| 6 min read
| Nov 14, 2018
| by Mase Issa

How to get the most out of your upcoming SOC tour: making your provider uncomfortable

Yes, you read that right. This is an article about how to make us uncomfortable. If you’re in the market for an MDR or managed security services provider or looking to keep tabs on your existing provider, visiting their security operations center (SOC) can be a good way to get a sense for what you’re really buying. Even the most technically advanced providers with great platforms (ahem) have people as part of their solution. The SOC floor is where the people and technology meet to provide – or fail to provide – value.

Providers plan for these kinds of visits, and if you go by their default agenda you can expect to see pew-pew maps, talk with smart folks and basically get a more detailed version of the party line. We thought it would be interesting to tell you how to throw a wrench into the works – you can even use that wrench on us – with the end result of getting more useful feedback and a better perspective on what the life of a customer is really like.

Start with their customers

If you’re planning a visit to a managed security provider’s SOC and you haven’t talked to any of their customers yet, stop planning your trip right now. The very best way to get a sense for what it’s really like to be a customer is … wait for it … to talk to a customer. We’ll be following up with a few pithy tidbits on conducting customer reference calls. For now, suffice it to say you’ll get a higher fidelity picture of customer life by talking to customers. During a SOC visit, you’ll likely be shown what the provider wants you to see by default (and yes, if you let us set the agenda we’ll do the same thing). What we, at Expel, want you to see may be different than our competitors, but it will still be what we want you to see, not what you want to see. You shouldn’t let us do that.

Step 1: Prepare

You’re investing all this time, so maybe you should do a little prep. Let’s skip the “think about your requirements, write them down, review them” nonsense. You already know that. Here are a few things that will make your life better if you can do them ahead of time:

  • Think about what we need to do to make you happy. No, seriously. Don’t say “we want to reduce our risk.” Of course you do. Be selfish. How do you want to spend your time during the day? What annoying work do you want out of your way? What thing should I, as a provider, never do, or you will curse my soul and haunt me forever? Let me say this again: be selfish. There are other things you want to get done besides the mundane day-to-day of security operations. What would make you and your team happy? Yes, you can say “security” and “happy” in the same sentence. I just did. QED.
  • What do you want to pay? Know that up front. Discuss it with your provider before you commit to a visit. It’s the easiest way to tell if you’re wasting your time.
  • When are you buying? This helps both of us. If a provider doesn’t know when you’re really going to buy, get ready to be annoyed at all the times you want to be left alone. It doesn’t have to be precise, just close. “Probably Q4 this year, maybe Q1 next.” Perfect, I have expectations, I can modify my behavior so I don’t piss you off.
  • Who is making the decision? They should probably be at the tour. If they’re not, why not? We’re going to ask you if the decision maker will be in the room before we schedule the visit. “Yes” means we’re both going to get to an answer about doing business together faster. Random fact: a fast “no” is second in value only to a fast “yes.” “Maybe” kinda sucks, quite frankly. We’ll waste less of your time with “no” or “yes” … and we both know you don’t have enough time as it is. Your job is hard. Harder than ours, frankly.
  • As for the agenda, we’d suggest skipping things you can do elsewhere if you’re looking to maximize your time. Do things you can only do at the vendor’s facility. Craft an agenda that lets you peek in nooks and crannies. Whatever it is you want to hear about, the interesting part is who delivers the information, and how they do it.
  • You’ll definitely want to see some deliverables. These, obviously have to be scrubbed, so asking in advance is important. In addition to asking for deliverables, ask to see what it looks like when something goes wrong. Because something will go wrong. Anyone who says different is lying.
  • Keep an ace up your sleeve. You’ll need to ask for some things ahead of time to ensure you get them (example: getting a CISO’s time is hard, as you probably know, so if you don’t ask ahead of time when you’re building your agenda you may not get it). But there are lots of other things that should be easy … and if they aren’t, that tells you something. I’ve got a specific ace to suggest to you below.

Step 2: Showtime!

The big day arrives and off you go. Huzzah. Whatever the agenda is – see the SOC, talk to the CISO, do a demo, talk about roadmap – pay attention to how the content is presented and who presents. That’s often more telling than the content itself. The same goes for the environment it’s presented in. Here’re some things to watch out for:

  • Welcome to the executive briefing center: Don’t get me wrong, EBC’s can be impressive facilities, and they certainly have great snacks. However, if I want to know what I’m buying I want to see the halls and walls where work is done. You can get a sense for the energy of a workplace just by walking around. Do you only get to see the visitor break room, or are you pouring your coffee next to the engineers and analysts building the solutions you’ll be buying? Is everyone energized, or do they look like they just filled in six additional copies of their TPS report that morning?
  • I’ll get back to you: Is a real subject matter expert talking to you about your agenda interest areas, or is it a briefer whose primary job is managing customer and sales prospect visits to the SOC? If it’s an executive, is it a real decision maker or someone with an impressive title that isn’t really involved in running the business? Don’t get me wrong, “I don’t know, I’ll have to get back to you” is a way better answer than someone faking it when you have questions or want decisions, but keep track of the trend. It will tell you how close your presenters live to where the rubber meets the road, and therefore how good a proxy they are for the solution you’re buying.
  • Let me bring up my slides: OMFG not another PowerPoint deck! Yes, some clip art can be useful, but pay attention to whether presenters use other media to help you understand what it’s like to be a customer. Whiteboards for technical discussions, conversations in front of demo screens (or cleansed live screens), energetic dialogue around a table instead of a dry presentation that’s obviously canned – these indicate you may be getting a truer look into the provider’s reality than if you’re watching a video or a rote-memorized presentation. Does talking to any of the provider’s staff feel like talking to your own team? How you feel after those dialogues tells you something.
  • Here’s our roadmap: OK, a vendor’s plans for the future are well and good … and necessary. However, consider asking about what was built in the past. “In the past 12 months, what third-party integrations have you done? Which features did you release? Why?” You know how you ask about work history when you’re hiring someone? There’s a reason for that – past behavior is a great predictor for future action. Can they answer it? Will they answer it? Again, this tells you a great deal in a very short period of time.
  • Why are you here: If you get access to a few presenters you can often tell a great deal by asking a few questions of each of them. “Why do you work here?” is a great one. Ask it a few times. Triangulate the truth by comparing answers from different staff. You’ll get a sense for the excitement, energy and pride the provider’s team has … or doesn’t have.
  • Play the ace: Time to ask for something off script. When touring the SOC ask if you can spend a bit of time with a shift analyst – someone on the pointy end of the spear whose responsibility is providing service, 24x7. “Um, no you can’t,” tells you something. If you can talk to one, have a conversation to find out what it’s really like to work at the provider. Do you leave the conversation wanting to hire them?

In short, get up close and make them uncomfortable

Visiting your current … or would be … managed security provider can be a telling experience. It’s a big time investment, but it can often be the best way to separate fact from fiction and see what you’re buying first hand In addition to the mechanical requirements (See the SOC? Check. Get the security program presentation? Also check. See the roadmap? Sigh … check …), think about evaluating the truth in between the lines. Make the provider uncomfortable, get close to where the action happens. The snacks won’t be as good, but it will tell you way more than polished presentations in fancy conference rooms.


7 habits of highly effective SOCs

Before I talk about effective SOCs that run like well-oiled machines, let’s get one thing straight. SOC isn’t a dirty word. But I totally understand the negative connotation and that’s exactly why I’m writing this post. Alert fatigue is real,…
Read More