A New SOC Strategy in Light of Skills Shortage

Encompass Health CSO Mitch Thomas on Building an 'Autonomous' SOC • July 30, 2018 • 15 Minutes

A move to a "more autonomous" security operations center is helping Encompass Health cope with a shortage of skilled cybersecurity workers while improving its response to cyber threats, says Mitch Thomas, chief security officer.

"We're impacted by finding security talent - it's a shortage not just here in the Birmingham [Alabama] area, but across the country," he says in an interview with Information Security Media Group. "In Birmingham, it's even more of a challenge to find people with basic skills to read the [cyber] tea leaves - and then to retain the talent."

In addition, managing a 24x7 SOC can be costly, he says.

"The threats don't take vacations; they don't stay within business hours. We have to function around the clock at our highest efficiency all the time," he says. "In the last three years, we pretty much doubled our security spend here ... It's a real arms race against the threats, and something we're really challenged with sustaining."

Outside Help

To help address these and other challenges, Encompass Health has been implementing artificial intelligence and machine learning technology from security vendor JASK.

"It helps optimize our SOC efforts through automated response to the majority of daily incidents that we have," Thomas says. "Off-loading that would be a huge savings and reduce the need to maintain a highly skilled workforce."

As a result of automating certain SOC functions, Thomas says, "the security folks that I do keep I'm able to pay a little better salary, and they can manage those things from a higher level and help us analyze our data and provide predicted analysis as opposed to the traditional defense-response."

Responding More Quickly

Thomas summarizes why automating certain SOC functions makes sense for his organization: "If we remove all the remedial attack profile activities that tier-1 [analysts] deal with, like phishing, malware, SQL injections, port scans ... and offload all the tier-1 'tea-leaf reading' capabilities to a team of experts that we know can build and automate these attack profiles, then we stand a much better chance of winning this game. We can respond within seconds as opposed to minutes or hours on these events as they come in."

In the interview, Thomas also discusses:

- Cyber threat hunting challenges;
- The most worrisome cyberthreats;
- Other top cybersecurity challenges and priorities.

Thomas is chief security officer at Encompass Health, a provider of post-acute healthcare services. He has more than 25 years of business, security, engineering and IT experience. Thomas is also a military reserve officer currently functioning as the U.S. Cyber Command's Joint Operations Center battle captain. His previous positions include vice president of security operations at Epsilon, CTO at Trans-Tel Central and Air Force Cyber Command's senior duty officer and chief of mission systems division. Thomas also has served with the U.S. Air Force and defense contractors in IT and cybersecurity programs within the operational and intelligence communities.