Dark Reading is part of the Informa Tech Division of Informa PLC


Edy Almer

Killer SecOps Skills: Soft Is the New Hard

The sooner we give mindsets and tool sets equal bearing, the better. We must put SOC team members through rigorous training for emergency situations.

I spend a lot of time with security operations center (SOC) and incident response teams — functions that have been hit particularly hard by the cybersecurity talent shortage. As I witness my colleagues struggling to fill open SOC positions, I can't help but notice their tendency to value technical skills and specific product knowledge over all other criteria. Now that breaches are the new normal, so-called "soft skills" — such as communication and teamwork skills — are just as important as technical skills but are almost always overlooked when hiring.

Don't get me wrong — technical skills and product knowledge are essential, but when a breach is discovered, SOC staff flip from being the last line of defense against an attack to the first ones responding to it. SOC analysts have evolved into cybersecurity first responders, but they're not evaluated and trained the way first responders in other domains are, and they should be. Think about it — when a cyberattack occurs, an analyst with 10 years of experience with Windows Sysinternals and Wireshark won't be much of an asset if he or she doesn't perform well under pressure.

No reputable EMT provider would hire paramedics only because of their experience with a certain kind of defibrillator, yet that's how we hire in cybersecurity. Even in SOC analyst job descriptions where soft skills are given lip service, rarely are those traits vetted with any rigor during the interview process.

● Excellent communication skills: At just about every customer site, we are asked to help train SOC managers to do a better job of communicating technical information to non-technical executives. This is hard enough to do when you have time to prepare what you want to say, so imagine how stressful it can be to explain the nuances of a ransomware situation to a CFO or CEO when a decision on whether or not to pay the ransom needs to be made in a matter of minutes.

● Teamwork skills: SOC teams must be able to collect and disseminate information and tasks across multiple teams. For example, when correlating information about a new attack, clues usually come from multiple sources: network and endpoint experts, malware analysts, operations teams, and additional team members. Incident responders must not only communicate effectively and succinctly, they must be able to delegate to and project manage multiple teams that may have limited understanding of cybersecurity, and under accelerated timelines where broken communication channels can have irreversible negative consequences. 

● Creative thinking/problem solving: Out-of-the-box thinking is an asset valued by the hacker community for good reason. The same qualities that enable attackers to get into a network are just as useful for defense. For example, one of our customers simulated an attacker blocking the Windows Task Manager process. One clever incident responder made a renamed copy of the Task Manager executable and ran that instead; the copy was not caught by the block, which revealed the attacker's actions and enabled the team to squash the attack.

● Functions well under pressure: This is a signature quality of any first responder in any field. Currently, few cyber incidents qualify as life-and-death situations, but as attacks against industrial control system targets such as electric and nuclear power plants and Internet of Things systems such as car computers and medical equipment become mainstream, that is likely to change. Incident responders who are unable to function under extreme pressure should be identified and transferred into other roles now, before cyberattacks have the capacity to become fatal.

People in any profession that requires performing well in high-stakes, high-pressure situations (doctors, pilots, paramedics, soldiers, professional athletes) are evaluated and trained the same way — through realistic, experiential drills that simulate or otherwise recreate real-world conditions.

When preparing for the Battle of Normandy, General Eisenhower created a replica of the enemy's coastal defenses and, in order to get soldiers used to the pressure, had the troops repeatedly practice landing on the shore amid simulated gunfire and explosions. Practitioners in other fields, including ER doctors and pilots, undergo equally elaborate simulated training. It's time we did the same with SOC analysts.

But we can't just look for these traits when hiring and then move on once the analyst has been hired. To make sure cybersecurity first responders are prepared for an attack, especially given how quickly SOC tools and attack tactics, techniques, and procedures evolve, incident responders should be drilled regularly — at least quarterly.

It will be a culture and process shift to adapt our hiring and training processes accordingly, but it's an entirely doable proposition — we just need to make it happen. The skills shortage won't go away overnight, but when it comes to hiring and training incident responders, the sooner we give mindsets and tool sets equal bearing, the better.


Edy Almer leads Cyberbit's product strategy. Prior to joining Cyberbit, Almer served as vice president of product for Algosec. During this period the company's sales grew by over four times in five years. Before Algosec, Almer served as vice president of marketing and ...
