Fixing the Lack of Enablement

The Detriment to Our Operations Is Our Skills Gap

Working as an analyst over the last few years before transitioning to an engineering role, I came to understand probably the biggest thing I didn’t expect coming out of my role as a senior: being a mentor. Mentoring was my biggest ‘billable’ hour, probably more hours than I spent on my own hunting and senior-level tasks, along with leading operations. This wasn’t in one SOC either. Each SOC I stepped into as I moved from junior to mid to senior had its challenges of analysts simply not understanding what to do, or even worse, what it is they even do or contribute to. Be forewarned, a lot of this article comes from the heart based on my experiences, so I go in heavy on some topics. My goal is to be as constructive as possible though, so I hope that many take away positive feedback from this!

Senior Team Members Need to Step Up

My biggest pet peeve with senior team members is a failure to understand their role as senior team members. You are likely not shift-based anymore, have your own desk or even an office, and have specialized tasks like content creation, detection engineering, threat hunting, incident escalations, etc., but if you aren’t prepared to usher in the next generation of analysts (who are often the freshly certified/graduated new guy trying cybersecurity for the first time) then I’ll be blunt: you’re not in the right job. The pay bump isn’t just so you can feel good about your role as a senior team member, and you most certainly didn’t get your role from sitting around. You’ve honed your craft and made a name for yourself. You’re now on top of your technical mountain, and your view is the mountains that others must now climb. It’s time you use your climbing experience to help others become successful as well, following the mantra the Army (jokingly) taught me:

“One Team, One Fight”

Be prepared to spend time with your analysts. They look up to you and often see you as a role model, and you should be leveraging their undivided attention as a means of ensuring they understand their role, the mission, and how to succeed as an analyst and as a team. Here’s a list of things you should be doing as a Senior Analyst:

  • Hosting a SOC First-Day Orientation

  • Training and enablement on your Tool Kits

  • Monthly or Bi-Monthly Team Meetings on Important Topics (Changes in people, processes, or technologies)

  • Conducting Lessons-Learned/After Action reviews

  • Assisting in helping an analyst create a learning path

  • Impromptu hands-on training

  • In general, breaking the ‘drink from the firehose’ mentality by facilitating more effective and concise learning experiences, rather than in-the-moment learning

Additional things that a SOC Manager should be doing:

  • Weekly or bi-weekly one-on-ones as a check-in for team members

  • Ensuring that an effective 30/60/90 day plan is implemented for your new team members to give them goals to work toward

  • Getting access to training and enablement materials from vendors of products you use

  • Being comfortable receiving feedback about SOC people, processes, and technology (feedback isn’t just a one-way street as a manager)

  • Working with your organization to fund educational items for your team like certification reimbursement, student loan assistance, industry conference passes, etc.

There is no one-size-fits-all template that you can Google to become an analyst. Trust me, I tried. I relied heavily upon the mentorship of my team, and the foundational knowledge I received from things like certifications and college was only the canvas my mentors painted upon. Which leads me to my next big problem with our current educational environment…

Gatekeeping and Pay-to-Play

This section should be self-explanatory. The financial burden of SOC team members and their education is one that shouldn’t be ignored by employers anymore. Once we get past our entry-level certifications like A+, Network+, and Security+ ($300-$400 a voucher), we are suddenly inundated with certification costs that begin hovering around $1,000 per voucher, and don’t even get me started on SANS courses (which start at the lovely tune of ~$4,000 plus voucher).

As employees, we can no longer afford our education, no matter how invested and motivated we are; money just doesn’t appear out of thin air for these types of expenses, and expecting employees to open credit lines to afford them is negligent. You will praise them all for excelling in their education right up until they’re suddenly resigning because they received a 20-40% raise and a sign-on bonus that virtually eliminates that debt (that was me once).

If you want to have a world-class SOC, or even just a darn good one, employers should take note of this free consulting advice: stipends, reimbursement, group training programs; it doesn’t matter how you get it to your SOC team, just do whatever you can to get them there. You will boost morale and retention by ensuring your staff is educated and compensated for the time and effort they put in to keep you secure 24/7/365. This process starts at the SOC Manager level, who should work with leaders to advocate for your teams to get them where they need to be!

On the flip side, team members, you can’t ask and ask and ask and then do nothing once you receive. You need to take advantage of employer education programs and max out the benefit every year. Show them that you’re worthwhile and aim for the best review remarks you can each review cycle, so that you demonstrate these kinds of programs work and are effective at improving yourself, the team, and the organization.

Finally, a note on gatekeeping. The price of education is one kind of gatekeeping, but there are individuals who also gatekeep for the sake of keeping information proprietary to seem smarter or more important, or simply out of a general laziness in that they don’t want to train the team to solve the problem. Either way, I’ll call this methodology what it is: it’s a failure on the part of that team member to enable the team to cover all functions, and it slowly boils down to a single point of failure. In reverse, it is a team unable to take on important functions, which leaves one team member feeling the burden of always having to cover that task. This needs to be nipped in the bud as soon as possible; no single piece of information is too good to be kept to one individual if there is no good reason for compartmentalization for the sake of security. There will be gaps in skills, but there should never be a gap in the carrying out of a process.

College Isn’t For Everyone

If you’re still young (at least in spirit), are interested in cybersecurity, and haven’t gone to college yet, here’s some advice: consider not doing it. The mentality that a degree earns you the best living doesn’t hold in this field, and I’ve seen it first hand. The best experts are often under-credentialed overachievers who simply run circles around the best of us who are knee deep in certifications and experience (and I’ll be the first to admit it). Take Justin, our Co-Founder and SOC Expert, who doesn’t have a college degree, yet is CEH and GREM certified, along with being a designated Lethal Forensicator by SANS. I’ve come across many professionals in the field who don’t have a degree in cybersecurity like I do who can perform at a similar or better capacity than I do. This industry is about heart and adaptability, and that’s only half of the problem with college in this field.

The second is the inability of college itself to adapt. Programs teach on outdated material, or a lack thereof. College programs have to go through certification and accreditation processes before they’re taught to the general public, and this creates a critical failure in the education system. I joke that by the time they teach about SolarStorm in college-level courses, SolarWinds won’t even be a company anymore. Colleges need to rethink their strategy if they hope to effectively bridge the workforce skills gap with new talent that knows how to work in a SOC. Many times otherwise, colleges teach what I call ‘utopian principles,’ which are sets of standards and practices that have little to no real-world use or effectiveness, which professors teach because they lack real-world experience or are required to by a curriculum built by someone who doesn’t have real-world experience. My bachelor’s taught me zero about what SOC life actually was; only my experience did.

The positive note I have on this is that I am getting a lot of ads lately pointing towards college-led cybersecurity bootcamps. Bootcamp-style education is becoming very popular these days, with bootcamps for just about everything in the I.T. industry, where topics are broken down over a period of anywhere between three and thirty-six months and approached in an informal way. I would only advise caution approaching these, but otherwise endorse this new way of getting people the knowledge they need without the filler college degrees require.

Finally, It’s Up to You

If you’ve followed me to the end on this one, I appreciate it. This entire post is most certainly a huge debate amongst professionals in the field. Most of us know at this point that the pipelines we have for new talent and for improving existing talent just aren’t effective, and all of this comes from my time and experience on the subject as I’ve grown in the field over the last decade.

So what’s next for you then? Well, whether you’re a newbie reading this article or the experienced and grizzled senior analyst, here are a few places you can turn to so that you can better understand where to go next on your journey:

  • What kinds of jobs are out there? Here’s CISA’s adoption of NIST’s NICE Framework, which can be a helpful guide to understanding jobs, their titles, and required credentials and experience: https://niccs.cisa.gov/workforce-development/cyber-security-workforce-framework

  • Curious about the types of certifications and a supplemental roadmap to NIST’s NICE Framework? Paul Jerimy almost quite literally wrote the book on understanding certifications by compiling a list of them in technical order: https://pauljerimy.com

  • Need to boost your existing knowledge, career, or build that resume? Coursera scrapes job postings and looks for certification requirements, then updates and feeds us that data so we can keep a lookout on current demand in the workforce: https://www.coursera.org/articles/popular-cybersecurity-certifications

  • You can get fantastic video courses on general topics and specific certifications from sites like https://linkedinlearning.com and https://www.udemy.com as well as free A+ to Security+ from https://www.professormesser.com

  • Does your employer cover SANS courses? If so, it’s time to really step up your game and go to the industry standard in technical training and certification: https://www.sans.org

  • How about an I.T. bootcamp? There are tons of bootcamps that are both general and very specific, such as ones from https://trainingcamp.com that cover mostly certification training. There are others though, like the earlier mentioned college-led ones, that cover entire subject matters.

Mark D. Rogers Jr.

Mark is a decade-plus veteran of the I.T. and cybersecurity space, specializing in Blue Team operations such as SOC analytics, CTI, engineering, and management.

https://socops.ninja/team/mark-d-rogers-jr