You’ve done it. Congratulations. You wrote an impressive business case, designed a SOC that was just right for your company and then you hired good people and trained them into a cohesive SOC that has become the security nerve center of your corporation. Regulators and auditors love you because you have all the data on all of the controls they care about most at your fingertips. Time to relax and just enjoy your good standing, right?
Business case; Six Sigma; Black Belt; customer service; body opponent bag; security industry
You’ve done it. Congratulations. You wrote an impressive business case, designed a SOC that was just right for your company and then you hired good people and trained them into a cohesive SOC that has become the security nerve center of your corporation. Regulators and auditors love you because you have all the data on all of the controls they care about most at your fingertips. Time to relax and just enjoy your good standing, right?
Wrong! Ok, that was an obvious trap but you’re still reading so we have that going for us. Now that you have your operation up and running you need to make sure that you don’t rest on your laurels. The down side of measuring anything is that management will always want improvement. The reality is that there will come a point when even if you do everything possible, you won’t be able to squeeze out any more. We think that is a long way off and should not be used as an excuse to try and so will your boss. What you need to do is show that you have evaluated all the aspects and that you can prove you have reached a point of diminishing returns.
What you want to do is make sure that you are ahead of the process that is so predictable, so don’t get surprised. Instead anticipate the requests and have a plan ready. There are always items that can be categorized as low hanging fruit. It may be an overused expression, but that’s likely because it seems to be a constant in business. Take any department in the company, and once you take a step back and spend time not just cranking on the day-to-day work product, but actually evaluating what could be improved, some obvious areas will stick out. It’s likely that people in that department have known for some time, but if you only have four people doing the work of five or six, it’s hard to find the time to figure out what needs to be improved, let alone how.
Once those areas are tackled, focus on your pain points. If your company does perform customer satisfaction surveys that include comments, then you should have the ammo you need. If not, perform one just for security. Make sure you actually keep it anonymous or you will lose trust before you even have a chance to build it. Not all improvements will save money, some just reduce make work or allow you to do more with less. Finance is very particular about what it calls hard savings, so don’t expect a lot of credit for cost avoidance, just make sure your boss understands the net benefit to the company.
When you have run out of suggestions from inside your department and other employee concerns, then use your company’s resources. If your company is a Six Sigma or Lean shop, find a Black Belt and ask for an evaluation. If that resource is not available, consider getting a consultant, or better yet, get training in some form of management system. Six Sigma is perhaps the most well known, but they are certainly not the only game in town. Do your research and find a methodology that works for you.
If you reach a pace where you have convinced your upper management that you have exhausted improvement potential in your department, look to take on additional workload. When it comes to onboarding, most companies waste a lot of time, which delays people’s start time or at a minimum, makes them ineffective while they wait for their technology and credentials. Each company is different, but if you have a SOC, it is likely that you own the provisioning and de-provisioning of physical access. If a full evaluation takes place that covers the entire process, from a headcount being approved in the budget process, all the way to a new worker becoming fully productive, most corporate or shared services departments have been involved. If the pressure is on, volunteer to spearhead a project to assess the entire process from end to end and come up with recommendations for reducing the overall time and fixing problems that exist with the process.
When you are on the quest for improvement, make sure that you and especially your staff don’t get improvement fatigue. Make sure to let your folks know when they are doing a good job and never forget to celebrate milestones. Security departments often see the worst of their company’s employees and certainly the worst from society. You have to be able to blow off steam in a healthy way that will not result in a call to HR or a car accident.
The only constant is change. Just as you must evolve and learn new skills over time or become a dinosaur, a SOC must also change over time to ensure that it remains a relevant and valuable asset to the company. A SOC is just a place where security work gets done for the company and as such it relies on technology and people. Both of these will fail from time to time. You may have heard that it takes 17 positive interactions to make up for a negative one. I don’t doubt the ratio, but I do know that this ceases to be true if the negative interaction is truly an epic fail.
As with many things in life, consistency is the key. Your staff need to perform their tasks with precision and each interaction with a customer needs to be polite and most importantly, helpful. Getting to this point will take some time, but once achieved, you must work even harder to maintain. The concept of continuous improvement is not new, but there are an infinite number of ways to approach it. In Chapters 16 and 17 we covered customer service and metrics, respectively. Your customers will tell you what is important to them about security, but they will rarely tell anyone else. It is up to you to take that feedback and present it to the heads of the business units along with your plan on how you will improve on the areas that have received the worst feedback. Make sure to read carefully through the verbatim comments. Remember, these customers are employees. Many have been with the company for 20 plus years and while they are not security experts, they do know what they need to support their objectives. They also know the buildings they office and how it is used and misused by other employees better than you.
One mistake you should avoid is trying to tackle too many improvements at one time. Remember, the regular job of the SOC is challenging enough and if you have taken on additional tasks to show the value of the SOC, chances are your staff will not be bored. I recommend no more than three areas of focus and if possible only one, especially if there is a lot of dissatisfaction with the area that needs improvement. Don’t just rely on a satisfaction score and a few verbatim comments when you are completing your improvement plan. Go out and meet with your key customers and conduct more in-depth interviews. Ask them straight out what they consider to be an acceptable level of performance.
Let’s take something as basic as how long it takes to answer a call on average. By analyzing your trended data over time, you will know when your peak call times occur. Hopefully when it’s slow, you aren’t getting complaints about length of time to answer a call. Don’t make assumptions about what your company’s employees want. We did initially at one company and we were wrong. We felt it better to resolve each call to its completion, which lead to people calling in and listening to the phone ring for longer than they felt was reasonable. They felt it was better to have the line answered and notified that they would be put on hold that having the phone ring until a person was available. Company’s cultures vary, but at Xcel, they knew we were busy, but they would rather have hold music and a phone ringing and not know if or when we would answer. That doesn’t mean that they wanted to be on hold forever, in fact they were very clear about how long they were willing to wait on hold as well. But with that data, we were able to change how the SCOs handled calls. Of course we had a system in place that we got from our own customer call center that gave us detailed metrics about the time to answer, the length of time on hold, the length of time per call, and how long a person waited before they hung up.
We will caution you not to try and make operational changes based on outliers. Some of those may be very vocal, but you are there to serve the entire company, not one or two people. That is unless they are in your direct chain of command, then you might want to consider it. It also helps when you share the information back with your customers. They may have no idea for instance that you only have two people answering calls during the day and your call volume for an average dayshift is 640 calls.
Also, make sure to let your customers know that you worked on the thing they cared about the most and that you either achieved the target or at the very least that you made improvement in the area. It is far better to only commit to improving one area and then really nailing it, than to overpromise and fall short. Most of security is how people feel about it. The more competent you appear, the better.
The worst case is that you commit to improving an area and you fail. Failure happens. It never stops sucking, but it will happen sooner or later. The worst thing you can do is to get defensive. Security is not always the most popular department in a company. There are those that will do what they can to cause grief or drama. The best approach to take when you have failed to achieve improvement in an area is to conduct a transparent review of everything that occurred to find the root cause or causes. This is not an effort to make excuses, but something happened to derail the improvement project, and you need to understand what. Once you have your answer, you need to openly share it and own it. You also need to have a plan for addressing the roadblocks and taking another crack at it. If it was a resource issue, you should have the metrics and supporting data needed to submit a business case to close the gap. It could be a technical issue or lack of engagement from another department or perhaps your staff is overtasked. You data should back up your conclusions.
Your detractors may want to take the opportunity to make the SOC look bad for whatever reason, but if you approach it right, you may in fact be able to use the initial failure as a way to get a business case approved for additional resources. Of course, if you take this approach and get whatever resource you asked for, you then need to deliver. If you feel you’ve exhausted even those type of opportunities, make sure that you have your business case ready with up-to-date information that justifies your existence and clearly proves that you are the lowest cost provider, because sooner or later, someone will come asking.
Morale is an important part of any department. You’ve built trust with the rest of the company, but you need to make sure that you also have built in that trust and respect at the SOC department level. There is a fine line between working effectively and overworking. At one company, we had a couple of rough months where several changes were occurring across the company and employees would call our SOC to take out their frustrations due to various reasons that sometimes was not even security-related on the operators who would be left angry, demoralized, and frustrated. We had a team meeting and as management said all the right things, but it became clear that while temporary, it was going to suck for the SCOs a while at least until the corporation’s morale improved. We decided to bring in a body opponent bag (BOB) as our anger management specialist. We went out and purchased a BOB, which is a punching bag in the shape of a man’s torso and head on a stand filled with water to keep it from falling over. When a particularly nasty call came in, the operators would handle it as best they could, making sure to remain professional. Then they would get up from their workstation, declare that they were going to have a counseling session with BOB, then walk over and give BOB a good solid punch or two or three or four to relieve their frustration. BOB got a lot of use in the first month and then less over time, but the gesture was appreciated for much longer and it was a constant reminder that we really did get what we were asking them to do and that at times it just plain sucked. Sometimes they will need to vent and you will need to listen. Being a security console operator is not an easy job at times. Remember that.
So, the moral of the story is, take care of your SOC staff because they are the sole reason that your SOC will succeed or fail. Take care of your people. Don’t allow energy vampires and negative personalities to destroy the team morale of your SOC. Keep those post orders, and procedures up to date because your staff will rely on those to do the job. Provide them with the tools and training they need to complete their mission with each shift they work. Train them constantly, challenge them regularly, counsel them as needed, treat them kindly daily, give them opportunities to grow professionally, and remember to reward them when they are deserving because you are their leader. Remember to thank them for all their hard work and dedication on a regular basis. If you do all of that for your staff, your SOC will be a companywide success and a continuing integral part of the fabric of your organization that management will be proud of.
The authors of this book hope you have learned some valuable lessons or gained some good ideas or tips from this writing that you will be able to incorporate into your existing or future SOC. We ask that if you learn some new ideas along your SOC journey, please share them with us at securityopsctr@charter.net and your peers in the security industry to make as all better within our profession. We wish you and your SOC staff nothing but the best.