One of the first professional books I read was “The Checklist Manifesto” [1], a short book with powerful takeaways about how working to a checklist can bring value and safety. The book starts with the topic of healthcare but broadens to include examples from all career paths.

Without giving away the best bits I’ll borrow a couple of the quotes from the book.

Without trying to compare the amazing work of emergency medical professionals to SOC analysts, there is some definite overlap here:

“… then you must add the difficulties of orchestrating them in the right sequence, with nothing dropped, leaving some room for improvisation, but not too much.”
“… at any point, we are as apt to harm, as we are to heal”
“…you have to get the knowledge right and then you have to make sure that the 178 daily tasks that follow are done correctly despite some monitor’s alarm going off”
“But however supremely specialized and trained we may have become, steps are still missed. Mistakes are still made”

Regarding implementing a simple checklist covering extremely basic and obvious steps:

“The results were so dramatic they weren’t sure whether to believe them (the checklist) prevented 43 infections, 8 deaths and saved two million dollars in costs”

And in general:

“Experts are up against two main difficulties […] fallibility of human memory and attention, especially when it comes to mundane matters […] (and) people can lull themselves into skipping steps even when they remember them”

Ten years ago, when I started working in a SOC environment, clients had a small handful of tools and tickets arrived at a steady pace, so I had real energy and focus to invest in every one. These days it’s common to have a backlog so long that we rush and skip critical steps.

You can probably see where I’m going here. I’ve previously mentioned “Standardise” as a value of SOAR, but how would that look at different maturity stages?

  1. Not-yet-matured SOC: No formalised processes, or processes that exist only in analysts’ memory
  2. Maturing SOC: Formalised processes are written down in a book somewhere (and only opened when the auditors visit), but actions are still carried out manually and from memory
  3. Mature SOC: Formalised processes that start automatically, in seconds, without exception, with every single step documented for audit and a standardised output
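To make the third stage concrete, here is an added example (not code from the original post or from any SOAR product) of a triage checklist expressed as code. Every step runs in order, nothing can be skipped, each step’s outcome and timing is recorded for audit, and the result is a standardised report. The alert fields, the intel and asset lookup tables, and the three steps are all constructed for illustration; a real playbook would call the SIEM, TI and CMDB APIs instead.

```python
"""Checklist-as-code triage playbook (constructed example).

The point is the *runner*: a step that fails is recorded as an error and
the report is flagged for an analyst, rather than the step being silently
dropped the way a tired human might drop item 9 of 12.
"""
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Callable

# Constructed stand-ins for a threat-intel feed, a CMDB and an IAM export.
KNOWN_BAD_IPS = {"203.0.113.7": "internet scanner (constructed TI entry)"}
ASSET_OWNERS = {"ws-finance-12": "finance"}
PRIVILEGED_USERS = {"svc_backup", "da_admin"}


@dataclass
class StepResult:
    name: str
    status: str      # "ok", "finding" or "error"
    detail: str
    started: str     # ISO-8601 UTC timestamps for the audit trail
    finished: str


@dataclass
class Report:
    alert_id: str
    verdict: str             # "benign" or "suspicious"
    needs_analyst: bool
    steps: list = field(default_factory=list)


# Each step takes the alert and returns (status, detail). Hypothetical checks.
def check_source_ip(alert: dict) -> tuple[str, str]:
    ip = alert["src_ip"]
    if ip in KNOWN_BAD_IPS:
        return "finding", f"{ip} is listed: {KNOWN_BAD_IPS[ip]}"
    return "ok", f"{ip} not on any list"


def check_user_privilege(alert: dict) -> tuple[str, str]:
    user = alert["user"]
    if user in PRIVILEGED_USERS:
        return "finding", f"{user} is a privileged account"
    return "ok", f"{user} is a standard account"


def check_asset_owner(alert: dict) -> tuple[str, str]:
    # Deliberately raises KeyError for hosts missing from the CMDB, so the
    # runner's error path (record, flag, continue) is exercised.
    owner = ASSET_OWNERS[alert["host"]]
    return "ok", f"asset owned by {owner}"


PLAYBOOK: list[tuple[str, Callable[[dict], tuple[str, str]]]] = [
    ("Check source IP against intel", check_source_ip),
    ("Check whether user is privileged", check_user_privilege),
    ("Identify asset owner", check_asset_owner),
]


def run_playbook(alert: dict, steps=PLAYBOOK) -> Report:
    """Run every step, in order, unconditionally; return a standardised report."""
    report = Report(alert_id=alert["id"], verdict="benign", needs_analyst=False)
    for name, fn in steps:
        started = datetime.now(timezone.utc).isoformat()
        try:
            status, detail = fn(alert)
        except Exception as exc:  # a step that cannot complete is recorded, never skipped
            status, detail = "error", f"{type(exc).__name__}: {exc}"
            report.needs_analyst = True
        report.steps.append(
            StepResult(name, status, detail, started,
                       datetime.now(timezone.utc).isoformat()))
    if any(s.status == "finding" for s in report.steps):
        report.verdict = "suspicious"
        report.needs_analyst = True
    return report


if __name__ == "__main__":
    import json
    # Constructed alert: listed IP, standard user, host unknown to the CMDB.
    alert = {"id": "ALERT-0001", "src_ip": "203.0.113.7",
             "user": "jdoe", "host": "ws-unknown"}
    print(json.dumps(asdict(run_playbook(alert)), indent=2))
```

The report is the same shape for every alert, so it can be attached to the ticket as-is, and the per-step timestamps answer the auditor’s “was step X actually done, and when?” without anyone having to remember.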

Just a thought.