This is the second in a three-part blog series from Bitdefender on how we have built principles of operational excellence (OE) into our managed detection and response (MDR) service. This second blog describes how Bitdefender applied OE principles in the design and development of our MDR service and how others can do the same.
Part 2 – Developing operational excellence in MDR
In part 1 of this blog series, we discussed how the MDR industry lacks standardization and how this causes huge variances in the quality of MDR services available. We also described how principles of Operational Excellence (OE) can and should be applied to MDR services to ensure consistency and repeatability of processes and outcomes. This enables organizations to measure the value of their MDR service and ensures greater efficiency and effectiveness – specifically, the ability to identify and respond to threats faster, increase security automation and achieve scale.
In this blog, we will detail how Bitdefender developed its MDR service from the ground-up with OE principles in mind, and how others can do the same.
When discussing OE, it’s common for people to focus on a specific approach or framework. Popular ones include Six Sigma and Lean, though there are many others. At Bitdefender, we look at OE from a holistic point of view. Rather than limiting ourselves to one model, we approach OE as a number of different tools, techniques and methodologies that all work together as an interconnected system to create transformational improvements. Bitdefender employs an entire team dedicated specifically to operational excellence and identifying how we can apply the principles cross-functionally to all different areas of our business. This enables us to not only operate more efficiently and effectively, but also ensures that our services and products are built to be resilient against the ever-changing threat landscape.
Step 1 – Strategic planning
Whether developing an MDR service or looking to improve the in-house cybersecurity operations within your organization, applying OE principles begins with strategic planning. The first step is to work through a variety of organizational maturity models to understand what your core cybersecurity capabilities are, what technologies, skills and processes you have in place today, identify where you want to be, and how you can get there. This process provides a comprehensive understanding of your existing state and enables you to create a roadmap of what needs to be done to reach your goals and desired business outcomes.
Organizations should not only work through cybersecurity maturity models, such as those provided by ISACA or NIST, but also broader organizational maturity models that apply to other areas of the business. This can reveal dependencies that may impact cybersecurity operations, or adjacent capabilities you may not have realized existed in the organization. In some cases, a security operations center (SOC) may not be able to respond to threats as quickly as desired because it is limited by dependencies on other teams or processes in the company. Eliminating those dependencies or identifying ways to leverage adjacent capabilities can help accelerate response time.
When developing a strategic plan, ask yourself “What is the desired outcome?” What are your desired business goals? What are the customer experiences you want to deliver? What does the customer want and need? When developing our MDR service, we considered not only our business goals, but also our customers’ business needs and goals. We look for the unspoken needs of our customers and then designed our service to meet them.
The strategic planning phase is also where we consider organizational design. In our first blog we discussed the limitations of the Squad Model in cybersecurity operations and how it can hinder an MDR services’ ability to scale. During the strategic planning phase, you must consider everything from a holistic point of view so you can identify where those limitations or gaps might exist and develop better organizational models or processes to overcome them. Consider not only the organizational design, but also the handoff between processes, tools, techniques and people. Examine the entire operation and how it will all fit together. This will enable you to identify and understand what points in the process can be automated and which should be manual hand-offs.
It’s important to not skip the strategic planning step. Too often organizations want to jump right in, adopting the latest cybersecurity technologies, but they fail to plan for the related dependencies and needed capabilities that come with these solutions. The most advanced cybersecurity solution won’t help if an organization doesn’t have the right processes in place or the skill sets necessary for optimizing and continually managing it. Maturity modeling enables an organization to understand where they stand currently and where they need to go. It enables them to set expectations for investments in different areas of the business in order to achieve those goals. It also establishes a baseline to measure progress against.
Step 2 - Carrying out the strategic plan
Once the strategic plan is developed and you know the goals and outcomes you’re working toward, the next step is to put all the operating mechanisms into place. This is where process management, and performance management enter the picture. To begin, you must think strategically about what key performance indicators (KPIs) will be needed to measure the effectiveness of processes and the performance of the MDR service.
Every organization will have different KPIs based on their particular needs. Every environment is different, all business’ goals are different, every threat is different, and every MDR services’ approach to detection and remediation will be different. However, at a high-level, any MDR service should be able to measure the value of their program against KPIs that tie back to efficiency, effectiveness, cost, and whether the service is delivering what customers truly want and need.
Regardless of what KPIs are used, when carrying out your strategic plan, it’s not enough to simply report KPIs. Look for trends in the data. Ask why a particular trend is going up or down, what is the root cause, and do you have the right processes in place to address it? These insights will tell you much more about the state of security than simply measuring the number of incidents identified or time to response. When designing with OE principles in mind, you must ask yourself whether you have standardized, repeatable and scalable processes in place that enable you to achieve your KPIs or improve the situation if needed.
Step 3 – Measurement and feedback
Once you’ve started implementing your strategic plan, the next step is to start measuring your processes for effectiveness and efficiency. This is where the KPIs come in to play as diagnostic metrics, and measurement should be an ongoing process. The KPIs will help identify where there are bottlenecks and what are the most time-consuming parts of the process. Use them to pressure test your processes, create new baselines, and collect data to see where you might be having difficulties and adjust.
When it comes to cybersecurity, no news is good news. But when all is quiet, the challenge arises that CISOs and other executives do not see the value of the MDR service. The ability to tie KPI measurements back to efficiency, effectiveness and cost is key to demonstrating value to the C-Suite. You must tie the MDR processes back to what is meaningful to the customer and stakeholders.
Though the data from the KPIs provides diagnostic information and feedback that processes are working as they should, it is not the only type of feedback an MDR service should rely on. Net promoter scores (NPS), customer surveys and employee surveys can all provide valuable feedback about the efficiency and effectiveness of the service. As an MDR provider, we take these feedback channels very seriously and use them to drive improvements in our organization and service. Doing this helps enable a cycle of continuous improvement.
Step 4 - Continuous Improvement
With measurements and feedback in hand, you’re now able to enter into a cycle of continuous improvement. Following OE principles, we use the diagnostic data of the KPIs and feedback from customers, partners and employees to adjust or implement new processes, make improvements and monitor for results.
One of the most effective ways to make significant improvements quickly is to use the Pareto analysis (sometimes referred to as the 80/20 rule) to identify the top few initiatives that will create the greatest gains. This enables us to focus our efforts on those quick hits or “low hanging fruit” that can achieve significant results, such as reduced response time, new efficiencies or greater innovation. Aim to identify the transformational initiatives (either technological or organizational changes) that will make a big difference in driving efficiency and effectiveness.
Finally, it’s important to remember that operational excellence is more than just a business strategy. It must become a fundamental part of the organization’s DNA, woven through every aspect of the business’ culture. Part of the continuous improvement cycle includes developing a high-performance work team where people are always looking for ways to make improvements. It can not be a one-time initiative. Rather, organizations must develop a culture of constantly evaluating the way you do things and identifying opportunities to improve. As this culture begins to spread throughout the organization, that is when you will start to see truly transformational gains and the customer outcomes you seek.
Coming up in Part 3…
Applying principles of operational excellence to an MDR service not only builds resiliency into the service, but also delivers better customer outcomes. In part 3 of this blog series, we’ll detail how OE principles are woven throughout the day-to-day operations of our MDR service and how that benefits our customers.
Learn more about the MDR market and its dynamics with the 2021 Gartner Market Guide for Managed Detection and Response Services complimentary report.