How to Build a SOC Team - Who to Hire?


How to Build a SOC Team

Forming a team, regardless of the organization’s industry, is never an easy task. For companies that want to build a security operations center (SOC) from scratch, or expand an existing one, staffing is a core part of the overall picture. There are many challenges along the path to finding the right professionals, especially given continuing reports of a growing shortage of cybersecurity professionals, and this is even more true if the organization is relatively new to the market and not yet well known and established.

Building your Security Operations Center (SOC) Team

Imagine having to choose the experts who will make up your SOC team. Many of them come with experience, but also with drawbacks of different kinds: they will have different preferences and expectations, which won’t always be fully in line with those of the organization. For example, someone more experienced may expect a higher-level role, others might request greater flexibility in working hours or conditions, some may lack certain skills and need more time and training to adapt, while others may not prove to be top performers over time. While working in a SOC might seem exciting and challenging, there must be processes that promote consistency and predictability; otherwise, it will be very hard, if not impossible, to work in such a fast-paced and dynamic environment.

Who to Hire?

Organizations are often faced with the dilemma of how to get started in the first place and need to answer some common questions such as: Who should we hire? Where can we source this talent from? How can we develop the overall SOC setup?

If you are starting from zero and have to build your SOC team on a budget, which roles are the must-haves? In that situation, best practice is to focus on hiring professionals who excel in the following areas:

  • Management (SOC Manager)

You will need someone who can plan and prioritize, who can be held accountable for strategic planning, and who is responsible for the department’s day-to-day running at all levels, no matter how small the team is at the beginning or how large it may eventually grow. Security managers make sure the team is headed in the right direction and can broaden operations as time passes, setting and meeting the KPIs and organizational goals.

  • Analysts (Security Analyst)

Security analysts provide expertise in all segments of the team’s operations, such as threat intelligence, overall security operations, incident response, incident management, and more.

  • SIEM Engineer

A person in this position should provide expertise in, and take ownership of, SIEM administration, vendor management, incident response, engineering, content development (detection rules and dashboards), and more.

With this initial setup, a third-party provider such as a Managed Security Service Provider (MSSP) may still be needed to fill gaps. Combined with automation and orchestration tooling, such as a Security Orchestration, Automation and Response (SOAR) solution, for increased effectiveness and efficiency, this staffing base should suffice to get started.

You should also dedicate sufficient effort at the beginning of the process, especially during the setup and implementation stages, to ensure that every segment of the security program is sustainable. That way your organization can aim for better and more stable outcomes in the long run and keep improving performance.

Evaluate Your Organization’s Needs

Before anything else, your organization should decide if the SOC team needs full-time staff that will monitor, analyze, and report 24/7. The answer will dictate the aspects that should be implemented next. No matter the individual needs of the business though, there are some guidelines that should be followed:

  • Every role within the SOC should have clearly defined duties and deliverables.
  • During a shift, every staff member must be aware of what is expected of them at any given time.
  • A SOC analyst should not operate in a shift alone.
  • Special care should be taken during shift turnover, when many oversights occur. There must be a clear, well-established protocol for the shift handover.
  • Issues and events should be documented in a formal log.
  • Workload should be adjusted by measuring the volume of tasks in each shift; an overworked analyst will not perform well.
  • The SOC Manager should communicate at all times with all shifts and staff members.

Depending on your organization’s needs, a SOC may operate within business hours or extended hours, and it may be staffed with a mix of internal and outsourced personnel.

Spending a good portion of time establishing the basis for a SOC team will pay off in the long run and will strengthen your overall cybersecurity, threat detection, and incident response programs. As threat actors and security incidents grow in sophistication, well-staffed and well-managed SOC teams help ensure that threats do not slip by unnoticed.

Final Thoughts

A fully established SOC with dedicated resources can grow in operational maturity if it has a well-aligned mission and vision, with the correct tactics, techniques, and procedures in place. Such a security operations team is expected to respond efficiently and effectively to security threats and to contain and resolve the issue as quickly as possible. Finally, even though each organization has its own needs, budget, and requirements, when it comes to security they all share the same goal: improving defense through detection, prioritization, and response to security alerts and incidents before they lead to a more serious breach.
