A security operations centre (SOC) analyst works within a team to monitor and fight threats to an organisation's IT infrastructure, as well as to identify security weaknesses and opportunities for potential improvements.
Since a SOC analyst must juggle multiple critical tasks spanning technical, analytical, and business areas, finding qualified candidates is often challenging. Fortunately, pinpointing expert hires can be made much easier by focusing on the following five key skills that every SOC analyst should possess:
Aptitude and drive are common and valued traits in smart, motivated people, yet SOC analysts must also be able to work closely and effectively with colleagues. "If you're looking at the SOC as a cohesive unit, you're looking for a lot of collaboration," says Scott Dally, director of NTT's security division's security operations centre.
"The ability to share information with other analysts through threat intelligence [ensures] that, collectively, the entire unit is on the same page for any given threat."
A SOC analyst must be able to work openly and cooperatively at all times, since a SOC staff is only as good as its least informed analyst. "Collaboration is going to be the key that ensures people are looking for new IOCs [indicators of compromise] and new vectors," Dally says.
Despite the fact that network and security automation technologies are valuable protection tools, and getting better all the time, skilled SOC analysts remain the strongest line of defence. Unfortunately, if analysts fail to properly manage an IOC alert due to a lack of collaboration, their response will be delayed, slow, or missed entirely. "All three of those scenarios are bad," Dally notes.
2. Critical thinking
A frequently overlooked, yet essential SOC analyst skill, is critical thinking—the examination of facts to form a judgement. Critical thinking lies at the heart of a SOC analyst's job, particularly when applied to technical analysis, such as when investigating the multiple layers of an attack scenario.
"Critical thinking skills drive intellectual curiosity," says Dan Callahan, cyber security training director at technology and business consulting firm Capgemini North America. "Most SOC analysts grow and learn by doing their work and gaining hands-on experience," he observes.
Yet textbook knowledge can only take a SOC analyst so far. "It's the desire to want to develop your own skills and abilities that drive a SOC analyst to be successful," Callahan explains.
An analytical approach to problem solving—the ability to not lose sight of the forest for the trees, yet still to be able to see the trees—is a valuable attribute to look for in any SOC candidate, says Theresa Lanowitz, AT&T's cyber security director.
"These types of individuals already exist in most organisations," she notes. "For example, quality assurance professionals who understand the entire scope of an application are highly collaborative in the way they work and are detail oriented." Lanowitz believes that cyber security leaders "need to think outside of the proverbial box" to find SOC analysts who "may not have classic cyber security training but have the innate desire and critical thinking skills to be an effective SOC analyst."
3. An inquisitive mind
Top SOC analysts have an insatiable thirst for knowledge. "The best operators never stop," says Callahan, who compares a top-tier SOC analyst to a professional athlete. "Most just see the athlete play in the game, but few see the practice and preparation behind the scenes that makes them so strong in their abilities," he explains.
Given the fact that the cyber threat landscape evolves continuously, presenting a constant steam of new challenges, a SOC analyst has to be an eager listener and an ongoing learner.
"SOC analysts are on the front lines, and they must maintain currency on both of those skills to achieve maximum effectiveness," says Jon Check, senior director, cyber protection solutions, at Raytheon. "The pace of change is rapid, whether we are considering the ever-evolving tactics, techniques, and procedures our adversaries are practicing, or the plethora of tools continuously being developed to combat those threats."
4. Strong fundamental skills
Along with other attributes, a SOC analyst should possess fluency in key cyber security technologies and attack methodologies. The topics can’t be easily learned on the fly and must be acquired through diligent and frequently refreshed study and practice.
A SOC analyst should have at least a fundamental understanding of information technologies, including networks and communications protocols, says Cory Mazzola, a training architect at cyber security and career training firm Cybrary.
"In order to identify, manage, and respond to a critical cyber security incident, the SOC analyst must be able to effectively monitor network activity and detect pertinent threats," he explains. "Without effective security monitoring and threat detection, an incident could potentially occur without notice, causing untold harm."
While technology- and attack detection-related skills are core hiring considerations, a SOC analyst should also be a good judge of human behaviour, as well as someone with a spotless security record. The biggest threat to cyber security is the human element, whether internal or external, malicious or accidental, Lanowitz says.
"In defending against that human element, don't overlook personal characteristics when selecting your SOC analysts," she urges.
5. Ability to work under pressure
An ability to work effectively while under pressure, regardless of stakeholder expectations or time constraints, is a key SOC analyst attribute. "It's not that technical, problem analysis and problem-solving skills aren’t important, but if you can't work with a clear mind under pressure, you won’t be able to solve security problems," says Ken Magee a skills author for security education provider Infosec.
In today's turbocharged business environment, clients, customers, and business leaders want answers immediately, and they want their systems to go back online as quickly as possible. "It's this pressure from managers—especially non-technical management—that a good SOC analyst has to be able to deal with effectively while solving the problem to prevent recurrence or reinfection," Magee explains.
What about certifications?
Opinions vary on the value of certifications, with most experts concluding that accreditation should be a relatively minor consideration when evaluating a SOC analyst candidate. While useful, certifications should not weigh heavily in the hiring decision.
Certification provides some proof of understanding, credibility, and a desire to learn, but it doesn't provide a clear picture of a candidate's qualifications for the role, Checks says. "A resume adorned with certifications looks nice at face value, but if an individual can't showcase their expertise during an interview or on the job, they aren't proving to be a qualified SOC analyst," he notes.
Certifications may be more important at the start of an SOC analyst's career, since they can give potential employers a baseline and a certain level of confidence in a candidate's abilities, Dally says. As a career progresses, however, certifications become less important as experience and drive become priorities.
Don't be dazzled by a SOC analyst candidate possessing multiple certifications, Lanowitz warns. Concentrating solely on certifications in hiring will almost certainly eliminate potential hires with strong critical thinking and analytical skills, she says. "Focusing on certifications alone significantly narrows the pool of candidates."