SOC Training

When we talk about training security analysts, you probably immediately think about earning certifications such as CFCE or OSCP. This year’s Devo SOC Performance ReportTM found that among survey respondents who don’t consider their SOC to be a high performer, only 31% of those organizations have a defined program for training analysts. While practical skills are vital in the SOC, they’re not the end-all, be-all of reaching the next career level. It’s time managers and CISOs recognize the importance of training their analysts on the soft skills that will propel them forward from starting as a Level-1 analyst to L-2, L-3, and beyond.

I participated in a virtual panel with Mehan Kasinath, vice president of enterprise information security at IAC, and Yatin Choksey, CISO at Moelis & Company, and gleaned some valuable insights on what a more effective analyst training path should be. Let’s look at four ways SOC leaders can train and grow analysts beyond certifications and coursework:

  1. Surround your analysts with diversity
  2. Keep analysts on their toes
  3. Don’t be a helicopter manager
  4. Force your team to step outside their bubble

Surround your analysts with diversity

It’s no secret that there is a lack of diversity in many technical roles, including among security analysts. Nevertheless, it’s important to build a diverse team of people—not just racially or ethnically, but in background, training, experience, and education, too. By combining diversity of culture, diversity of background, and diversity of thought, you’re not only giving analysts the chance to learn and grow, you’re ultimately helping the business by creating a better team with a wider set of skills and insights.

Keep analysts on their toes

The work of a SOC analysts can quickly become tedious and repetitive, so it’s important to mix it up sometimes to keep your team sharp and excited. During our panel, Mehan Kasinath of IAC said, “I was a security analyst for 16 years and I still try to think like a security analyst. Through that I’ve learned that if you allow someone to stare at a screen for five days, eight hours, uninterrupted, it would be frustrating, and they would get bored pretty fast.” One way that Mehan keeps things interesting and breaks up the monotony is doing red-team challenges. Not only is it fun to pretend to be the bad guy, your team is still productive by testing its own capabilities and detections.

Don’t be a helicopter manager

One of the most important things you can give your SOC team is a sense of empowerment. That won’t happen if you’re micro-managing every decision and dictating their every move. Paint the broad picture of what needs to be solved and motivate them to go find solutions on their own. By setting them off on their own, you’re giving more exposure to different parts of the enterprise and different parts of the solution stack. This hands-on experience puts analysts in the fire, builds camaraderie, and makes for a more well-rounded team.

Force your team to step outside their bubble

Watching scrolling alerts all day trying to pinpoint where the next breach will happen is a lot of pressure and is obviously quite stressful for analysts. It’s important to take a break from the stress with projects that keep your team motivated and satisfied. Yatin Choksey from Moelis & Company had a couple of great suggestions. First, have analysts do job rotations, everywhere from engineering and ops, to design and product management. This will give them a better, more tangible understanding of what exactly it is they’re protecting, enabling them to become better partners to other parts of the business. Another tactic is giving analysts a research project that they’ll ultimately have to present not just to their own team, but to non-technical individuals. This will strengthen their soft skills and give the SOC team a better understanding of what’s driving the business from a non-technical frame of mind.

Ultimately, it’s all about empowering the people working hard in the SOC every day to do the job that needs to be done in the best way possible. Empowerment can come in many forms, but I hope those I’ve outlined here offer some insight into how security leaders can help build better individuals, better teams, and better results through nontraditional forms of training.

How are you empowering your analysts?