The information security landscape has shifted tremendously over the past decade. Information security threats have been increasing exponentially in both number and complexity. As an indication, Figure 1.1 shows the number of US federal agency incidents reported to the United States Computer Emergency Readiness Team for fiscal years 2006-2014 (U.S. Government Accountability Office, 2015).
Information Security Operations Centers (ISOCs), more commonly referred to as Security Operations Centers (SOCs), are considered a response to the rapidly expanding threat landscape. As early as 1975, SOCs were adopted by the military sector and have undergone fundamental changes in their functionality, capabilities and form since then (Hewlett-Packard, 2013).
The current SOC generation was initially conceptualized by Bidou (2005). In his words, a “Security Operation(s) Center is a generic term describing part or all of a platform whose purpose is to provide detection and reaction services to security incidents” (Bidou, 2005, p. 1). A SOC is where the whole of an enterprise’s information systems is supervised, assessed, and defended. This is performed by utilizing a combination of people, processes, and technology. Within a SOC, threat-related incidents are identified, analyzed, communicated, acted upon, and reported (Li, Hsieh, & Lin, 2013).
Nonetheless, business decision makers need a solid foundation, underpinned by both academic knowledge and real-world insights, on which to base the discussion of whether investing in a SOC is rational and justified. The lack of such a business perspective can be attributed, at least partly, to the highly technical nature of SOC implementations, which cannot be easily linked to C-level executives’ goals (Fitzgerald, 2011).
As Walker (2012, p. 17) succinctly puts it “the lack of a common basis for discussion between security professionals and business decision makers is exacerbated by the generally low level of business.