Data is central to the security profession. Its role is to keep organizations safe and resilient. But, in order to do it well, security teams need access to timely and good quality data to ensure that they have the situational awareness required to do their jobs. Part of this is clearly defining how data will be captured, for example in a portal. But, getting the data is only step one. From there, security teams need to categorize and make sense of the data to turn it into actionable intelligence.
To help determine the best path to simplification, we asked members of Resolver’s Incident Management Implementation Team to provide their tips and tricks for getting the most out of security data.
1. Keep it simple for the front-line user
It’s common that some security professionals spend more time cleaning up and correcting the data that was entered than they spend on any other aspect of their job. It’s safe to say report writing is usually the last thing anyone wants to do. In one implementation, a Resolver customer’s front-line users had a lot of required fields to fill out, so when it came time to create the report, they did the bare minimum so they could quickly get it done and move on.
Front-line buy-in is also critical
There is a high turnover rate in front-line users, and for the most part, security is not their primary function. As such, they are going to receive very little training on how to enter an incident. It’s often faster for users to take raw but good-quality inputs from users and codify them themselves. To improve the quality of data, keep inputs to a minimum, use simpler language to ask questions about the who, what, where, when, and why, and implement open narrative fields as much as possible.
Here are a few extra tips:
- Get to the why. Incident input users need to be able to comfortably enter the data they’re seeking, but they also have to understand why they’re inputting this information. When people don’t understand why something is important, they are less likely to spend time on it.
- As noted above, the solution should be as simple as possible. But, when that’s not possible, ensure that there is precise documentation (ideally available in the input system).
- Review data entry with the front-line. There needs to be a feedback mechanism where you review the fields that are being ignored or completed incorrectly. Each error is a teachable moment.
– Graeme Haggerty, Solution Consultant
2. Capture data the same way business is done
This might seem simple, but it comes up often. Security teams capture data in one way, but then translate it into different categories when they report to management. Most often, this happens because the security team is trying to capture a much greater level of detail. While there may be good reasons for this, there is a tradeoff that the team should be aware of. When adding additional levels of granularity, be explicit about the value that this level of detail is going to provide and the anticipated business impact.
Start at the End
When thinking about the data to capture, start by thinking first of what the report will look like. If all 1,000 incident categories aren’t going to be reported on (this isn’t a joke — this happens all the time!) then why put 1,000 incident categories into the system? If the data isn’t going to be reported, why track it? Every bit of data entered into the system has a cost in effort and data quality. The more that is tracked and the more detail asked for, the more likely it is that users will make mistakes or skip sections altogether.
– Melissa Davis, Solution Consultant
3. Get executive buy-in
Ensure alignment with the executive team on the specific definitions within the system. For example, tracking losses and recoveries can be very time consuming. It is extremely valuable data, but if the executive team does not agree with how losses are being measured, buy-in for business decisions will become much more challenging. Spending time to get aligned on what the numbers mean is very important and often overlooked.
– Dale Yushchyshyn, Solution Architect
4. Rethink the data
Corporate security reporting is based on a combination of factors (incident type, severity, location, etc.). Often when we are migrating data from legacy systems we find that multiple factors have been jammed into a single field and that lookups and drop-down lists are overworked. This makes effective reporting nearly impossible.
This is common in legacy solutions because they are not very flexible and often needed to be worked around. Thankfully, this is no longer the case for most modern systems. In newer solutions, users should be able to add fields and classifications to keep these separate.
Thinking about or currently implementing a new solution? We highly recommend taking some time to rethink the classification scheme (consultants can help!) to better map data to the desired reporting output.
– Jay Andrada, Solution Consultant
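As an added illustration (not Resolver’s code or data), the following Python splits a constructed legacy "jammed" category field into separate incident type, severity and location fields, flags rows whose severity cannot be recovered so they go to a review queue instead of being guessed, and then produces the per-location severity count that the single field could not support. The record format and values are assumptions made up for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample export from a hypothetical legacy system (not real data):
# three factors are jammed into one "category" field with inconsistent separators.
LEGACY_ROWS = [
    {"id": 1, "category": "Theft - High - Warehouse 3"},
    {"id": 2, "category": "Theft / Low / Lobby"},
    {"id": 3, "category": "Trespass - Medium - Warehouse 3"},
    {"id": 4, "category": "Vandalism - Parking Lot"},     # severity missing
    {"id": 5, "category": "theft - high - warehouse 3"},  # casing differs
]

SEVERITIES = {"low", "medium", "high"}

@dataclass
class Incident:
    id: int
    incident_type: str
    severity: Optional[str]  # None means "needs review"; never defaulted
    location: str

def split_legacy_category(row: dict) -> Incident:
    """Split a jammed category string into separate classification fields.

    Parts are lower-cased so 'High' and 'high' land in one report bucket.
    A missing or unrecognised severity is left as None rather than guessed.
    """
    raw = row["category"].replace("/", "-")
    parts = [p.strip().lower() for p in raw.split("-") if p.strip()]
    if len(parts) >= 3 and parts[1] in SEVERITIES:
        kind, sev, loc = parts[0], parts[1], " ".join(parts[2:])
    else:
        kind, sev, loc = parts[0], None, " ".join(parts[1:])
    return Incident(row["id"], kind, sev, loc)

def severity_by_location(incidents: list) -> dict:
    """The report the jammed field could not answer: count per (location, severity)."""
    return dict(Counter((i.location, i.severity) for i in incidents if i.severity))

def needs_review(incidents: list) -> list:
    """IDs whose severity could not be recovered and must be re-coded by hand."""
    return [i.id for i in incidents if i.severity is None]

if __name__ == "__main__":
    parsed = [split_legacy_category(r) for r in LEGACY_ROWS]
    print(severity_by_location(parsed))
    print("review queue:", needs_review(parsed))
```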
5. Simplify and Streamline
When it comes to security data, one thing remains true: the cleaner the data, the more accurate the reporting. Without accurate reporting, security teams will struggle to make data-driven decisions that they are confident in.