This feature first appeared in the Spring 2023 issue of Certification Magazine.
There's a great deal of research done to track the ever-growing cost of data breaches and other cybersecurity snafus. Last year, IBM and the research firm Ponemon Institute estimated the average total cost of a data breach, to businesses and organizations anywhere in the world, at $4.35 million. It's worse in the United States, where the average total cost was $9.44 million.
It's no wonder that cybersecurity staffing is a top priority for just about every human resource department everywhere. There are a number of key positions required to create and sustain effective enterprise cybersecurity. One emerging role that's vitally important is that of SOC manager, the point person and key decision maker at the heart of a security operations center (SOC).
How a security operations center functions
Before addressing the SOC manager role, let's discuss what a security operations center, or SOC, is and how it functions. The mission of a security operations center is to monitor, prevent, detect, investigate, and respond to cyberthreats around the clock. That's right, truly effective cybersecurity never sleeps.
SOC teams are charged with monitoring and protecting an organization’s assets including intellectual property, personnel data, business systems, and brand integrity. The SOC team implements the organization’s overall cybersecurity strategy and acts as the central point of collaboration in coordinated efforts to monitor, assess, and defend against cyberattacks.
Although the staff size of SOC teams varies depending on the size of the parent organization and its industry positioning, most have roughly the same roles and responsibilities. For instance, a financial institution will have more personnel in certain SOC roles than might be required in a less high-profile industry.
In practice, then, an SOC is a centralized function within an organization that employs people, processes, and technology to continuously monitor and improve the organizational security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents. This overall responsibility has three key areas of focus.
Prevention and detection: When it comes to cybersecurity, prevention is always going to be more effective than reaction. Rather than responding to threats after they have escalated, SOC teams monitor IT resources around the clock. The essential aim is to detect malicious activity and shut it down before any serious damage is done. When an SOC analyst sees something suspicious, they take immediate action.
Investigation: During the investigation stage of responding to a threat, the SOC team analyzes whatever suspicious activity was detected — and shut down — to determine the nature of the threat and the extent to which it successfully penetrated organizational infrastructure. It's important to note here that any SOC team will have to filter a LOT of "noise," sifting through a mountain of false alarms and irritations for every serious threat.
While conducting an investigation, SOC teams probe the organization’s network and operations from the perspective of an attacker, looking for key indicators and areas of exposure before they are exploited. Analysts must identify various types of security incidents and determine how to effectively respond before they get out of hand.
Response: After the investigation phase has concluded, the SOC team coordinates a response to remediate the issue. As soon as an incident is confirmed, the SOC acts as first responder, performing actions such as isolating endpoints, terminating harmful processes and preventing them from executing, deleting files, and so forth.
Response includes the aftermath of an incident, where the SOC team works to restore systems and recover any lost or compromised data. This may include wiping and restarting endpoints, as well as reconfiguring systems or — in the case of ransomware attacks — deploying viable backups in order to circumvent the ransomware.
When successful, response will essentially return the network to the state it was in prior to the incident. After an incident has been contained, it can be reported to regulators, affected parties, and the public as the organization's obligations require, and damage control can begin.
The SOC manager
In a nutshell, the SOC manager is expected to direct SOC operations. An SOC manager is responsible for coordinating the work of analysts and engineers; hiring and training personnel; and creating and executing an overall cybersecurity strategy. An SOC manager also directs and orchestrates the organizational response to major cybersecurity incidents.
Every analyst and engineer on the SOC team reports to the SOC manager. Coordination is probably the hardest part of the job. Directing the response to organizational threats requires constant attention, and that work only begins once the manager has hired everyone and a complete SOC team is in place.
At a big organization, an SOC manager might oversee 100 or more engineers and analysts. Making sure that everyone is trained, disseminating information about cybersecurity processes and procedures, aligning schedules, and assuring overall job satisfaction is a considerable task. An effective SOC manager must also possess thorough knowledge of a lot of different tools and methodologies.
An SOC manager must understand the company’s cybersecurity policy — including possibly helping draw it up — and be prepared to act in every facet of responding to outside attacks. The right candidate must be prepared to work with the legal team and public relations after or during a cybersecurity incident.
Bad actors and cyber criminals will never stop trying to steal or gain access to corporate information, or to trick people into giving them money. More to the point, they will never stop evolving and changing their methods. An SOC manager is expected to stay abreast of new and emerging types of attacks and attack vectors. Knowing how the next attack will be attempted and where to look for it is critical.
For example, attacks on physical infrastructure like pipelines and control systems are likely to become more sophisticated in the near future. It's critical for an SOC manager to be well-informed about the current threat landscape and constantly aware of changes to that landscape.
Training and certification
A key and sometimes underrated aspect of preparing for the SOC manager role is to build strong interpersonal skills. An SOC manager will be directing a coordinated effort that involves many different individuals. Building and continually refining soft skills is essential to success.
A degree in cybersecurity, formal training in cybersecurity, and perhaps a four-year degree in advanced mathematics would all be beneficial. If I were hiring for this role, I would lean toward someone with an analytical mind, and really lean toward someone with strong hacking credentials. If you want to include that element in your preparations, please be certain that all of your hacking is of the "white hat," above board, ethical variety.
Any aspiring SOC manager will be well-served by getting any of the "big dog" security management certifications, in particular the CISSP offered by (ISC)² and the CISM curated by ISACA. Even more than those, however, I would focus on technical certifications like the Certified Ethical Hacker (CEH) offered by EC-Council — it takes real-world skill to combat real-world threats.
You can also benefit from building your professional network. Many of the people that you meet in the too-small pool of cybersecurity professionals may be the very individuals you seek to hire after landing in an SOC manager role. Don't hesitate to follow respected cybersecurity leaders and practitioners — people who are longtime experts in cybersecurity are often excellent sources of information about new and emerging threats.
It's an exciting time to have a professional interest in cybersecurity. The demand for skilled cybersecurity experts is constant and intense. If the idea of being on the front lines of the ongoing cyber-struggle between malefactors and legitimate organizations is appealing, then getting a job as an SOC manager could be an ideal long-term goal.