I have my opinion on this but wanted to see what others think.
Specifically speaking of a SOC case management system, who should have access to the raw case information? Obviously the SOC Aanalysts and the Manager should, but who else? Should Audit, the CISO, the CISA?
Case management can be a powerful mechanism for collecting, analyzing, and even distributing information linked to incidents leading to more effective and efficient triage. Giving the intimate details of an incident’s life cycle can in my opinion cut both ways.
It can potentially stimulate the C-Suites awareness to what is actually happening within the environment ultimately leading to support for additional technologies, staffing, even dollars. If they are educated on how exposed the organization is then they will have raw context on what it actually takes to thwart well-crafted targeted attacks.
On the other hand, what SOC Manager out there wants “the higher ups” dissecting their incident response process? Often, there is a gap between the strategic vision of executives and actual real-world experiences seen by the analysts in the trenches. The SOC Manager is stuck in the middle trying to bridge that gap. Is case management that bridge or a medium for blame?
In my opinion, I think there can be a healthy balance of what is shared and what is kept on the ground level. I think both the C-Suite and SOC Managers can all agree that vulnerabilities are out there and extremely expensive to remediate. That’s why collaboration is so important across the playing field. Find out what is important to upper management, use appropriate case management as an educational forum to unify the overall vision for risk mitigation. This has the potential to change the way the team thinks about the nature of cyber risks and how it can affect the overall health and wellness of the business.