We supported the build of many Security Operations Centres (SOCs) throughout 2021. So, we thought it may be beneficial to highlight some of the key learning points for SOC leaders looking to build new teams or grow out existing ones.
We will cover key lessons learnt, from inception to go-live.
The SOC of today must be sufficiently equipped to defend against the ever-changing threat landscape.
This includes not only the sophisticated tools and processes they arm themselves with but also the personnel who use them. The deck is clearly stacked against the defenders. An attacker needs only a single opening to uncover sensitive information or a backdoor. In contrast, the defenders must secure against every potential attack vector.
Therefore, it is paramount to build your team correctly and get it right the first time.
Throughout 2021 there were many important findings when building a SOC, with one key standout: mindset.
The ability to think critically and outside the box is a skill that is hard to come by. An analyst who may not be top of the charts when it comes to tools known or networking knowledge, but who has fantastic soft skills, will offer something more valuable. It is not all about technical skills. After all, you can teach a ballerina cyber security, but you may find it hard to find the inquisitive nature which really supports a “blue teamer” and, by extension, your SOC.
How many people do you need? Again, multiple factors can determine this.
Quality over quantity is a somewhat cliché statement; however, it could not be more relevant here. There is a finite amount of talent in our industry, which makes staffing a SOC a colossal challenge. Equipping a skilled, small team with the right set of tools is infinitely more efficient than a larger team consisting of average analysts using the same tooling.
Does the team lead need to be technical, or primarily a people manager?
Our findings have led us to believe that the former is the ideal starting point: a technical level 3 analyst doubles as the team lead. They will be happy to stay technical while managing the strategy and incident processes, so there is no need to hire both a people manager and a SOC lead (depending on budget and growth plans).
When do you need them to start?
If there is an urgent requirement from clients to get the SOC operational straight away, before the first analysts have landed, you have already lost the battle. Rushing to bring in personnel will only lead to bad-fit hires and employees who are overworked in the first 2-3 months of their role.
The opposite also applies: are you bringing in people to sit on their hands for the first 3 months? A considerable balance needs to be struck, and a realistic understanding of pipeline/workload needs to be determined. Measure how many end users your potential clients have and decide the right balance.
What skill sets do you need?
Now, there are a million and one tools out in the wild west that is cyberspace.
A smidge of flexibility needs to be exercised when looking at skill sets. You will NOT find the perfect candidate with 100% of the tools you are planning to use, so be open-minded.
There also must be an understanding that as analysts become more experienced, they seek out the industry-leading tools to work on, so plan your offering carefully when thinking about who you will attract. Again, this goes back to our opening paragraph: you can have all the tools, but you still won’t be fully protected, so the right analysts in your team are vital.
Can 24/7 protection lead to burnout?
The last big hurdle to overcome is your decision on whether to offer your clients full 24/7 protection. This is an area that we cannot comment on at length, as ultimately it is a business decision with many factors.
The only thing we can comment on is the effect it can have on analysts. Burnout is a huge factor in why analysts seek a new role; preventing burnout will aid retention and could save you 2-3 hires per year.
There must be clear progression away from shift work. This could be 1 year down the line, where analysts can specialise in a certain area of the business or become a lead. These are typically not shift positions, especially when it comes to senior tier 2 or tier 3 analysts.
A few days could be dedicated each month to allow the analysts to focus on areas other than alert monitoring, leaving them to develop an area they are passionate about, such as automation or proactive hunting.
In the long run this will produce more skilled and less mentally taxed employees.
Logistics & Commercials
Let’s be honest, COVID-19 has changed people’s mindsets when it comes to how, where and when they want to work. This is especially true in our industry, as most responsibilities can be fulfilled at home wired up through a VPN or another secure connection.
With this in mind, where you ‘build’ your SOC is an important factor to consider.
If you decide on a primarily on-site SOC, you’ll need to focus on the UK hubs like London, Bristol, Manchester, etc. In comparison, a hybrid/remote stance gives more flexibility in your hires and enables you to utilise the whole UK market.
Keep in mind your competitors are offering fully remote work.
Building a salary model
Salary benchmarking is a tricky subject. SOCs are usually created with stringent budgets, so being able to identify how your competitors are compensating their staff is a big bonus. In our opinion, a tier-based system is ideal, with something akin to the below:
Tier 1 Security Analyst
Tier 2 Security Analyst
Tier 3 Security Analyst
Creating these clear tiers allows you to band correctly while still being flexible. The layout also gives clear progression for your analysts, which is a huge factor in retention and one we will go over in our next series.
In summary, we have discussed the first steps that all MSSPs and end-user businesses should take when building their first SOC. The above points can also be used when reviewing an existing SOC and deciding how you are going to expand effectively.
Look out for Part 2, where we will be discussing how to recruit and retain staff enabling you to create the perfect SOC service.