Ruslan Rakhmetov, Security Vision
It is no secret that the shortage of qualified information security (IS) personnel is one of the main challenges today; this is true worldwide and for all types of companies. When building a SOC, however, personnel obviously play the key role, so the issues of hiring, training, supporting and retaining qualified SOC employees are doubly acute. In Strategy #4, the MITRE authors discuss the challenges of hiring and training employees, creating opportunities to develop staff competencies, succession planning, SOC staffing planning, and scaling staffing levels.
1. Who to recruit to the SOC?
Potential candidates for the SOC team may have very different backgrounds, experience, education and skills. Not only the so-called ‘hard skills’ (knowledge and skills in the subject area of information protection) are important, but also ‘soft skills’ (personal qualities and the skills of effective communication, interaction, and processing and analysing information).
1.1 Mindset and soft skills
Working in a SOC implies a high level of intensity and dedication, which is impossible without full immersion in the profession. Ideally this is a personal passion of the employee, which helps him or her to maintain enthusiasm and to perceive the fight against cybercrime as a personal challenge and a competition with attackers. Other important personal qualities include intuition (which usually comes with extensive hands-on experience), out-of-the-box thinking, attention to detail combined with a macro view of the situation as a whole, the ability to absorb information quickly, critical and creative thinking, stress tolerance and time management skills, ownership of and loyalty to the SOC mission, and a strong desire to win the battle against cybercriminals. It is also important for a SOC member to be a team player, which includes good communication skills, valuing the interests of the team above one's own, willingness to accept responsibility for both successes and failures, positive acceptance of valid criticism, emotional intelligence and stress management, time and conflict management skills, initiative, clear thinking and unambiguous communication. For more experienced employees, it is also important to be able to transfer their ideas, findings, knowledge and skills to colleagues; to build sustainable relationships with colleagues and with employees of the client company; to think like an attacker and understand the client company's business; to look for new solutions and improve the effectiveness of defence; and to share knowledge with colleagues by conducting training and education. Finally, for the long-term success of the SOC, a strategy of attracting and internally training new talent will pay off; such talent may come from the acquaintances and friends of current SOC team members.
1.2 Candidate's previous experience and skills
With the emergence of specialised, modern cyber security training programmes in educational institutions, a formal requirement for a candidate to have prior IT/IS work experience may be unnecessary; experience in CTF competitions, participation in the development of open source projects, and internships in the IS industry can serve instead. Candidates for SOC positions may come from related IS fields, as well as from technical support, software development and system administration. However, one should not look only at candidates with IT or IS experience: the authors of the publication state that in practice they have met successful SOC employees without specialised education, who came, for example, from the humanities. Also, when searching for candidates, do not harbour any illusions that there will be a candidate who is an expert in all SOC subject areas; rather, focus on building a team with mutually complementary knowledge and skills. It is not necessary to insist on specific skills or on experience with specific SOCs, as such an approach will weed out potentially successful candidates on formal grounds; it is better to focus on general technical skills and knowledge, mindset, desire for development, soft skills, and the ability to work in a team.
1.3 SOC managers
The task of finding a competent SOC manager is a non-trivial one: the candidate must not only be immersed in the specifics of SOC work and operations, but also possess management skills and methods of working with personnel, be competent in the subject area, and be stress-resistant enough to make and negotiate complex decisions under time pressure. At the same time, the manager will need to handle confidential information carefully, train and motivate staff, see the trajectory of SOC development, work with company managers at all levels and answer their questions, accept feedback and continuously improve his or her qualifications.
1.4 General recommendations for recruiting a SOC team
When building a SOC team, HR professionals should be involved in the hiring process to manage the sourcing and hiring of candidates, including sourcing resumes, posting job openings, selecting candidates for interviews, conducting interviews, making hiring decisions, and negotiating compensation levels. A budget should also be planned for continuous sourcing and hiring of new employees, as the SOC will change over time, as will employees who will both leave and upgrade competencies to increase their knowledge to keep up with current cyber threats.
2. Invest in the development of your employees in the SOC
Despite the large number of courses, advanced training programmes and new IS specialisations in educational institutions, companies still face a shortage of qualified personnel, and the way out of the situation can be internal development of SOC employees. In addition to investing in finding and hiring experienced IS specialists, internal training programmes, developing employees beyond their current positions, and external training for employees will also pay off; such investments are needed for both entry-level positions and experienced employees because of the continuous evolution of the IS industry and the changing cyber threat landscape. The authors of the publication emphasise that such initiatives require consistent investment of time and resources, but will ultimately ensure the sustainability and success of the SOC in the long term. The benefits of developing internal expertise are manageability of the process, control over the areas in which competence needs to be developed, and the opportunity for internal knowledge sharing and mentoring by experienced members of the SOC team. Subject areas in which competence is required may include network intrusion analysis, deployment and configuration of security tools (e.g. SIEM or EDR), forensics, vulnerability analysis and exploitation, penetration testing, malware analysis and reverse engineering, OS, database and network hardware management, and cloud infrastructures. At the same time, it is important for SOC personnel to strike a balance between depth and breadth of knowledge. For example, an administrator of security tools should have deep knowledge of his/her own subject area and a general understanding of related areas (such as the work of malware analysts and pen-testers); it is also advisable to develop competences matching the specifics of the customer's infrastructure (the operating systems in use, security tools, network equipment).
2.1 On-the-job training, onboarding of new employees
Hiring candidates with little experience but high potential can be a winning strategy, given the shortage of experienced employees. To induct new employees and get them up to speed quickly, the SOC should develop an internal training (onboarding) programme, which may include both formal and informal aspects. The training plan may include technical training on the SOC toolkit, interactive hands-on training, theoretical training, workshops on real or test data to practise the typical actions of a SOC team member, learning the TTPs of specific attackers, immersion in the customer company's business processes, infrastructure and technologies, advanced use of the SOC toolkit, and study of cyberattack trends. This type of training is useful for transferring experience and knowledge from more experienced colleagues to a new employee.
2.2 Cross-training and rotation of employees
Cross-training immerses team members in related teams, departments and roles: the more the SOC team members know about each other's functions, the better they understand their own role in the overall operation and fulfilment of the SOC mission. Such training also helps to temporarily cover the functions of an employee who has fallen ill or left unexpectedly, and it avoids monotony and provides a new perspective on the work of the SOC. Staff rotation is particularly useful for smaller SOCs or SOCs operating on a tierless model; positions for rotating SOC team members may include signature and correlation rule development, cyber threat analytics and data processing, SOC antimalware administration and configuration, and ‘analyst of the day/week’ duty on small teams. Rotation lets employees better understand the SOC and the processes and technologies used, as well as the work of their SOC colleagues, and optimise the work in their own area of responsibility.
2.3 External training
External training is useful for broadening horizons, enhancing skills, gaining a deeper understanding of the technologies used, and sharing knowledge with industry colleagues, but should not be a substitute for internal training programmes. The authors of this publication cite a number of vendor- and vendor-independent training courses, as well as a list of the most popular cybersecurity conferences.
3. Create a favourable work environment that motivates employees to work together for the long term
Retaining a team of skilled SOC employees is one of the most challenging tasks. According to the authors, the most frequently cited reasons for SOC employees to keep their current jobs are their perception of the SOC team as a close-knit, friendly group of highly skilled, motivated professionals, as well as the opportunity to work daily on interesting tasks with a high degree of decision-making freedom and a deep belief in the global, unique and important mission of cybersecurity. In addition, SOC leaders should consider the following factors to help retain employees and reduce turnover.
3.1 Provide fair, market-level financial compensation
A motivated and capable new SOC team member coming into an entry-level position may take 1-2 years to gain the necessary experience and then move to another company in pursuit of higher pay. The reason for this may be inadequate, in the opinion of the employees, level of remuneration, which may be below the market average. Highly skilled employees should also be given the opportunity to earn adequate salaries without the need for a purely financially motivated move into management positions. However, having achieved adequate financial support for the team, managers should look at other factors that increase employee retention rates.
3.2 Support the career and professional development of employees
Passion for the job, professional enthusiasm and the drive to overcome new challenges are among the most favoured personal qualities of a SOC employee. It is important to understand what motivates each team member - vertical growth (promotion, leadership roles) or horizontal growth (acquiring new competences, expanding professional horizons). When drawing up the employee training roadmap, it is important to understand whether the employee wants to develop further in the current direction or wants to switch to another position in the SOC, and then plan training sessions for the long-term perspective for the employee to understand his/her career track.
3.3 Encourage automation and the development of technical capabilities
Routine tasks and repetitive actions can demotivate SOC team members, so it's important to provide opportunities for employees to develop their technical skills to automate and analyse SOC processes. Automation frees up team resources, which is beneficial to both the continued progress of automation and employee commitment. A high level of automation of SOC employees' actions is achieved by using and maintaining up-to-date technical tools: team members need to be provided with a set of modern, user-friendly technical tools that are relevant to current cyber threats.
The authors of the publication recommend considering the following aspects:
- Structure, repeatability and automation of cyber incident analysis and investigation processes should be built in, for example, by using SOAR platforms and interactive tools for analysts to automate routine tasks;
- Automated cyber-attack prevention tools should be used (where economically feasible and applicable), such as EDR systems, to reduce routine operations that drain team resources;
- Changes should be made to the customer's IS management system to correct strategic cyber security issues that are identified by the SOC centre, thus avoiding recurring incidents and increasing the level of satisfaction of SOC employees from visible improvements in the customer's cyber security status;
- It is recommended that a high level of automation, repeatability, templatisation of responses to typical cyber incidents be provided so that they take minimal time to process and can be handled by junior members of the SOC team;
- It is recommended to delegate procedures for responding to certain types of typical incidents to other departments of the customer company (for example, internal cyber threats, including insider actions, can be handled separately from the SOC);
- Employees should be encouraged to develop SOC functionality in-house (including proactively searching for cyber threats, analysing and investigating cyber threats, and developing machine learning methods and tools to assist in incident analysis);
- It is recommended to plan and provide opportunities for internal skills development initiatives, such as cyber threat hunting or Purple Teaming events (Red Team attackers and Blue Team defenders working together to share expertise).
3.4 Continuously interact and communicate with colleagues
One of the main motivators for SOC workers is teamwork and a sense of ownership of an important shared endeavour, hence it is important to provide feedback to SOC workers on the importance and results of their work in order to improve team morale. This can be done through regular SOC team meetings, either daily or weekly short meetings to discuss current tasks, or broader meetings every month or quarter to discuss strategic issues. It is also possible to provide feedback to the entire SOC on the results of incidents handled to ensure that everyone understands their contribution to the success of the overall effort, to share knowledge and techniques for handling incidents, to update all SOC team members on the state of the cyber threat landscape being handled, and to improve the performance of the entire SOC. Horizontal relationships within the SOC team are also an important way to share information, helping colleagues share knowledge to achieve synergies in incident handling.
4. Prepare for staff turnover in advance
To get through the period between an employee's departure and the hiring of a replacement with minimal disruption, SOC managers should prepare in advance, primarily by organising thorough documentation of all response procedures and building up a knowledge base. It is also important that key staff and SOC managers have enough knowledge to cover the ‘gaps’ in the team while new employees are being hired.
5. Formalise SOC procedures
When formalising SOC operations, it is important to strike a balance between a well-defined, structured approach to response and a degree of creative freedom for analysts, especially with non-typical, unique incidents. It is recommended to create standard operating procedures (SOPs) for such repetitive actions as checking data in the consoles and feeds of protection systems, monitoring the performance of the SOC technology stack, checking the relevance of information on dashboards and in reports, and analysing the availability of web resources that are a source of information for the SOC. It is also important to develop in advance detailed SOPs for escalation procedures for both typical, non-critical incidents and unusual, critical IS incidents (note that escalation procedures may be included in cyber incident response scenarios).
6. Calculating the number of SOC employees
Calculating the number of SOC team members required depends on many factors, but in general the effectiveness of the SOC depends more on the skills of the analysts, the maturity of the processes and the level of automation than on headcount alone. The authors of the publication point out that the number of SOC employees may depend on: the number of protected assets and users of the customer company; the size and geographical distribution of the customer company's branches; the heterogeneity of the protected infrastructure; the objectives of the SOC and the range of services provided to the customer; the number of registered cyber incidents; the organisational model of the SOC; the complexity and distribution of the SOC technologies used; the desired and available competencies of SOC personnel; the SOC operating mode (8x5, 12x5, 24x7, etc.); the level of automation of SOC processes; and the SOC budget.
When calculating the staffing of a particular function/service, the following recommendations of the authors can be used:
1. Real-time monitoring and categorisation: the number of employees depends on the number of incoming events and alerts, as well as on the level of automation of incident categorisation processes.
2. Incident analysis and investigation: the number of employees depends on the number of incidents reported, the skills of the analysts and the tools available to them.
3. Cyber threat data processing and cyber threat hunting: the number of employees depends on the company's assessment of its level of cyber risk and on the company's ability to mitigate that risk by investing in this SOC function.
4. Vulnerability scanning: the number of employees depends on the number of information systems to be scanned and monitored and the complexity of the IT infrastructure, the effectiveness of the scanners and the complexity of the scanner operation.
5. Vulnerability analysis, attack simulation and audits: the number of employees depends on the level of cyber risk of the company, which affects the required frequency and scope of work.
6. Development and management of the protection tools used in the SOC: the number of employees depends on the number of installations and the number of sensors, the variety of protection systems used, the level of automation in each protection system, the possibility of centralised management of protection systems, and the organisational requirements for technology management processes.
7. Development and management of technologies used in the SOC: the number of employees depends on the complexity of the systems and solutions used in the SOC, the speed at which new SOC services are provided to customers, the availability of internally developed technologies and the complexity of their development and support, the performance of system administration and development functions within the SOC or with the assistance of third-party departments.
8. SOC management: the number of management staff depends on the size of the SOC and the standards and practices of the customer company.
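As an added illustration of the staffing factors in point 1 (alert volume, level of automation, operating mode), the following Python planning model is constructed for this article; it is not a formula from the MITRE publication or from Security Vision, and the 46 productive weeks per year and 70% utilisation are assumptions.

```python
"""Headcount estimate for the real-time monitoring and categorisation function.

Constructed planning model (not from MITRE or Security Vision): required
analysts = max(workload-driven FTE, coverage-driven FTE), where workload
follows from alert volume, automation rate and handling time, and coverage
follows from the operating mode (8x5, 12x5, 24x7).
"""
import math
from dataclasses import dataclass

# hours per week during which at least one analyst seat must be staffed
HOURS_PER_WEEK_BY_MODE = {"8x5": 40, "12x5": 60, "24x7": 168}


@dataclass(frozen=True)
class MonitoringLoad:
    alerts_per_day: float        # alerts reaching the analyst queue
    auto_closed_fraction: float  # share closed by SOAR/EDR automation, 0..1
    minutes_per_alert: float     # mean analyst handling time for the rest
    mode: str                    # "8x5", "12x5" or "24x7"


def productive_hours_per_fte(productive_weeks=46.0):
    """Hours one FTE actually supplies per week once leave, sickness and
    training (assumed 6 weeks a year) are deducted from 40 h/week."""
    return 40.0 * productive_weeks / 52.0


def analyst_hours_per_week(load):
    """Manual handling effort per week after automation removes its share."""
    if not 0.0 <= load.auto_closed_fraction <= 1.0:
        raise ValueError("auto_closed_fraction must be within 0..1")
    manual_per_week = load.alerts_per_day * (1.0 - load.auto_closed_fraction) * 7
    return manual_per_week * load.minutes_per_alert / 60.0


def coverage_fte(mode, productive_weeks=46.0):
    """FTE needed merely to keep one seat occupied for the mode's hours."""
    if mode not in HOURS_PER_WEEK_BY_MODE:
        raise ValueError(f"unknown operating mode {mode!r}")
    return HOURS_PER_WEEK_BY_MODE[mode] / productive_hours_per_fte(productive_weeks)


def required_analysts(load, utilisation=0.7, productive_weeks=46.0):
    """Headcount rounded up; utilisation < 1 keeps time for rule tuning,
    training and the other non-alert work discussed in this article."""
    per_fte = productive_hours_per_fte(productive_weeks) * utilisation
    workload_fte = analyst_hours_per_week(load) / per_fte
    return math.ceil(max(workload_fte, coverage_fte(load.mode, productive_weeks)))


if __name__ == "__main__":
    # constructed inputs: 400 alerts/day, 15 min each, 24x7 operation
    for auto in (0.6, 0.9):
        load = MonitoringLoad(400, auto, 15, "24x7")
        print(f"automation {auto:.0%}: {required_analysts(load)} analysts")
```

Raising automation from 60% to 90% in the sample drops the estimate from 12 analysts to the 24x7 coverage floor of 5, which is the point the article makes about automation relieving headcount pressure.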