A monthly or quarterly report is a great way to summarize a SOC’s performance and uncover insights for executive leadership. But as a security and risk manager or executive, what information should you request from the managers who report to you?
In this blog post, we’ll walk through a best-practice security operations center security report template for summary reporting.
The Problem
As an upper-level manager, you’re not in the trenches of the SOC on a daily basis. However, you have the crucial job of making decisions about cybersecurity and relaying information regarding cyber risk to your superiors, and you rely on SOC managers to provide you with that information.
There are often significant gaps between what the SOC knows and what it reports to leadership. According to EY, only 15% of organizations say their information security reporting fully meets their expectations, and only 17% report on areas for improvement.
The SOC is heavily dependent on executive buy-in. It’s vital for SOC leadership to communicate with you effectively so the most important (and most accessible) information can be passed up the chain of command, and meaningful changes can be made.
Security Operations Center Report Template
In addition to information that’s relevant to your organization’s specific concerns, an effective SOC report will contain the following sections:
Key Findings
Managers should summarize the most critical findings and action items from the report in non-technical language that executives and Board members can understand.
Key findings should also include at-a-glance insight into the organization’s security performance with clear metrics such as security ratings.
This information should be provided at the beginning of the report, where it’s most likely to be seen and read carefully.
Monitoring Summary
In this summary, managers should lay out an overview of what was monitored for the report, including the number and locations of monitored servers, workstations, and devices.
Don’t neglect to request information about what wasn’t monitored — it’s important to identify gaps in the SOC’s field of view, so that strategies can be implemented to close those gaps.
Incident Summary
Here managers should provide the total number of incidents detected and resolved, as well as more specific data, such as:
- Breakdown of incidents by type, target, and severity
- Mean time to detect (MTTD)
- Mean time to resolve (MTTR)
- Specific actions taken for each incident, such as log collection, quarantine, security patch installation, and password reset or other authentication system changes
Threat Summary
This section should outline the most severe threats faced by your organization in the past month or quarter, specify whether or not your organization anticipated them, and detail how they were approached by the SOC.
Information about emerging malware trends and recommended actions to prepare for those threats will also be helpful.
The threat summary is also where cybersecurity concerns should be put into context. The SOC manager needs to present information about common cyber attacks, using real incidents as examples.
As part of the threat summary, ask managers to respond to the following questions:
- What incidents have recently occurred in our industry?
- What kind of threat(s) will pose the most risk to our organization in the coming month/quarter?
- How does our organization compare to peers and competitors when it comes to mitigating risk?
Recommendations
This is a manager’s opportunity to advocate for the SOC, and request any additional resources that are necessary to improve performance. If the SOC manager provides concrete recommendations (and if possible, estimated costs), it will make your job easier as you make decisions and consult with your superiors about proposed changes.
These recommendations do not need to fall entirely within the SOC’s purview. Managers should consider how other departments can work together to promote a culture of cybersecurity awareness within the organization.
For example, a large percentage of malware enters organizations through phishing emails — a problem that requires employee training to correct. A SOC manager might recommend stricter enforcement of cybersecurity policies across all departments or cybersecurity workshops organized by learning and development in order to address this issue.
Additional Considerations
As they compose each section of the report, managers need to keep audience and purpose in mind so that upper-level managers, executives, and Board members can turn data into action. For maximum impact, reports should allow for both clarity and context.
Clarity
The majority of executives and Board members will have limited technical understanding, so clarity is key.
An effective report will use language that non-technical individuals can understand, and make use of synthesized metrics like security ratings in order to deliver complicated information in an easily digestible format. Wherever possible, non-critical information should be in the appendix, so as not to clog the body of the report with excess data that would make it harder to understand.
Context
It’s not effective to simply present data in a vacuum. In order to effectively communicate findings, context and analysis is required.
The report should compare cyber security KPIs with historical performance, the performance of peers and competitors, and progress toward stated objectives.
Managers should also aim to provide meaningful analysis — what does it mean to the business that these incidents occurred, or could occur in the future? Which incidents pose the biggest risk for revenue, customer trust, and legal costs?
When a report successfully illustrates the tangible impact of both actual and potential attacks, security leadership can make a more compelling case for allocating more resources to the SOC.
Closing the Knowledge Gap
Maintaining C-suite and Board buy-in can be challenging, and the quality of a report can make or break this vital line of communication. With an effective SOC summary report, you can improve decision making and communication up the chain — ultimately improving your organization’s overall cybersecurity.
Have more questions about cybersecurity reporting?
Download our Practical Guide to Risk-Based Cybersecurity Reporting
