Shifting to Work-from-Home: Lessons Learned as a SOC Manager
In recent months, IT and security teams have turned on a dime to support their organizations and get employees settled into working from home full-time. At the center of this shift are the SOC managers, who are there to ensure that operations and processes are in place to not only protect company data but also help employees stay productive. In a recent webcast, Code42’s Senior Manager of Security Engineering and Operations, Cory Ranschau, and Sumo Logic’s Security Operations Center Manager, Roland Palmer, shared their perspectives on how their roles and security operations have evolved in our new work-from-home world.
Read on for a summary of their conversation — or for more details, watch their webcast recording.
How has the SOC manager role changed or evolved during the pandemic?
When employees started working from home, the SOC managers saw their roles expand to support new hours and workflows. Cory explained that in the past, employees who worked from home occasionally saved certain tasks for when they were in the physical office. Now, with employees working from home indefinitely, the security team has to deal with different workflows. They have to understand what users are trying to accomplish and what the new baselines in activity look like. For example, as employees try to balance their professional and personal lives, normal working hours now extend after children’s bedtimes. This means technical teams have to be on call to help when issues arise. To provide that extra help, Code42 introduced The Virtual Help Desk — a place where employees can go to get IT support by simply popping into a Zoom meeting, just like they would stop by the desk in the office.
Both panelists pointed out that in the absence of a centralized office setting, they have to be very clear in the communications they send to their own teams as well as to the wider organization when issues bubble up. Cory explained that one of the challenges for the Code42 security ops team has been with communications. For instance, what is the most effective way to actively workshop problems together now that teammates are no longer sitting right next to each other? Roland pointed out that his team has put even more focus on operations, deploying technology to handle what once would have been taken care of with an in-person conversation. “Stuff that we typically wouldn’t be as concerned with, like when chat or Google Drive goes down, now needs our immediate attention. It’s significantly impactful to the business when it’s down because we don’t have that in-office correspondence where we could just walk over to someone’s desk.”
In making the shift to work-from-home, what have been some of the new and emerging processes that you have adopted?
Business Continuity Plans
For Roland, the focus fell on changes to business continuity planning. His team fine-tuned how they would document new processes and successes, and execute their business continuity plan if another large-scale incident occurs in the future. In addition, the Sumo Logic team has revisited policies and procedures that were office-specific, and evaluated how they apply to a remote workforce. They have to ensure compliance not just in this “new normal,” but consider how policies would be applied in the future. “There are several layers to this that we could dive into, but all processes, procedure plans and considerations have to be revisited to make sure that we’re operating like we should be.”
Vendor Management
When it comes to managing vendors, Cory cautioned not to get too focused on immediate needs at the expense of the vendor selection process. When selecting vendors, you still need to be thorough and diligent even though the urgency to select a vendor – any vendor – is very high right now. With more free trials and offers being extended, the team has seen an influx of new vendor requests. He explained, “I have to do vendor analysis on 35 free tools all of a sudden. I (have to determine if) the tool is something that we’re buying just because (of a promotional offer); if we want to try it just because we think it’s cool during the pandemic; or if it’s something that we actually need to run (in our environment) long term?”
Collaboration Tools
The increased use of collaboration tools has also been a focus. Both panelists stressed the importance of having tools to log activity or file movements. Cory noted, “We make sure we have a really strong identity and access management process for users and figure out how to onboard and set them up correctly from the get-go. Then, in some cases, we also look through the platforms at an administrative level to try to find what security controls we can implement. Can we turn on controls at a global level to prevent users from flipping things on? What makes the most sense for the organization and how can you actually do that in a way that doesn’t break the collaboration tool or prevent it from working? We obviously want users to collaborate – which is part of the culture we’re in – so we’re really trying to make sure that we can meet users where they’re at and keep the applications working.”
What have you learned from things that didn’t go as planned?
Roland said, “Document lessons learned in real time while it’s happening. Write them down because you’ll forget – it’ll be a passing thought . . . Reserve your seat at the table. Everyone’s paying attention to IT and security because we are the facilitators for work-from-home. Continue to remind those making decisions that during this time it was IT and security that pushed this (work-from-home) initiative because that’s what we’re designed for.”
Cory added that the Code42 team has shifted gears quickly and continues to adapt to changes as they occur. “It’s okay to be vulnerable and not have the answer as long as you’re committed to trying to innovate and improve on it, and get the answer for tomorrow.” He ended by talking about the importance of communication not just within our organizations, but within the security community. Share ideas and information with professional networks — this will help security teams adapt and learn together.