Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

10:30 AM
Edy Almer
Edy Almer
Connect Directly
E-Mail vvv

Killer SecOps Skills: Soft Is the New Hard

The sooner we give mindsets and tool sets equal bearing, the better. We must put SOC team members through rigorous training for emergency situations.

I spend a lot of time with security operations center (SOC) and incident response teams — functions that have been hit particularly hard by the cybersecurity talent shortage. As I witness my colleagues struggling to fill open SOC positions, I can't help but notice their tendency to value technical skills and specific product knowledge over all other criteria. Now that breaches are the new normal, so-called "soft skills" — such as communication and teamwork skills — are just as important as technical skills but are almost always overlooked when hiring.

Don't get me wrong — technical skills and product knowledge are essential, but when a breach is discovered, SOC staff flip from being the last line of defense against an attack to the first ones responding to it. SOC analysts have evolved into cybersecurity first responders, but they're not evaluated and trained the way first responders in other domains are, and they should be. Think about it — when a cyberattack occurs, an analyst with 10 years of experience with Windows Sysinternals and Wireshark won't be much of an asset if he or she doesn't perform well under pressure.

No reputable EMT provider would hire paramedics only because of their experience with a certain kind of defibrillator, yet that's how we hire in cybersecurity. Even in SOC analyst job descriptions where soft skills are given lip service, rarely are those traits vetted with any rigor during the interview process.

● Excellent communication skills: At just about every customer site, we are asked to help train SOC managers to do a better job of communicating technical information to non-technical executives. This is hard enough to do when you have time to prepare what you want to say, so imagine how stressful it can be to explain the nuances of a ransomware situation to a CFO or CEO when a decision on whether or not to pay the ransom needs to be made in a matter of minutes.

● Teamwork skills: SOC teams must be able to collect and disseminate information and tasks across multiple teams. For example, when correlating information about a new attack, clues usually come from multiple sources: network and endpoint experts, malware analysts, operations teams, and additional team members. Incident responders must not only communicate effectively and succinctly, they must be able to delegate to and project manage multiple teams that may have limited understanding of cybersecurity, and under accelerated timelines where broken communication channels can have irreversible negative consequences. 

● Creative thinking/problem solving: Out-of-the-box thinking is an asset valued by the hacker community for good reason. The same qualities than enable attackers to get into a network are just as useful for defense. For example, one of our customers simulated an attacker blocking the Windows Task Manager process. One clever incident responder renamed and ran the file, which revealed the attacker's actions and enabled them to squash the attack.

● Functions well under pressure: This is a signature quality of any first responder in any field. Currently, few cyber incidents qualify as life-and-death situations, but as attacks against industrial control system targets such as electric and nuclear power plants and Internet of Things systems such as car computers and medical equipment become mainstream, that is likely to change. Incident responders who are unable to function under extreme pressure should be identified and transferred into other roles now, before cyberattacks have the capacity to become fatal.

Any profession that requires people to perform well in high-stakes, high-pressure situations (doctors, pilots, paramedics soldiers, professional athletes) are evaluated and trained the same way — through realistic, experiential drills that simulate or otherwise recreate real-world conditions.

When preparing for the Battle of Normandy, General Eisenhower created a replica of the enemy's coastal defenses, and in order to get soldiers used to the pressure, had the troops repeatedly practice landing on the shore amid simulated gunfire and explosions. Other fields, including ER doctors and pilots, undergo equally elaborate simulated training as well. It's time we did the same with SOC analysts.

But we can't just look for these traits when hiring and then move on once the analyst has been hired. To make sure cybersecurity first responders are prepared for an attack, especially given how quickly SOC tools and attack tactics, techniques, and procedures evolve, incident responders should be drilled regularly — at least quarterly.

It will be a culture and process shift to adapt our hiring and training processes accordingly, but it's an entirely doable proposition — we just need to make it happen. The skills shortage won't go away overnight, but when it comes to hiring and training incident responders, the sooner we give mindsets and tool sets equal bearing, the better.

Related Content:



Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Edy Almer leads Cyberbit's product strategy. Prior to joining Cyberbit, Almer served as vice president of product for Algosec. During this period the company's sales grew by over four times in five years. Before Algosec, Almer served as vice president of marketing and ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
6/6/2019 | 11:24:36 AM
Everywhere security should be there and always the security has to be updated according to the conditions otherwise there will be some loopholes in it and it can be bypassed easily can someone suggest what kind of security should be there in the best institute in bhubaneswar so that my coaching remain safe.
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 has a SQL injection vulnerability. The vulnerability stems from the log_edit.php files failing to filter the csa_to_user parameter, remote attackers can exploit the vulnerability to obtain database sensitive information.
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 has web site physical path leakage vulnerability.
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 has an unauthorized access vulnerability in default_user_edit.php, remote attackers can exploit this vulnerability to escalate to admin privileges.
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 has a sensitive information disclosure vulnerability. The if_get_addbook.php file does not have an authentication operation. Remote attackers can obtain username information for all users of the current site.
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 has a SQL injection vulnerability. The vulnerability stems from the control_task.php, control_project.php, default_user.php files failing to filter the sort parameter. Remote attackers can exploit the vulnerability to obtain database sensitive information.