies, assesses and mitigates threats to organisational data, safeguarding sensitive information from unauthorised access.
Knowing the types of risks businesses commonly face and their applicability to your company is a first step toward effective risk management.
Every facet of business operations is exposed to risks, requiring a risk management team that's composed of a diverse mix of corporate executives and managers.
#put #rocs #before #socs #qualys
Put ROCs before SOCs, Qualys tells public sector
The security operations centrehas served public sector cyber teams well over the years but is fundamentally a reactive tool and now needs to be superseded by something else in order to address not just alerts about in-progress security events but the underlying risks that lead to them, all in the service of ‘doing’ cyber more efficiently and, crucially, cheaper.
This is the view of Qualys CEO Sumedh Thakar, who, speaking at an event for federal government IT leaders hosted in the Washington DC suburbs at the end of May, defined the new-generation SOC as a ROC, where the letter R stands for risk.
Thakar said that things needed to change in the cyber security world. “Continuing in the way that we have where we would scan every week or two and those scans were dumped somewhere on a hard drive somewhere and then someone goes and triages those manually and then you try to fix everything that comes your way – that approach is not really a success,” he said. “Continuing that approach is just not in the future.”
He urged CISOs to stop putting so much effort into attack surface management and refocus on risk surface management, where risk management is defined as the mitigation of risk – or transfer of it to someone else – for the most plausible losses that could affect the organisation.
It is not possible to get risk down to zero, so it is important to figure out how to address the most plausible factors and address those instead.
For a company the most plausible loss will likely be a dollar revenue or profit figure. However, public sector organisations have it tough because they have a very different perspective on what ‘loss’ looks like beyond the financial cost.
For example, they could and should be more worried about the safety of the general public or frontline personnel, national security, critical infrastructure security, economic stability, or public health, said Thakar, referencing attacks such as the infamous Colonial Pipeline incident, which paralysed petrol stations across a swathe of the US in 2022.
“For most agencies it is really about aligning factors to what is the potential disruption to the mission, to the programme, that currently is important,” he said.
Translating this into action for public sector buyers – wherever they may be located – Jonathan Trull, CISO and senior vice president of security solution architecture, and Mayuresh Ektare, vice president of product management at Qualys, said they wanted to help public sector CISOs make the most of the limited resources they have available to them in the face of a mountain of security data
“Our larger customers are having to deal with not a million findings, but hundreds of millions of findings on a daily basis. It is not humanly possible to go and patch or mitigate them all. This is where the concept of a risk operation centre is absolutely needed,” said Ektare.
“You’ve got a limited number of resources at your disposal – how do you point them in the right direction so that you can actually reduce the risk that matters to your agencies the most.”
Ektare described running an ROC as being a “peacetime” activity for defenders, comparing it to an SOC which is more akin to a wartime situation room.
Trull, who spent 12 years working in cyber roles for the state of Colorado, rising to the post of CISO, said: “If this was a capability I’d have had back in the day … an ability to continuously aggregatenormalise, whatever standard they were using, because we didn’t dictate – it was very much you decide what tooling you want and you use that tooling effectively. But what I needed was an accurate picture to advise the governor and the legislature what risks we’re facing on a monthly basis – that wasn’t available.
“If you’re a customer a lot of this is built and in the solution, so in these federated environments in which you’re trying to gain control I can’t think of a better option than looking at this concept of an ROC,” he said.
about risk management
Data risk management identifies, assesses and mitigates threats to organisational data, safeguarding sensitive information from unauthorised access.
Knowing the types of risks businesses commonly face and their applicability to your company is a first step toward effective risk management.
Every facet of business operations is exposed to risks, requiring a risk management team that's composed of a diverse mix of corporate executives and managers.
#put #rocs #before #socs #qualys