Staffing Your SOC for Success

Building a SOC is one thing; maintaining it with high-quality technicians and security experts is another. Here's how to plan for long-term success.

After attending Continuum’s recently held Navigate conference in Pittsburgh, PA, XaaS Journal, along with dozens of interested MSPs, had the opportunity to visit the company’s nearby SOC. The guided tour of the facilities, along with various interactions with the company’s security team, made it clear that building a SOC is one thing; maintaining it with high-quality technicians and security experts, as Continuum has managed, is another. With the Continuum SOC visit fresh in my mind, I spoke with Andrew Upah, Enterprise Accounts, and Don Becker, Engineer at Theorem, about staffing and building a SOC for long-term success.

XaaS Journal: What skills should an MSSP look for when staffing a SOC?

Don Becker, Engineer, Theorem: Staffing a SOC for offering as a service should start with experienced leadership in the space. Since this individual will likely be interfacing with high levels of customer management, those with a background as a CISO (Chief Information Security Officer) are likely candidates. Looking at the other levels of the SOC, although a high degree of skill in security is needed, a closely related skillset is having an organized approach to the management of the SOC and any incidents responded to. This can have a significant impact on the SOC’s ability to handle multiple customers and to correctly prioritize incident response, especially when faced with multiple incidents and/or limited resources.

XaaS Journal: What’s the best way to find and recruit them?

Becker: Despite the IT industry being large, security is a small subset, and networking and word of mouth are fairly critical. A sponsorship or recruitment effort at a security conference (Black Hat, DEF CON, etc.) could prove fruitful. Another approach would be working with current skilled IT staff to provide a guided career path towards security. Many security roles require a high amount of skills and experience in many areas of IT, so this is an exceedingly common approach.

XaaS Journal: What’s the competitive landscape for top talent?

Becker: Staffing sufficiently qualified security personnel is expensive as they are in high demand. There are many jobs and not enough skilled people to fill them. Retention is also a challenge. Due to the nature of security, ongoing (often expensive) training/certifications are constant. The security field is one of the least likely specialties in IT that can delay training without significant risk to the organizations that they secure. New attack vectors can be revealed frequently, necessitating swift threat mitigation.

XaaS Journal: How can you keep employees engaged and prevent burnout?

Becker: Ensure alerts are urgent and actionable by minimizing false alarms. Plan for the team to be sufficiently staffed to handle anticipated workloads with reasonable on-call rotations to provide a good work-life balance.

XaaS Journal: What other advice would you offer for staffing a SOC?

Becker: It is critical that all legal boundaries and responsibilities are clearly defined between the MSSP and its customers. The MSSP SOC is a critical extension of the customer’s IT organization, and making it work requires a high degree of skilled communication between all involved.