I’m often asked what “good looks like” in the modern SecOps space. By that people usually mean, what are the incremental improvements we can make to What-We’re-Already-Doing? I don’t like answering that question, because What-We’re-Already-Doing is part of the problem.
The more important question is, what paradigms are fundamentally changing the SecOps space, and how are world-class security orgs responding to them?
There are many ways to answer that question, but here is one to consider: Does your SecOps team spend more time doing prevention engineering, or detection and response engineering? In 2025, it needs to be the former.
Traditional SecOps is a Detect & Respond function, which is inherently event-driven and reactive.

Performance optimisation in this world is about shrinking the gaps between event occurrence, detection, and response. I’m not saying this isn’t important: in an Assume Failure world, there will inevitably be something to detect and respond to, so you’d better be good at it.
Nevertheless, this is on the output side of the funnel. It’s the equivalent of trying to drive in London by looking only in the rear-view mirror; everything you can see has already happened. Given the speed and multi-modal nature of modern, sophisticated cyber attacks, this approach is no longer fit for purpose.
SOCs stuck in this mental model have a tacit belief that if they can just shrink the gap enough between event occurrence, detection, and response, they will be less overwhelmed and more effective. It feels true, but it isn’t true. We’ve been around this mountain 2 or 3 times before in the last 15 years, each time buoyed by the promise of some new tech (SIEM!) or operating model (offensive security!) which never delivers.
The only way to drastically reduce cyber events on the output side of the funnel is to address them on the input side, before they become problems.

To do that you will need to join up all exposure and posture-relevant capabilities into a cohesive proactive, preventative security function. The usual counter is, “But cross-organisational, proactive, preventative security is hard, sits across different teams and toolsets, and isn’t a SecOps responsibility”.
I know. That’s the paradigm change.
The structures and mindsets entrenched in our org charts, operating models, and cyber-cultural lore are built to cater for a reactive, event-driven, detect and respond world. Unless those systemic structures and mindsets change, we will continue applying leverage to parameters that cannot and will not change our outcomes. That model isn’t keeping up now, and it will fall further behind as time goes on.
To paraphrase a quote attributed to Einstein: we cannot solve our problems with the same thinking we used to create them.