There’s a certain mystique and excitement surrounding the idea of a security operations center (SOC).
It puts you in mind of a mission control style room, possibly in an underground bunker, where people in uniforms shout orders and spend all their time responding to imminent threats.
And in a world where cyber attacks have become a daily reality, and even midsize organizations are forced to designate substantial budgets for cyber security, the idea of implementing a SOC has become far more realistic.
For that reason, this will be the first in a series of posts explaining how smaller or midsize organizations can realistically go about building and maintaining their own SOC. We’ll be covering everything from technological requirements and personnel to financial investment, infrastructure, and performance monitoring.
What’s Your Mission?
The quickest way to drain your security budget with minimal results is to stumble right out of the gate by not defining a clear mission for your SOC.
Without a focused mission, your SOC risks becoming a catch-all for “everything security,” a recipe for burnout, inefficiency, and missed priorities.
Chances are, your SOC shouldn’t be handling routine security tasks like delivering training or fielding everyday user support — that’s typically the role of IT help desks or specialized teams.
While every organization’s SOC mission will differ, here’s a strong example to guide you:
“The Security Operations Center (SOC) is responsible for protecting the organization’s most sensitive assets through continuous monitoring, threat detection and response, and management of security technologies—providing 24/7/365 coverage.”
To fulfill this mission, your SOC will likely cover:
Real-time network monitoring
Incident detection, triage, and analysis
Malware and indicators of compromise (IOC) investigation
Incident response and containment
Vulnerability management, penetration testing, and threat hunting
Maintenance of security infrastructure
Additionally, your SOC may provide vital intelligence to other teams. For example, Fortra Brand Protection’s SOC regularly shares findings with our Research, Analysis, and Intelligence Division (R.A.I.D.), fueling targeted employee defense training programs.
Before investing time and resources, establish your SOC’s mission clearly. Without it, you risk spreading your team thin and misaligning efforts with your organization’s true security needs.
People: Getting it Right
Every SOC lives and dies on the quality of its personnel. But this poses yet another problem.
The cyber security industry is facing a cataclysmic talent shortage, which doesn’t look as though it’s going to go away any time soon. As a result, the war for talent is well and truly on.
To address this, we strongly suggest that you put in the time and resources necessary to nurture a strong pipeline of good, young talent. As a starting point, you may need to hire more experienced (and thus more expensive) professionals, as the younger and less experienced analysts will need guidance as they develop.
Beyond this, though, your plan should be to identify and hire young, talented personnel, and train them up internally. As they progress, they can be given additional responsibilities and compensated fairly for their hard work and loyalty.
Of course, there are downsides to this approach, the most obvious being that the personnel you invest in will naturally accumulate a great deal of market value, and some will move on to work elsewhere. This is a natural (even if frustrating) cycle, but it’s one you’ll have to deal with if you intend to maintain your SOC in the years to come.
Managing Operations
Once you have your mission, location, and personnel in place, you might think you’re home free. Unfortunately, the logistics of managing a 24/7 SOC are surprisingly complicated.
For a start, you’ll naturally want to ensure you’re hiring the right number of people to do the job. And just to provide 24/7 coverage, when you consider sick and holiday leave, you’ll likely need at least six people.
This is where employment law comes into play.
The typical 40-hour work week doesn’t fit well into the 168-hour week. If you’re hoping your analysts will work more than 40 hours per week, though, you’ll need to find out precisely what is and isn’t legal in your state or country.
Your most obvious scheduling options are for each analyst to work either five eight-hour shifts per week, or to take on a rolling three days on/three days off approach with 12-hour shifts. Either way, you’ll have to pay close attention to scheduling to ensure each analyst is kept happy: most people don’t like to work exclusively at night, and almost nobody likes working on the weekend.
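As an added example (not code from the original post), here is a small Python model of the three-on/three-off, 12-hour rotation described above. It checks whether every hour of the 168-hour week has someone on duty, what the rotation costs each analyst in weekly hours, and how night and weekend shifts fall across the team. The 07-19 / 19-07 shift boundaries, the even split into day and night pools, and the 42-day window are assumptions made for the model.

```python
"""Check a 24/7 SOC rotation before hiring against it: is every hour covered,
how many hours a week does each analyst work, and how evenly are night and
weekend shifts shared? Assumed rotation: 12-hour shifts (07-19 / 19-07),
3 days on / 3 days off, analysts split evenly into day and night pools."""
from collections import defaultdict

DAY_START, NIGHT_START, SHIFT_LEN = 7, 19, 12   # assumed shift boundaries
CYCLE, ON_DAYS = 6, 3                           # 3 on / 3 off

def three_on_three_off(n_analysts, days=42):
    """Return {analyst: [(day, start_hour), ...]}. 42 days is where the 6-day
    cycle and the 7-day week line up again. Members of each pool are staggered
    across the cycle so their on-days interleave (3 per pool: offsets 0, 2, 4)."""
    if n_analysts < 2 or n_analysts % 2:
        raise ValueError("need an even number of analysts, at least 2")
    shifts = defaultdict(list)
    per_pool = n_analysts // 2
    for i in range(n_analysts):
        pool, slot = divmod(i, per_pool)            # pool 0 = days, 1 = nights
        start = DAY_START if pool == 0 else NIGHT_START
        offset = slot * CYCLE // per_pool
        for day in range(days):
            if (day - offset) % CYCLE < ON_DAYS:
                shifts[f"analyst{i}"].append((day, start))
    return dict(shifts)

def on_duty_per_hour(shifts, days=42):
    """Analysts on duty for each hour; the period is circular, so the last
    night shift wraps into hour 0 of day 0."""
    total, counts = days * 24, [0] * (days * 24)
    for slots in shifts.values():
        for day, start in slots:
            for h in range(day * 24 + start, day * 24 + start + SHIFT_LEN):
                counts[h % total] += 1
    return counts

def rotation_report(shifts, days=42):
    """Coverage floor, uncovered hours and per-analyst load (day 0 = Monday)."""
    counts = on_duty_per_hour(shifts, days)
    per_analyst = {name: {
        "hours_per_week": len(slots) * SHIFT_LEN / (days / 7),
        "night_shifts": sum(s == NIGHT_START for _, s in slots),
        "weekend_shifts": sum(d % 7 >= 5 for d, _ in slots),
    } for name, slots in shifts.items()}
    return {"min_on_duty": min(counts), "uncovered_hours": counts.count(0),
            "analysts": per_analyst}

if __name__ == "__main__":
    for n in (2, 4, 6):   # 2 leaves gaps, 4 covers with no slack, 6 adds slack
        r = rotation_report(three_on_three_off(n))
        print(n, "analysts:", r["uncovered_hours"], "uncovered hours, min on duty", r["min_on_duty"])
```

With four analysts the model covers every hour but with nobody spare and 42 hours a week each, which is why leave pushes the real floor to the six people mentioned above; with six, some days have two on shift and weekends come out even at six per analyst over the 42 days.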
Of course, there is a silver lining here. Chances are you aren’t the person who will need to deal with all this scheduling on a weekly basis.
As with any team, management plays a huge part in ensuring daily security operations go off without a hitch. And to that end, we’d strongly recommend you ensure the vast majority of shift management takes place locally.
Remote management is an option, if absolutely necessary, but by making sure an experienced SOC manager is on site for every shift you’ll dramatically reduce the chances of anything going wrong. Whether they need to step in and take an urgent call, guide less experienced staff, or provide leadership during incident response, high quality managers are an essential element of a top-performing SOC.
In addition to their operational role, managers are there to ensure all of your analysts (who, don’t forget, you’re investing heavily in) are looked after, and receive the training, feedback, and development opportunities they need. They’ll also be able to identify ‘lieutenants’, who can help shoulder the burden of shift management, and may develop into future managers with time.
First Things First
One of the biggest mistakes when setting up a new SOC is rushing into technology before addressing the logistics. No matter how advanced your tools are, your SOC won’t succeed without the right location, skilled people, and strong management.
The reality? Building and maintaining a SOC takes significant planning and investment. From providing 24/7 coverage—including nights and holidays—to ensuring each shift has proper heating, lighting, and experienced leadership, it’s far less glamorous than it sounds.
That said, a well-planned and managed SOC with a clear mission is an invaluable asset for any security-focused organization.
In our next post, we’ll dive into the essential hardware, software, infrastructure, reporting metrics, and budget considerations for SOC success.
Meanwhile, if you want to learn how our threat intelligence solutions can help your security team strengthen technical defenses and elevate awareness training, let’s connect.