Have You Chosen the Right Person to Lead Your SOC?
Cybercriminals are increasingly penetrating enterprises through non-technical means, such as social engineering. At the same time, there is a global IT security shortage of nearly three million people, according to the 2018 (ISC)2 Cybersecurity Workforce Study, leaving enterprises struggling to find the right talent to safeguard their networks.
There are multiple theories on how to solve the problem, and several programs have popped up in the last few years to attempt to address it.
According to Chris Schueler, SVP of Managed Security Services at Trustwave, enterprises need to consider other options. Yes, IT and cybersecurity degrees are in demand, but we are failing to look at professionals outside of those areas. Enterprises must change their mindsets and begin recruiting talent from non-traditional backgrounds like liberal arts majors, statisticians and private investigators, he suggests.
“There are many backgrounds and alternative skillsets that lend themselves well to cybersecurity, and organizations need to start considering rounding out their cybersecurity teams with people from varied backgrounds,” Schueler says.
Schueler advocates looking at a new type of cybersecurity SOC analyst, one who relies as much on understanding the psychology and science behind a threat as he or she does on technical know-how. The backgrounds he suggests include:
- Law Enforcement/Military/Investigators – These professionals are experienced threat hunters, able to adopt a black hat mindset, build criminal profiles and establish modus operandi. They know how to take practices from their former lives, such as establishing “Proof of Life,” and apply them to ransomware attacks and other digital threats. “Law enforcement and military professionals are incredible; they know how to ‘follow the bread crumbs,’” Schueler says. “They look under each stone and are trained to be comfortable in difficult situations. A SOC environment is a pressure cooker, all the time, and military and law enforcement can stay calm and cool under pressure.”
- Data Scientists and Statisticians – These professionals know how to parse through vast volumes of organizational data to look for unusual patterns or anomalies that can indicate a breach. They also excel at gauging organizational risk tolerance and determining incident probabilities. “Parsing through data – in a private or public cloud or a SaaS environment – is a new big challenge,” Schueler says. “Sure, machine learning helps, but you still need a math and data background to process all of that.”
- Liberal Arts – “I like this one the most,” Schueler says. From communications to psychology, philosophy to sociology, individuals trained in liberal arts fields help us understand the human side of the equation and leverage abstract thinking to match the minds of black hats. “These people don’t conform to ‘group think’ easily, and that’s good. Adversaries are unconventional, and liberal arts find variances that may get you to a different result. I see liberal arts professionals as the ones who can understand what the adversary is trying to do; almost becoming a bit of a profiler. If you think in black and white, then you can’t profile. In a SOC, it’s not just one person leading an investigation, and I like the liberal arts professional because you are always guaranteed one person in the pod who won’t conform to group think.”
- Multicultural Backgrounds – With threats coming from around the world, cybersecurity teams need to include members from a wide variety of geographic and demographic backgrounds who are able to think like black hats and understand their motivations. “I always advocate for having multiple demographics,” Schueler says, “in order to strengthen the overall coverage to offer you different approaches to problems.”
Once you have the “right” person on your SOC team, the next challenge is to keep them, Schueler says. “It’s important that their ‘on position time’ is rotated. Yes, there is a lot of turnover with Tier 1 SOC analysts, but we can help to reduce some of the heavy lifting with automation to help them stay satisfied in their roles. As an industry, we can invest in automation and machine learning to reduce the workload and to provide them with more Tier 2 analyst work. That may be a reason that they stay, or they go. I already see the industry moving towards that direction.”