The role of physical security teams has evolved a lot in recent years. From the tools being used to the capabilities and profile of those working in the industry, the changes security teams have undergone are a result of the increasing asks other functions of the organization are placing on them.
Today’s security teams are tasked to do more and more each day. This has largely been driven by external factors, such as the war in Ukraine, which has brought geopolitics back to the fore, and the intersection between security, ESG, and compliance risks. These shifts require new capabilities, new work products, and in some cases, fundamentally new ways of performing. The result? An increasing diversification in the responsibilities of security teams, new technology innovations to master, and an emphasis on not just the speed of information they share with decision-makers, but the accuracy and nuance behind it all.
At the heart of these changes is a requirement to think differently; widen a security-only mindset to a broader business-focused one. Today’s security leaders can’t just care about what is happening and where; they are also asked to deliver strategic insights to build a strategy, team, and set of technologies and capabilities that enable security operations to more flexibly respond. Three shifts as a physical security leader can help teams find successes in the face of these changes.
Shift 1: From the What to the Why
A few years ago, the industry put a huge emphasis on alerts. The more alerts, and faster, the better. While receiving an endless stream of pings provides the appearance of being informed on all of the globe’s disruptions and events, quantity is no longer king.
In today’s world, merely receiving alerts is insufficient. What’s crucial is the ability to rapidly contextualize and comprehend the implications of events for your organization. It’s about more than just being notified of occurrences; it’s about swiftly grasping the broader environment, trends, and discerning whether an event deviates from norms. Without this contextual understanding, how can you transform raw information into actionable intelligence to assess your readiness to respond appropriately?
Security teams must focus on the “So what?” and not just “What”. While it is important to know when an unusual event occurs, it is far more valuable to understand the relevance and repercussions of that event. In an age where information has gotten so democratized that everyone in your organization feels like they are a security intelligence professional because they receive alerts from the BBC, The Wall Street Journal or the New York Times in real time, organizations need to understand the domino effect an event might have to their business in a holistic, strategic, and tactical way. Often, it’s a second or third connection that is affected by the event. The security operation center might not be aware of the wide-reaching impact.
However, tools now exist to help the security industry quickly and accurately assess how a disruption might impact all aspects of an organization. Security Operation Center (SOC) leaders need to make sure all possible parties that could be impacted by a disruption are informed, connected, and working in collaboration. This requires creative and collaborative thinking along with strong business acumen.
Shift 2: The Power of Preparedness
While the industry has embraced a shift from purely reactive strategies to more proactive approaches, striking a balance is essential. As alluring as it may seem to fully preempt crises through foresight, the reality is no organization can predict and circumvent every future disruption. A solely proactive stance risks overconfidence. Conversely, being entirely reactive leaves an organization vulnerable. The best approach blends proactive measures to anticipate risks where possible, while maintaining strong reactive capabilities to address the inevitable unexpected disruptions.
At the head of being prepared are two main attributes:
- You can’t be proactive if you don’t have a solid understanding of the business at large. Without a full-picture view, contextualizing security events and their importance to the entirety of the business becomes hugely challenging. As does communication of these events. Not every event is a crisis, but a lot deserve analysis and a view of how it could build into something more in the future (think slow-rolling geopolitical events). Communicating what is happening now and how it could impact things in the future to leaders outside of security operations requires the team to understand what is driving the business at large and how to use things like the company’s strategic priorities to best position the impact. By the same token, choosing to report events as a “non-event” becomes equally important to the business: why you should care as much as why you should not.
- Technology, the second attribute, is rapidly changing and improving. While it might not be able to forecast every event on the horizon, the tools available to security operations centers can flag trends that give leaders a warning as to when problems are forthcoming. These indicators give SOCs the time to prepare and proactively make decisions to safeguard people, facilities, and more.
Improved technology, which can flag potential issues and layer in historical data is powerful. It becomes an even more reliable and valuable strategic tool when coupled with experts who can enhance this data with context, local knowledge, and operational understanding. The result gives teams the ability to forecast and present scenarios of what, where, and when the disruptions might occur.
Shift 3: Integration: From Checklists to Decision Workflows
Along with the shifting role of alerts, many other tools the industry has relied on are changing – the commoditization of alerting providers, the bombardment of sources in the information landscape, threat intel in the mainstream, and a movement to building integrated decision workflows.
Merely linking checklists to various chat tools is an inadequate approach for managing incidents or evolving situations. To effectively handle such scenarios, organizations need comprehensive technology solutions that can streamline and enhance the entire decision-making process. These solutions should be able to identify all stakeholders who need to be informed, clearly define their respective roles and responsibilities, and ultimately guide the specific actions and deliverables required. By leveraging the right technology, organizations can significantly improve not only the accuracy of their incident response processes, but also the overall quality of the decisions being made under challenging circumstances.
What does this mean?
- Rapid assessment of the event comes first. The greater connection between understanding the nature of the event, e.g., is it anomalous versus part of a general trend, is it of a magnitude greater than the past, is it in a location not normally impacted by these types of events, etc. – these are all important differentiators to identify. The key is in the details. If it matters, then it is time to decide what you do next.
- Assessment of its impact is next. If the event directly impacts the business according to various assessed scenarios, efficient decisions or actions are key to minimizing and mitigating the negatives.
- Determination of what to do next. This is when security operations must work in alignment with crisis management protocols and communicate plans to all stakeholders and leaders, alongside building a robust and simple decision matrix to avoid critical time lapses.
It is this point around the ‘decision’ that lies at the heart of optimizing workflows. Where most still get it wrong is that the workflow is based on work ‘stages’ and not grounded in the nature and materiality of the decision being made.
The Future
The security operations industry is quite different today and it will likely continue to evolve at a fast pace. With the speed at which technology changes and evolves, we are likely to be restating this phrase in the not-so-distant future. However, the good news is that the changes are for the better. Security operations have more options, more tools, and more reach than ever before. No longer are teams forced to manually read print newspapers and enter data into spreadsheets. Machines are powerful and, if used properly, are a great partner for SOCs.
These three shifts cover key elements that all SOCs should be keeping at the forefront of their efforts. One of them might just be a reason why operations avoid disruption or why employees remain safe despite disaster.
