The Changing Role of the Modern SOC
Security Operation Centers (SOCs) aren’t what they used to be — basements crowded with network traffic analysts who rarely saw the light of day. Remote and hybrid work patterns, the diffusion of office locations and advancements made in remote monitoring and management tools have forever changed the face of the SOC.
Further, the demand to keep operations working around the clock with less staff means teams SOC must be more efficient than ever. And they must be more involved with the business and what it is trying to achieve.
A.N. Ananth, Chief Strategy Officer and Resident Cybersecurity Evangelist at Netsurion and co-creator of Netsurion’s open XDR platform, believes SOCs are warranted for medium to large organizations at a minimum. But while small organizations need them, too, the function tends to be outsourced.
“The SOC monitors and secures the IT assets, cloud-based systems, and the remote or in-house employees of the business,” said Ananth. The network is so critical that losing it negatively impacts a business in a major way.”
Running a SOC without running the SOC team into the ground
If a SOC operates 24/7, it will need at least 12 people to ensure they all keep reasonable schedules, can have time off and can be trained on the latest technologies and security strategies. Beyond that, SOCs with more resources can incorporate threat intelligence, threat hunting and automation and become proactive about potential threats. Thus, the skill sets required within a SOC will vary. Some will include top-notch threat hunters who can get to the bottom of an incursion, while others may only be able to recognize potential threat content and send an alert. There is also a need for basic monitoring duties, as well as a manager to run the SOC and someone who can interface well with other departments and clients.
“The advantage of working in a SOC is that it allows some degree of specialization and a career growth path for individuals,” said Ananth. “The SOCs that succeed really understand what the business is, what risks are appropriate, what users are doing, what sorts of applications are in play and what is important to keep things running.”
The remote SOC trend is accelerating, and it’s a boon for young professionals
The trend towards remote or hybrid rather than centralized SOCs has been slowly evolving for years, but the COVID-19 pandemic accelerated it. SOC duties can be done remotely without losing much or exerting too much impact on contracted service level agreements (SLAs). This trend also opened the door to a much wider recruitment pool. With IT resources, especially skilled cybersecurity personnel, being in such short supply, SOCs could pick up employees nationwide or even globally.
What should you learn next?
What should you learn next?
Of course, this brings a new set of challenges related to distance, time zones, schedules, the division of duties and overall management.
SOC positions are in high demand. Where are the qualified candidates?
Like many other sectors of the cybersecurity industry, remote SOCs often hit a barrier in finding the right resources. Despite a surfeit of qualified people looking for work, HR departments frequently need more candidates. Professionals with many certifications and skills sometimes say they have sent their resumes in response to dozens or even hundreds of job postings without getting a single interview. How can this be?
Part of the problem is the pattern-matching systems used in HR to weed out wildly unqualified entries by requiring certain key phrases to appear in the resume. Just as bad, the application process is crafted by HR workers who often know little or nothing about IT and cybersecurity. They get the job description asking for a certain number of years of experience and several certifications such as CISSP. If CISSP doesn’t show up in the document, HR doesn’t mark them as candidates – even if they have other similar certs that would probably suffice.
Ananth believes it’s possible to “train” HR to understand what’s being implied instead of just strictly what’s being said in a resume, focusing on experiences and qualifications that don’t fall under strict degree or certification signposts. “The most interesting people may come from the most unconventional backgrounds,” he says.
Ananth recommended placing less importance on educational qualifications and more on finding people with a demonstrated track record of being able to think and function on their feet in challenging situations. Yes, you may make the occasional mistake if you are a little looser with hiring requirements, but a probationary period can be a way to get around that.
Curiosity in IT and cybersecurity
There is an old saying, “Curiosity killed the cat.” That may well be the case for cats in certain situations, but curiosity won’t kill a cybersecurity career. Ananth isn’t necessarily keen to hire someone who has been doing the same function for 11 years, as it may indicate someone satisfied with merely doing the same work day after day, year after year. Potential SOC employees should have the right mix of curiosity and experience. Curious people tend to be more teachable and interested in learning new things. If hiring someone with the ideal qualifications and the requisite number of years of experience is beyond your budget, it might be time to recruit someone who can be trained rapidly. Therefore, look for signs that the person is exploring new horizons, is keen to try new things, and can think on their feet during interviews.
SOCs offer cybersecurity opportunities
The modern SOC, then, is changing rapidly from its traditional roots. Remote operations, smaller teams and the demand for higher efficiency would appear to limit the number of cybersecurity opportunities available to young professionals. But the opposite is true. More organizations than ever require SOC services, whether in-house or outsourced. Those with the right mix of skills will find ample SOC career possibilities in the coming years.
Learn more about A. N. Ananth's predictions for the future of Security Operation Centers by watching this episode of the Cyber Work with Infosec podcast.