Is building a security operations center (SOC) the right way for your company – and how can you staff it despite the shortage of skilled security employees?

Matthias v. Knobelsdorf

Matthias v. Knobelsdorf is Sales Director DACH at Cyberbit. In the following interview, he discusses trends and opportunities for the qualification of SOC employees and gives recommendations to companies.

Matthias v. Knobelsdorf, Sales Director DACH at Cyberbit

A security operations center (SOC) tops the wish list of many CISOs and IT managers. If you are responsible for IT security, the prospect of having 24/7 monitoring and security expertise on hand is obviously appealing: at minimum, it should equip you to detect attacks and take prompt action to counter them. Based on your experience: does having a dedicated SOC really make sense?

The answer highly depends on the company’s industry and level of cybersecurity risk. Nearly all businesses today either have sensitive data to protect or rely on digital infrastructure to operate. As a result, it’s important for them to monitor warnings and detect and respond to threats.
I recommend that any company with sales of more than USD 50 million or more than 100 employees should start thinking about an SOC. Smaller companies in this category should consider fully outsourcing this function, while larger ones should aim for a hybrid SOC (partly outsourced and partly operated in house) or a fully in-house approach.

Are there criteria for determining when to build an in-house SOC rather than use an external managed service?

One key question here is how quickly you need the SOC. If you believe that your need is urgent (within less than six months), I would recommend starting with a managed SOC or MDR provider and further developing the approach later. If you have at least six months, however, you should aim to set up a fully purchased or hybrid SOC.
Additional points to consider are the investments you have made so far and your current capabilities. If you have invested in tools like EDR and SIEM and built a certain level of competence in using them, you should be able to develop a hybrid SOC rather quickly and evolve to a fully insourced SOC from there.
Of course, the budget is a key issue as well. An insourced SOC requires an approved budget for personnel and tools. About 12 people will be needed to manage three shifts around the clock. If you think that organizing this level of support is feasible and the other elements are in place, you can set an internal SOC as your goal.      

What’s the difference between a CERT and an SOC?

A CERT (computer emergency response team) focuses on responding to incidents. As the name “security operations center” suggests, an SOC keeps the IT infrastructure of a company or organization secure. To do so, it integrates, monitors, and analyzes all systems with security relevance, such as company networks, servers, workstation computers, or Internet services. For example, it collects log data from each system and analyzes it, looking for anything unusual. In addition to analyzing systems and log data, a central task of the SOC consists of issuing alarms and taking action to protect data and applications.

What’s driving the need for a new approach to building cybersecurity capabilities?

A major change has occurred in the risk landscape – and it demands completely new capabilities from cybersecurity teams. A few years ago, all an information security pro really needed was a sound understanding of networks, techniques, and ethical hacking. Today the cloud and supply chains need to be secured, attacks are far more sophisticated, and new weak points like Log4J have emerged. As a result, top-tier cyber incident responders must master a long list of technical capabilities, including cloud security, coding, forensics, threat intelligence, and malware analysis. They also need nontechnical “soft skills” in areas like teamwork, communication, critical thinking, and working under pressure – all of which play a decisive role in successfully addressing security incidents. Finally, teams need to stay up to date about the new technologies, new malware, and new weak points – like Log4J – emerging every day.

But often cyber pros simply accrue know-how on the job or take part in outdated cyber training programs and once-a-year courses designed to prepare them for the last decade’s challenges. In these cases, organizations soon realize that their teams are not up to the tasks they face. Next-generation cyber defenders are critical but in short supply – and as a result, spectacular security breaches are increasingly frequent. Common approaches to cybersecurity training like courses, on-the-job training, and academic degrees have three problems:

  • They aren’t available anywhere, at any time, whenever they are needed.
  • They don’t keep pace with new threats.
  • They don’t present or simulate real-life situations.

The changes taking place make it critical to completely rethink how to build cybersecurity skills. You wouldn’t train pilots to fly by sending them to a course twice a year – and this approach doesn’t work for cyber defense, either. 

In your experience, how long would it take to turn someone with no experience into a cybersecurity expert?

A typical “zero to hero” transformation of a person with no experience into a tier 1 analyst takes 16 weeks – if you use a simulation-based capability building platform like Cyberbit. In the past, this process could take more than six months, and also require additional on-the-job training.

Is Cyberbit’s offering a response to the general shortage of skilled cybersecurity workers?

Our platform addresses the shortage of qualified cybersecurity employees in several ways. We help academic institutions and cyber academies to produce more graduates who are prepared for their jobs from the very first minute. And we help industry organizations to internally build next-generation talent that they can’t find elsewhere. For example: hiring a cloud security expert takes months and is very expensive. We offer cloud security modules on our platform that enable companies to build these skills among the team they already have or to hire a recent graduate and develop these skills internally.

How can I find the right employees for my SOC? What abilities matter most?

Don’t rely on resumes! Instead, we recommend subjecting candidates to a practical assessment – like the one we offer on our platform. This is the most reliable method for evaluating cybersecurity candidates. If I had to make a hiring decision for an entry-level role based on other factors, I would mainly look for a good level of IT or cybersecurity knowledge – but consider the candidate’s personality, too. I like to test potential employees’ cognitive abilities and leadership qualities by, for example, having them solve problems that put them in a high-pressure situation. Assessment based on technical capabilities alone is not the best way to hire SOC staff.

After they provide training to equip employees for SOC work, many companies face the big question: How do I keep my experts motivated for the long term? Shift work is not generally something that excites people …

There’s no single recipe for success. The best recommendations I can give are:

  • Build a strong company culture and mission.
  • Show candidates a career path that they can strive for.
  • Invest in your employees – in a recent survey we conducted, most SOC employees said that they believe their organizations could improve employee retention at their SOCs by investing in higher-quality training for them.

Work at an SOC always involves the interplay of different technologies: SIEM and SOAR tools, endpoint security and XDR, widely different source systems like firewalls, and aspects of cloud services versus classical on-site IT. Do you see any clear trends in this area?

The market is consolidating and we are seeing many products being added as features to the “major” tools. SIEM continues to represent one of the biggest investments for organizations, so it will remain central. UEBA is increasingly part of SIEM, and SOAR is moving in the same direction. The switch from EDR to XDR is more difficult, since XDR overlaps with classical SIEM and the enormous investments being made there.

Will Microsoft’s dominance continue to grow or are there still convincing arguments for specialized tools from other manufacturers?

Microsoft has developed into a major security provider and, like the others (such as Palo Alto and Cisco), it strives to offer holistic solutions by taking over smaller companies and integrating them into its platform. This trend will continue: every time a smaller provider brings out a successful function, one of the giants will acquire it or realize it themselves.

Please remember: This article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.