Building a SOC - Staffing

Staffing is often one of the most challenging aspects of building a Security Operations Centre (SOC). Experienced SOC professionals are difficult to find, expensive to recruit and hard to retain. Regardless of the processes and technologies in place, a SOC is nothing without the right people; their ability to investigate intrusions and keep abreast of cyber threats, vulnerabilities and advancements in techniques is a crucial element of successful SOC operations. In this paper we look at some of the staffing questions you may need to consider when looking to create a world-class Security Operations Centre.

Consider the mix

For your SOC to be a success it's vital that you staff it with the right mix of skills, experience and roles, bearing in mind that these people will all need to gel and complement each other as a team. There is a range of things to be done, from the mundane and process-driven, to piecing jigsaws together, right through to the deep technical challenges. You'll most likely want to have tiers of staff with different skills and aptitudes working together. Bear in mind that it's no good having a team of uber analysts if nobody is keeping an eye on the time or on what you're actually meant to deliver. The soft skills are also critical, and no one can determine the ideal mix other than you; this will often depend on the culture of your organisation and the purpose of your SOC, a topic covered in my last paper.

In-house or new blood?

So you need some high-calibre technical experts. If you're lucky you will already have a pool of skilled analysts within your organisation to draw from; people who are familiar with your internal networks, systems, business and politics. In practice, transferring these staff to the new SOC can be fraught with difficulty; they may not be releasable from their existing roles, or may not wish to work in the new SOC environment.

Transferring from other roles can often be a big change for staff. Amongst other things, the SOC roles may require shift work, adopting the ITIL way of life, and performing against the rigour of SLAs (or OLAs if your SOC is internal). It's worth an open discussion with the people on your pick list as to whether this is right for them.

The alternative is to recruit externally to fill the SOC vacancies. This can bring the benefit of fresh eyes, but as with all recruitment, it will take time and effort. It can be quite difficult to assess a candidate's suitability for SOC work within the confines of a regular interview. Very quickly you may find yourself devising and staging assessment centres to identify the aptitude and ability of applicants. It's not always the obvious things that identify a good SOC analyst. Ask me and I'll tell you some stories of the successes, learning points and surprises I've had so far!

Experience

Even if you do plan to use existing staff from across your business, it's unlikely they will have worked in a SOC environment before. The style of working (shift work, changes in tempo, and the need to alternate between monitoring and in-depth analysis) can take some getting used to, and ultimately isn't for everybody. One way to kick-start your new team is to tempt staff away from established SOCs. Recruiting experienced talent can be expensive though; the Barclay Simpson 2015 Security Market Report shows that average salaries for Security Analysts range between £42-50,000 (rising to £49-60,000 in London), with Network Security Team Leaders earning £70-76,000 (£84-89,000 in London). Even the smallest SOC will typically need 4 analysts and 1 team leader to operate successfully, with that number increasing drastically if a 24x7 service is required.

Discretion

In order to monitor for anomalies, intrusions or incidents, SOCs tend to have unparalleled visibility of data from right across the enterprise. This means that SOC staff will need to be highly trusted and extremely discreet, as it is likely that they will see documents or conversations during the course of their work that a regular staff member would not normally be privy to. For some organisations this will necessitate SOC staff holding the highest level of security clearance, something that may not be achievable. If you're not going through an external clearance process, you may wish to think about what additional internal checks you'll run before allowing access to all the data held in your SOC.

Qualifications, training and mentoring

The security landscape is far from static, meaning that staff will require constant and continual training to keep abreast of new and upcoming threats, techniques and tools. A well-defined training programme will ensure that analysts are always learning and improving. This begins with a comprehensive induction to bring everyone up to a common baseline, regardless of their prior experience or background. It is likely that there will be vendor-specific training (in the shape of instructor-led courses) for the software/hardware elements of your SOC; these are often a great way to ensure that all staff get up to speed quickly and are able to use the tools at their disposal. As new tools or capabilities are released, staff will require refresher training, something that needs careful factoring into future training budgets and staff rotas.

On-the-job training is vital for passing on the organisation-specific elements of the SOC: the processes, procedures and ways of working. The easiest way to transfer this knowledge is for experienced analysts to mentor new starters. Whilst in principle a laudable aim, in practice experienced analysts are often too busy to spend time training, which can lead to frustration for both teacher and student. This is particularly true in SOCs with a high turnover of junior staff, where an experienced analyst can find themselves coaching and nurturing newbies almost every week.

Running a successful SOC also means diving head first into the alphabet soup of security certifications: CISSP, CISM, CISA, ISSMP, CompTIA, GIAC, CCNA, SSCP; the list keeps growing. Most SOCs find that no single certification exactly matches their business processes, so some staff end up with an impressive string of initials after their name, and an equally massive training budget to match! It's also worth saying that the inverse is equally true: just because somebody applies to work in the SOC with an armful of cyber certifications and a brand new information assurance degree doesn't necessarily make them right for the team.

Mindset and aptitude

We find that whilst professional qualifications and national security clearances are useful indicators, it is a particular mindset that separates a great employee from a great SOC analyst. The thirst for knowledge, an inquisitive nature, natural curiosity and enthusiasm are attributes shared by all good SOC staff, and are what keeps them coming back day after day. The ability to prioritise work in a fast-paced and deadline-driven environment is key, along with attention to detail and a commitment to providing a high quality service. In short, you're looking for a cyber superhero!

Communication

A good SOC analyst needs the ability to communicate, not just with their colleagues and teammates, but also with a wider non-technical audience. Many analysts struggle with the translation from geek-speak to business language; they may be able to reverse-engineer malware or identify unusual packets on a 10 Gigabit network, but those skills are almost useless if the findings can't be shared in plain English. Whether it's producing written reports, or presenting intelligence derived from a mass of raw data, it's vital that SOC analysts are able to relate the impact of a security event to business leaders, clearly and concisely. This combination of in-depth technical and interpersonal skills is exceedingly sought-after, and an analyst who possesses this rare commodity could very likely have a successful career as a security consultant, working on site with clients, rather than pulling shifts in a SOC. This makes retaining staff with blended technical and communication skills an extremely difficult task.

Career progression

Almost all SOCs suffer from a lack of career progression due to their small size. Typical roles include:

- SOC Analyst: responsible for the day-to-day monitoring, analysis, triage, and customer-facing interactions
- Security Specialist/Investigator: uses deep technical skills to investigate anomalies
- SOC Manager: responsible for staff rosters, development programmes, recruitment, training and the overall running of operations

For a small corporate SOC, it would be common to have one SOC Analyst and one Security Specialist on each shift, with a SOC Manager overseeing the bigger-picture elements of the service. This structure can result in very limited career progression opportunities, not least because the skills required to be a good SOC Analyst do not necessarily lead directly on to being a good Security Specialist or SOC Manager. Each role requires a discrete set of skills, and whilst it may be useful for a SOC Manager to have worked their way up through the team, it is by no means a requirement.

One technique used by some businesses with an internal SOC is to rotate staff between traditional IT support teams and the SOC. Whilst this can assist with knowledge transfer across a wider team, it does not immediately solve the problem of career progression within the SOC.

Staff retention

As you'll hopefully have realised by now, a good SOC analyst is a rare breed indeed. In a 2013 study published by (ISC)², Booz Allen and Frost & Sullivan, 47% of respondents said that security analyst was the job title undergoing the most extensive workforce shortage. Whether you recruited your analysts or have grown your own, there will be lots of other companies trying to hire them from you, particularly if their CVs are now laden with industry-recognised qualifications.

SOC work can be highly demanding, stressful, repetitive and boring, sometimes all at the same time! This can lead to poor staff morale and ultimately a high level of staff turnover; rates of 30% per year are not unheard of in some sectors. Some of the topics we've already covered (such as training and career progression) can help with retention, but a good SOC will need to continue to provide an exciting, challenging and nurturing environment, keeping analysts at the top of their game for a prolonged period. This is far harder to achieve for single-tenant SOCs (e.g. those which are only monitoring a single organisation or estate), as the lack of diversity can lead to boredom and repetitive tasks more quickly than in a multi-tenant environment.

Finding, recruiting, training and retaining SOC staff is hard, time-consuming, expensive work. Is there an easier way? Falanx Assuria. Talk to us to take the pain out of Protective Monitoring.

E: info@falanxassuria.com
T: +44 (0)207 856 9457
W: www.falanxassuria.com