Management thinker Peter Drucker famously said, “If you can’t measure it, you can’t improve it.”
Data-driven decision-making is a key factor in making informed business and management decisions. This type of decision-making is prevalent today in many types of settings. In the security field, leaders look to data to help make decisions about threats, safety, the effectiveness of the response, regulatory adherence, costs and staffing levels.
Management teams have been using data to make decisions for years. What's changed recently is the proliferation of data about almost everything. Organizations now utilize software and systems to complete nearly every task, and these systems are capturing data points throughout these activities.
Just look at the number of data points that are available when a security operations center (SOC) operator is responding to an alarm — these can include:
- When was the alarm triggered?
- What type of alarm was triggered?
- Where is the alarm point?
- When did an operator pick up the alarm to respond?
- Who was the operator?
- What actions did they take in response?
- Exactly when did these actions happen?
- What cameras did they view?
- Who did they dispatch?
- How long did it take to assess the situation?
- Did they open an investigation?
- Who was notified about this incident?
- How long did the entire event take to close?
- What post-event actions were required?
These are just a few of the data points that security might need to know to get a clear picture of this process. Security leaders can use data-driven decision-making to identify inefficiencies, quantitatively measure the success of security procedures, and encourage collaboration between teams.
In security, as the number of systems and data points explodes, how do teams identify the data points that actually make a difference — the ones that provide real insight into their operations? It’s challenging to standardize data across multiple siloed systems in order to get a consistent picture: without this, teams have parts of the picture in one language and other parts in other languages.
Steps to identify and normalize data
Step 1: Agree on the important questions
Get the key stakeholders from the security operation together — management, security technology, supervisors, operators from the SOC and investigations. Together, identify what types of questions and problems the team is looking to solve. Think big picture. Questions might include:
- How long does it take the security team to respond to events?
- Which events create the most activity but potentially distract from efficient responses to critical events (i.e. false positives)?
- How many alarms trigger an investigation?
- How many alarms trigger a dispatch?
- Which location creates the most serious incidents per month?
- Are there enough team members to cover the number of alarms the SOC receives?
Within each of these examples, there are obviously additional questions that may be raised. Identifying the bigger picture will help to identify which issues are most important. It's important to avoid discussing the “how” because this can quickly move the conversation into the mechanics of how to capture this data and distract from identifying the top-line problems that need to be resolved.
Step 2: Agree on the metrics that lead to answers
Once the team has decided on the questions, the next step is to agree on the type of data that will help answer these questions. Let's say that security is looking to answer the question, “How long does it take to respond to events?” The type of metrics that can help answer that question are:
- The average time it takes to pick up an alarm in the SOC today (in minutes and seconds)
- The average time it takes to respond to different types of alarms (e.g. the time it takes to pick up an access control event versus a security assist event)
- The average number of alarms per hour and per day
- The average number of alarms per location (number of alarms per building, per hour and per day)
Each of these metrics begins to paint a picture of how the team responds to security events. SOC leaders will notice that capturing just one key metric to answer the primary question (for instance, "Average time it takes to pick up an alarm in the SOC today") only provides surface-level insight into the performance of the team. Think about which additional metrics influence that number so that the numbers can actually be used to make decisions.
Step 3: Centralize the data
This can be the most challenging step of any data-driven decision-making project. In this step, not only do security teams need to standardize the data, but they also need to centralize it so that later, they can easily access and visualize it for quick insights.
The most efficient way to do this is to standardize on a system that coordinates responses and investigations. SOCs need a system that can take alarms from a range of different systems and normalize these different formats into a consistent data structure. This effectively eliminates the difference in data from one system to another. It has the added benefit of building efficiency through standardization — eliminating high training costs and user errors that come with complex and bespoke approaches.
Step 4: Visualize the data
The final step is to provide a simple way for the various stakeholders to access and visualize this data. There are many visualization programs on the market; these range from the reporting tools built into the SOC system, to Excel spreadsheets using pivot tables and graphs, to dedicated data visualization programs. Each of these provides ways for teams to drill into different data. When comparing visualization tools, look for programs that provide the ability to:
- Present data in different formats. Sometimes a graph is the best way to see data, on other occasions it could be a table.
- Drill into data elements by clicking on data objects in a graph to dive deeper into the cause of that metric.
- Forecast trends: look for systems that can highlight trends in the data set so that SOCs can quickly take action.
- Export data into standard formats: look for exports of raw data in .csv, Excel, or JSON formats.
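The four steps applied end to end, as an added example that is not part of the original article: two constructed alarm feeds with hypothetical field names and timestamp formats are normalized into one schema (Step 3), and the Step 2 metrics are computed from the result. Rows that were never picked up, or whose pickup time precedes the trigger, are dropped so they do not skew the averages.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean
# Constructed sample feeds from two hypothetical alarm systems; each uses its own
# field names and timestamp format, which is exactly what Step 3 has to normalize.
ACCESS_CONTROL_FEED = [
    {"evt_time": "2024-03-04T08:00:00", "ack_time": "2024-03-04T08:01:30", "kind": "door_forced", "site": "HQ"},
    {"evt_time": "2024-03-04T08:20:00", "ack_time": "2024-03-04T08:20:30", "kind": "door_held", "site": "Warehouse"},
    {"evt_time": "2024-03-04T14:05:00", "ack_time": "2024-03-04T14:07:00", "kind": "door_forced", "site": "Warehouse"},
    {"evt_time": "2024-03-04T15:00:00", "ack_time": None, "kind": "door_held", "site": "HQ"},  # never picked up
]
DURESS_FEED = [  # epoch seconds instead of ISO strings; 1709539800 is 2024-03-04T08:10:00Z
    {"raised": 1709539800, "picked_up": 1709539860, "category": "security_assist", "building": "HQ"},
]

def _iso(s):  # naive ISO strings are assumed to be UTC
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc) if s else None
# One adapter per source maps its records onto a single consistent schema.
ADAPTERS = {
    "access_control": lambda r: {"triggered_at": _iso(r["evt_time"]), "picked_up_at": _iso(r["ack_time"]),
                                 "alarm_type": r["kind"], "location": r["site"]},
    "duress": lambda r: {"triggered_at": datetime.fromtimestamp(r["raised"], tz=timezone.utc),
                         "picked_up_at": datetime.fromtimestamp(r["picked_up"], tz=timezone.utc),
                         "alarm_type": r["category"], "location": r["building"]},
}

def normalize(feeds):
    """Return normalized alarms with a computed pickup time; drop rows that cannot yield one."""
    out = []
    for source, records in feeds.items():
        for rec in map(ADAPTERS[source], records):
            if rec["picked_up_at"] is None or rec["picked_up_at"] < rec["triggered_at"]:
                continue  # unacknowledged or clock-skewed rows would distort the averages
            rec["source"] = source
            rec["pickup_seconds"] = (rec["picked_up_at"] - rec["triggered_at"]).total_seconds()
            out.append(rec)
    return out

def metrics(alarms):
    """The Step 2 metrics: overall and per-type pickup time, volume per hour and per location."""
    by_type, per_hour, per_location = defaultdict(list), defaultdict(int), defaultdict(int)
    for a in alarms:
        by_type[a["alarm_type"]].append(a["pickup_seconds"])
        per_hour[a["triggered_at"].hour] += 1
        per_location[a["location"]] += 1
    return {
        "avg_pickup_seconds": mean(a["pickup_seconds"] for a in alarms),
        "avg_pickup_by_type": {k: mean(v) for k, v in by_type.items()},
        "alarms_per_hour": dict(per_hour),
        "alarms_per_location": dict(per_location),
    }
```

Call `metrics(normalize({"access_control": ACCESS_CONTROL_FEED, "duress": DURESS_FEED}))` to get the figures; the returned records are already flat and can be written out as CSV or JSON for whichever visualization tool is chosen in Step 4.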