The people in Security Operations Centre (SOC)

The traditional SOC team is well defined and will normally consist of the following roles.

Tier 1 analyst

This is your junior position. People in this position will have some, but not a large amount of, knowledge and expertise in the areas of computer systems, networking, cyber security and operating systems. Their job is to handle the simple day-to-day activities and to conduct simple monitoring. People normally stay in this role for fewer than two years (and many rise more rapidly).

Tier 2 analyst

This is the position for more experienced individuals. People in this position will have a deeper understanding of cyber security issues and more breadth and depth in computer systems, networking and operating systems. Their job is to help mentor the tier 1 staff, to conduct more involved analysis, undertake threat mitigations and possibly suggest changes to the system. People normally stay in this role for three to five years.

Tier 3 analyst

This is normally the highest of the technical jobs and for that reason, many people will stop here. People in this role will have strong cyber skills as well as strong skills in computer systems, networking and operating systems. They will also normally have specific specialist skills such as digital forensics, reverse engineering, cyber intelligence, etc. People may take up to five years to get into the role and may decide not to progress further.

SOC manager

This is the primary leadership role. People in this role will normally have spent some time as an analyst and will have decided (or been pushed) into taking on a leadership role. People in this role will provide leadership to SOC teams in a particular area or team, or in the case of small SOCs, may be in charge of the whole SOC. Their job is to manage both the day-to-day activities and projects, ensuring in all cases that what is being delivered aligns with what the business needs. This role involves a lot of soft skills so less time will be spent on the more technical aspects of the SOC. This is a role that people often stay in for an extended period of time.

In larger or more specialised SOCs, there are often other roles that need to be filled in addition to the ones given above. The more common of these are:

SOC director

This is the overall leadership role within the SOC. In medium to large SOCs, there may be multiple managers and a SOC director is appointed to take overall charge of the SOC. People in this role will provide leadership and direction for the whole SOC. Their job is almost entirely management and they may not have a strong technical background (although, ideally, they should have enough of a technical background to understand the issues involved).

Chief information security officer (CISO)

The C-level SOC champion. Often not directly part of the SOC, the CISO still has a lot of influence and control over the SOC. This role is almost entirely management and is responsible for security leadership and direction throughout the organisation. These individuals should have strong technical skills as well as management skills, as they are the primary person responsible for evaluating and driving substantial changes to the security landscape within the organisation. This is often a role that people will achieve later on in their careers.

Business partner

The translator for the SOC. The SOC team is focused on ensuring that the systems are as secure as they need to be. Unfortunately, many SOC teams focus on ensuring that the systems are as secure as they can be, which can have a negative impact on the business. The business partner’s role is to act as a translator/communicator/mediator between the SOC and the rest of the business. People in this role need not have strong technical skills, but they need to have enough to understand what the SOC team are saying and translate it into a language that makes sense in the business context, and also be able to explain the business needs and requirements in a way that makes sense to the SOC team. The primary skill needed for this role is communication. Business partners may also act as project managers, as they often have strong business skills. This role is one that tends to attract people from a business rather than a technical background.

Operations

The day-to-day activity of the SOC. This role is mainly found in larger SOCs where there is a separation between the teams that run the system and the teams that change the system. People in this role are responsible for ensuring the availability, stability and continuity of the SOC systems as well as the IT systems that the SOC relies on. Their focus is on the SOC infrastructure, and they are responsible for maintaining the SLAs and ensuring that existing systems continue to meet the business requirements. Technical skills are required for this role, the exact nature depending on the level at which the operator is working, but specific cyber skills may not be required, as people in this role often do not undertake any analysis work. This role is one that people can enter at many different levels.

Engineers

The change-makers. Again, this role is mainly found in larger SOCs, as it is the complement of the operations teams. Engineers are responsible for projects and changes to the system. Their focus is mainly on the specialist SOC infrastructure, but they may also work as security engineers on other projects throughout the organisation. Strong technical skills are required for this role, often on very particular bits of technology. For this reason, an engineering team will often have a small core of internal employees which is supplemented by contractors or vendor-provided engineers who are proficient with a particular technology. The contracting aspect of the role is one that many people find attractive, as it allows more flexibility in their work.

Your task

Which of the above roles do you think you are currently suited to? Why? Which role would you like to aspire to? Why? What are the disadvantages of the role you aspire to?

Discuss your answer to these questions in the comments below.

This article is from the free online course:

Security Operations

Coventry University