Cyber Security Insights with Brad Mecha Disrupting Cybersecurity

What makes a good security workflow great

The term “Workflow” gets thrown around quite a bit in security, most commonly used within the context of security operations, incident detection and response.

Here’s the thing:

Nobody owns your workflows but you. You create them. You manage and iterate on them. You report on them.

There are no shortcuts.

A workflow is a series of repeatable steps with the goal of completing work that’s iterated over long periods of time.

It’s how YOU get work done.

So when I hear a team taking on an automation (SOAR) project discuss with a SOAR vendor how to “accelerate maturity with automation”, and the very first ask from the security team is:

“We don’t have any defined workflows, how about you give us your stock playbooks and we'll see what we can automate.”

So what you’re saying is:

 

  • You don’t understand what you work on
  • You don’t know how you work and its corresponding steps
  • You’re unable to measure how much time you spend on the work you do know about
  • You lack prioritization
  • Without prioritization, you’re OK with losing control to some vendor who tells you what work to do and what’s worthy of your time and effort to automate

 

Regardless of whether it’s SOAR, Managed Network Detection, Managed EDR, Managed SIEM, Managed Vuln Management, etc., it’s still your work and your workflows.

You can’t shortcut maturity even with all the tools and managed services the security industry has to offer.

All that work will eventually land on your lap, and if you don’t own and understand those workflows, then you'll always be unprepared, disorganized and overwhelmed.
