A common operating picture can play a unique role in the hierarchy of the security budget. It acts as a single source of truth for alerts, alarms, and all the critical events that potentially impact your enterprise. As a result, it provides crucial insights into other budget line items. A common operating picture can help your security team understand and quantify the return they are getting from investments in threat intelligence, PSIM systems, and other technologies. The right common operating picture can also help quantify operator/analyst output, showcasing the value of a hard-working security team.
Key Attributes of Common Operating Picture
Integrate Risk Intelligence and Physical Security Data
Data and metrics are fundamental to any ROI discussion. That’s why your common operating picture should integrate a wide variety of data relevant to physical security teams, such as risk intelligence, fixed and in-motion assets, employee locations, alerts, alarms, etc. The more types of data your common operating picture can ingest, the more detailed your ROI picture can be.
Company asset data should also include key contextual information, such as facility type and any restricted areas, number of employees, and office manager contact information. Anything that facilitates situational awareness and quick decision-making is useful contextual information.
Focus on Actionable Risk Intelligence
The objective of integrating data is not to flood the security operations center with too much information. Display risk intelligence and asset information in a way that improves speed to recognition and response time. Your common operating picture should be able to filter risk intelligence based on type, severity, proximity, and other factors. The faster a security analyst or operator can correctly respond to risk, the faster potential impacts from that risk can be mitigated.
Triage and Respond with Streamlined Workflow
A common operating picture should empower users to respond to any type of critical event within the application. This allows for an immediate time-saving benefit: an operator can swiftly take action without switching systems or screens. The response or individual steps may vary depending on the type of event (e.g., a natural disaster vs. a forced entry). That’s why your common operating picture should provide a workflow that can be configured for different types of events, for instance by including SOPs or the steps that must be taken. The goal is to include the correct workflow steps without adding unnecessary ‘clicks.’
Document Team Response to Alerts and Incidents
This capability is crucial because it captures the responses and other actions taken by the security team, whether onsite or located remotely in the SOC. This information should be logged and timestamped to understand how long specific responses, investigations, or other activities take. The information can then be used for a variety of purposes, including performance benchmarking, staffing decisions, after-action reviews, and others.
Include Risk and Response Data in Situation Reports
A common operating picture should deliver maximum utility at every step. This means leveraging the information associated with alerts, assets, and actions. Risk intelligence contains a variety of information, such as a summary of what happened and where the event occurred. Operator responses include key steps or remediations taken, personnel contacted, impacts, and other valuable information. This information should automatically populate communications and reports, eliminating the need to copy and paste between systems.
Automated Reporting and Analytics
Your common operating picture should generate branded reports automatically, provide key analytics to help you run your security operations better, and demonstrate the value of your security operations to executive leadership. Automating these processes saves valuable time and keeps security team members focused on protecting the organization.
Measure and Report on Relationships between the Data
The features listed above are powerful on their own. Their effect is amplified when your common operating picture identifies relationships between alerts, assets, and actions. This is what ultimately helps you quantify the return on other investments in security technology and programs.
A common operating picture should empower security teams to address questions such as:
- How many different alerts did we receive over a given timeframe? What types of alerts occurred most frequently? How many alerts came from each provider?
- What were the most common risks faced by our organization? When risks were identified, how did security respond, and what was the result?
- How many offices were impacted by natural disasters, and how severe were the impacts? Were employees notified and evacuated?
- How quickly do operators respond to different types of incidents, and does that vary between shifts? What steps were taken, and were those compliant with company SOPs and policies?
What about ROI for the Common Operating Picture Itself?
As discussed above, a common operating picture can provide insights into security investments that are otherwise challenging or impossible to identify. But the right common operating picture also delivers its own positive ROI in the form of faster responses, saved time, improved productivity, and a deeper understanding of how physical security risks impact the organization.
Discover how TopoONE by Crisis24 can deliver a single pane of glass solution for your integrated risk management and security needs.