How to Build and Retain a Strong Security Operations Team


A security operations center (SOC) is like a machine: when one component is not working, performance can come to a standstill. Among the various elements — people, process, and technology — required to run an effective security operation, people are arguably the most important.

Challenges of Creating a High-Performing Security Operations Team

People are at the core of a high-performing SOC team, but there are many challenges to finding skilled security talent. Hiring managers are up against skills shortages, frequent turnover, and increasingly stressful environments.

A documented hiring strategy can help you combat staffing challenges and build an effective security team. Your strategy should act as a blueprint for the people part of the SOC and should consider the goals of your security operation, the organization’s goals, budget, and the staffing model that best suits your needs.

While we describe how to create a complete hiring strategy in The SOC Hiring Handbook, this post will help you identify the critical roles you need on your team and find the best fit for each of those positions.

Building Your SOC Team

Common security operation staffing models include entirely in-house, outsourced, or a hybrid of both. The model you choose will depend on a variety of elements, such as budget, the size of your organization, and its level of risk. Once you have identified the model that best suits your organization’s current and future goals, the next step is to add the key roles for your security operation to your hiring strategy.

An efficient security operation requires fundamental roles and duties to be filled by the right individuals. While the names and duties of these roles can vary, the following will provide an overview of the roles you should have in your hiring strategy. Download our Security Operations Center Job Description Templates to help you craft effective job listings for each of these roles.

Chief Information Security Officer (CISO)

Other commonly used titles include Chief Security Officer (CSO), Vice President of Security, and Director of Security. This role will often report to the CEO, a member of the C-Suite, or the board in some organizations.

The CISO/CSO is a senior-level executive responsible for creating and maintaining a vision and strategy to protect an organization’s information and data security. CISOs should have a broad list of technical skills, including, but not limited to, security technology and architecture, governance, risk, and compliance, and should be experienced in incident response. CISOs will also need to understand regulatory compliance and compliance assessments. In addition, modern CISOs need the business acumen to run their organization financially and should be experienced in program development. CISOs are also leaders and should be open to providing guidance, training, and growth opportunities.

SOC Manager/Director

Other commonly used titles include Security Manager, Security Director, and SecOps Lead. This role typically reports to the CISO. The SOC Manager or Director is responsible for recruiting, hiring, onboarding, and supervising your security operations team. Smaller organizations may have a SOC Manager who oversees the SOC and reports directly to the CISO, while larger organizations may have a Director who oversees the Manager and reports to the CISO.

A SOC Manager should demonstrate their ability to manage and optimize security operations programs and have a strong understanding of compliance requirements and crisis management. They should have strong leadership and communication skills and be willing to assist in security response when needed.

Security Engineer

Other commonly used titles include Cybersecurity Engineer, Security Engineer, SIEM Engineer, and Technology Engineer. This role will typically report to the SOC Manager. A Security Engineer is responsible for implementing and administering network security hardware and software and for identifying vulnerabilities in systems. He or she will monitor networks and systems to find and resolve potential security threats.

Security Engineers should have a broad list of technical skills, be well versed in systems and technology, and have knowledge of modern architectures such as cloud and microservices.

Incident Responder

Other commonly used titles include Incident Handler, Malware Analyst, Forensics Examiner, and Threat Intel Analyst. This role will typically report to the SOC Manager. Incident responders have the knowledge to lead investigations of confirmed incidents and to quickly respond to and neutralize threats before they become incidents. He or she will manage and prioritize work during security incidents, including forensics and remediation.

Incident responders should have a list of technical skills including, but not limited to, in-depth knowledge of systems, applications, and systems forensics, an understanding of various coding languages, and strong knowledge of threat intelligence; they may also be able to reverse engineer malware. The person in this role should be comfortable working under extreme pressure and should be a good problem-solver.

Security Analyst

This role is also called SOC Analyst and typically reports to the SOC Manager. Security Analyst is one of the most fundamental roles in a SOC. He or she primarily focuses on monitoring the environment, threat detection, and incident response. Most large organizations will employ different levels of Security Analyst, starting at triage (level one) and moving up based on expertise to tasks like threat intelligence, forensics, malware analysis, and incident response.

Security Analysts should have a list of technical skills, but they should also show a willingness to learn and enthusiasm about their future in security. They should be able to demonstrate their ability to identify threats and should know the workflows associated with investigating events and incidents.

How to Retain Your Security Team

Hiring talent is just one part of the equation. You also need a strategy to retain and develop top talent. 75% of security teams have more stress than they did two years ago, so you want to make sure you are doing your part to help your team avoid burnout.

“People don’t leave bad companies. People leave bad managers and leaders. To be a leader people want to work for, you should be a servant-leader first. Part of this means setting aside your ego to be strong enough to hire to offset known weaknesses and trust your team.” – James Carder, LogRhythm CSO and VP of LogRhythm Labs

There are several things you can do to help combat some of the reasons an employee may want to leave your team:

  • Invest in your employees
  • Have your team’s back
  • Engage staff and allow for creativity
  • Create a culture of cybersecurity
  • Offer bonuses and extra perks

You’ve evaluated the roles you need for your team and how to find the right fit for each position, but your strategy should also document your goals, objectives, and budget, specify your staffing model, and include your retention plan.

Read The SOC Hiring Handbook to learn how to complete your documented hiring strategy.