This article was compiled based on the guidance of security leaders at Fortune 500 companies. It is the second in a series on security technology and ROI. If you have additional suggestions to make, we invite you to share them with us here.
“What’s the ROI on that?”
Because security budget is often owned by different business units, and because security programs do not generate revenue, security teams often face recurring budgetary pressure and are asked to justify spend.
A common operating picture can play a unique role in the hierarchy of security spend. That’s because it acts as a single source of truth for alerts, alarms and all the critical events that potentially impact your enterprise. As a result, it provides crucial insights into other budget line items.
Put differently: a common operating picture can help your security team understand and quantify the return they are getting from investments in threat intelligence, PSIM systems, and other technologies. The right common operating picture can also help quantify operator/analyst output, showcasing the value of a hard-working security team.
This article will examine how a leading edge common operating picture plays a crucial role in measuring the return on investments in security technology.
Key Attributes of Common Operating Picture
The Features Your Common Operating Picture Needs to Demonstrate ROI
A common operating picture with the right capabilities can help you demonstrate ROI. Here we will discuss a few features that relate directly to ROI determinations. This is largely a question of how the common operating picture captures data and helps you ‘connect the dots’ between risks, responses, impacts, and outcomes.
Integrate risk intelligence and other physical security data, in context
Data and metrics are fundamental to any ROI discussion. That’s why your common operating picture should integrate a wide variety of data relevant to physical security teams. This includes: subscription and OSINT risk intelligence; fixed and in-motion assets; employee locations; alerts and alarms; and many more. The more types of data your common operating picture can ingest, the more detailed your ROI picture can be.
Company asset data should also include key contextual information. This includes information such as facility type and any restricted areas; number of employees; office manager and contact information; an executive’s travel itinerary. Anything that facilitates situational awareness and quick decision-making is useful contextual information.
Filter out ‘noise’ so analysts and operators can respond to true threats
The objective of integrating data is not to flood the security operations center with too much information. The point here is to display risk intelligence and asset information in a way that improves speed to recognition and response time. Your common operating picture should be able to filter risk intelligence based on type, severity, proximity, and other factors. The faster a security analyst or operator can correctly respond to risk, the faster potential impacts from that risk can be mitigated.
Triage and respond with streamlined workflow
A common operating picture should empower users to respond to any type of critical event – within the application. This feature provides an immediate time-saving benefit: an operator can swiftly take action without switching systems or screens. The response or its individual steps may vary depending on the type of event (e.g., a natural disaster vs. a forced entry). That’s why your common operating picture should provide workflow that can be configured to different types of events – for instance, by including SOPs or the steps that must be taken. The goal is to include the correct workflow steps without adding unnecessary ‘clicks.’
Document team response to alerts and incidents
This capability is crucial because it captures the responses and other actions taken by the security team, whether onsite or located remotely in the SOC. This information should be logged and timestamped to understand how long specific responses, investigations, or other activities take. The information can then be used for a variety of purposes, including performance benchmarking, staffing decisions, after-action reviews, and others.
Include risk and response data in communications and reports
A common operating picture should deliver maximum utility at every step. This means leveraging the information associated with alerts, assets, and actions. Risk intelligence contains a variety of information, such as a summary of what happened and where the event occurred. Operator responses include key steps or remediations taken, personnel contacted, impacts, and other valuable information. This information should automatically populate communications and reports, eliminating the need to copy and paste between systems.
Automated reporting and analytics
Your common operating picture should generate branded reports automatically. More specifically, it should provide configurable reports suitable for audits, the Board of Directors, and the organization as a whole. Your common operating picture should provide key analytics to help you run your security operations better and demonstrate the value of your security operations to executive leadership. Automating these processes saves valuable time and keeps security team members focused on protecting the organization.
Measure and report on relationships between the data
The features listed above are powerful on their own. Their effect is amplified when your common operating picture identifies relationships between alerts, assets, and actions. This is what ultimately helps you quantify the return on other investments in security technology and programs.
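As an added illustration (not code from the article or from any product it describes) of three of the capabilities above working together, the block below models the noise filtering by type, severity and proximity, the timestamped response log, and the alert/asset/action linkage that feeds a report. The assets, alerts and action-log entries are constructed sample data, and the field names, severity scale, 25 km radius and haversine distance are assumptions chosen for the example.

```python
"""Added example: filter alerts by severity/type/proximity to company assets,
then link each kept alert to its timestamped response actions and compute
time-to-acknowledge and time-to-close. All data below is constructed."""
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Assumed severity scale (not from the article).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Asset:
    name: str
    lat: float
    lon: float
    kind: str       # contextual data: facility type
    contact: str    # contextual data: office manager / contact


@dataclass(frozen=True)
class Alert:
    alert_id: str
    kind: str
    severity: str
    lat: float
    lon: float
    received: datetime


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def nearest_asset(alert, assets):
    """Return (asset, km) for the asset closest to the alert."""
    return min(((a, distance_km(alert.lat, alert.lon, a.lat, a.lon)) for a in assets),
               key=lambda pair: pair[1])


def filter_alerts(alerts, assets, min_severity="medium", radius_km=25.0, kinds=None):
    """Keep alerts at/above min_severity, within radius_km of some asset and,
    if kinds is given, only of those types. Returns [(alert, asset, km)]."""
    kept = []
    for alert in alerts:
        if SEVERITY_RANK[alert.severity] < SEVERITY_RANK[min_severity]:
            continue                      # drop low-severity noise
        if kinds is not None and alert.kind not in kinds:
            continue                      # drop types the SOC is not watching
        asset, km = nearest_asset(alert, assets)
        if km <= radius_km:               # drop events far from any asset
            kept.append((alert, asset, km))
    return kept


def response_metrics(alert, actions):
    """Minutes from receipt to first 'acknowledged' and to 'closed' action,
    from a timestamped action log; None where the action has not happened."""
    mine = sorted((a for a in actions if a["alert_id"] == alert.alert_id), key=lambda a: a["at"])
    def minutes_to(name):
        for entry in mine:
            if entry["action"] == name:
                return (entry["at"] - alert.received).total_seconds() / 60
        return None
    return {"minutes_to_ack": minutes_to("acknowledged"),
            "minutes_to_close": minutes_to("closed"),
            "actions": [e["action"] for e in mine]}


def build_report(alerts, assets, actions):
    """Link each kept alert to its nearest asset (with contact) and its response
    metrics: the alert/asset/action relationship a report should surface."""
    report = []
    for alert, asset, km in filter_alerts(alerts, assets):
        row = {"alert": alert.alert_id, "type": alert.kind, "severity": alert.severity,
               "asset": asset.name, "contact": asset.contact, "distance_km": round(km, 1)}
        row.update(response_metrics(alert, actions))
        report.append(row)
    return report


# --- constructed sample data -------------------------------------------------
ASSETS = [Asset("HQ", 41.88, -87.63, "office", "hq-manager@example.invalid"),
          Asset("Warehouse", 39.74, -104.99, "warehouse", "wh-manager@example.invalid")]
T = lambda h, m: datetime(2024, 1, 15, h, m)
ALERTS = [Alert("A1", "protest", "high", 41.90, -87.65, T(9, 0)),         # ~2.8 km from HQ
          Alert("A2", "wildfire", "critical", 38.50, -121.50, T(9, 30)),  # far from all assets
          Alert("A3", "weather", "low", 39.75, -105.00, T(9, 45)),        # too low severity
          Alert("A4", "power outage", "medium", 39.75, -105.00, T(10, 0))]  # ~1.4 km from Warehouse
ACTIONS = [{"alert_id": "A1", "at": T(9, 4), "action": "acknowledged", "operator": "op1"},
           {"alert_id": "A1", "at": T(9, 10), "action": "contacted facility manager", "operator": "op1"},
           {"alert_id": "A1", "at": T(9, 45), "action": "closed", "operator": "op1"},
           {"alert_id": "A4", "at": T(10, 12), "action": "acknowledged", "operator": "op2"}]

if __name__ == "__main__":
    for row in build_report(ALERTS, ASSETS, ACTIONS):
        print(row)
```

Of the four constructed alerts only A1 and A4 survive the filter; A1 shows a 4-minute acknowledgement and 45-minute closure, while A4 has been acknowledged but not closed, which the report records as `None` rather than inventing a value. Those per-alert durations, aggregated over a period, are the raw material for the benchmarking and staffing questions discussed above.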
A common operating picture should empower security teams to address questions such as: