How to Train Your SOC Staff: What Works and What Doesn’t

We’re all familiar with the shortage of talent to staff security operations centers (SOCs), the challenge of hiring qualified cybersecurity professionals, and the burnout and overwork that make it impossible to keep good staff. So why not make an effort to hang on to your security analysts and make sure they stay up to the challenge?

The stress of the 2020 remote work pivot is still fresh in the minds of staffers who had to secure an entire workforce of remote workers in days—and sometimes overnight. Now is a good time to pay attention to the care and feeding of your SOC staff, and training is a good way to show them you’re paying attention. On-the-job training and professional development are good ways to improve your staff retention, according to the annual survey from (ISC)², the association of certified cybersecurity professionals.

Training programs have a two-fold benefit to organizations: not only do they help SOC staff learn new skills such as Security Orchestration, Automation and Response (SOAR) and machine learning, which makes them more productive, but training can also cut back on staff losses. A SANS study found that instead of taking their new skills elsewhere for more money, highly-skilled staff were the ones who stayed on the job the longest. 

With that in mind, how do you put together a good training program for your SOC? You need to start by knowing your goals, then develop a lesson plan that works with the ways your people want to learn, and execute that plan in a way that works with your organization, not against it.

What Works

Know what you want to accomplish: What do you want your people to learn? Often, the main goal of training staff is changing behaviors. You may want the SOC to improve average response time to threats, or spot security gaps on cloud-based systems. Define that goal and then you will know just what you need to include in your training program.

Your goal should prioritize building skills over knowledge, because the skills are what really affect the behavior change you seek. Added skills mean your SOC personnel will second-guess themselves less. Knowledge is good; it’s great to understand the concepts and background behind your systems, but you’re truly striving to build up skills. That’s where you can really see progress towards the goals you set.

Establish a baseline: Start out with an assessment to discover the skill levels of your learners. You have to know where your team stands, because not everybody is going to be at the same place in terms of their knowledge. The tight market for talent means many SOCs are hiring entry-level staff who may not be as experienced. They’ll need to be trained on all your systems, while more experienced people won’t need the same content. A needs assessment provides a baseline for where your staff is in terms of their skills and where they can reasonably go in their development.

Build a core curriculum: Right-size the materials so they are just challenging enough and long enough to be effective. Don’t judge quality by how much time it takes or how difficult it is; rather, make sure your training content teaches and changes behavior.

Make sure the training is relevant to real life and the situations your team will face. A lot of security training uses scenarios that can go a bit off into Hollywood territory: “Your company has been targeted by some criminal organization with highly sophisticated capabilities.” Instead, a lot of what a SOC analyst deals with on a daily basis is commodity malware, or very common threats.

You want to make sure that you’re prepared to deal with the severe threats, but also that your team has enough training in the things attackers are actually doing every day. Then, as you’re training your SOC analysts, you might want to introduce some offensive security content, so they can start understanding how attackers think. That complementary knowledge makes them more effective and helps sharpen their skill set.

What Doesn’t Work

Lack of structure: Your program should have guardrails. Don’t just purchase a training platform or a subscription training service and let your people go at it without any kind of guidance. Even if you’re using an off-the-shelf training program, you want to make it your own. Make sure that it fits your team, your learners and your industry.

Map it to your learners and to the current threat landscape. Communicate across teams: ask your SOC team what kind of phishing emails they’re seeing; ask incident responders what threats they are dealing with; ask threat hunters what attacks are most common, etc. Make it more authentic to your organization.

Having a road map is not only good for the learners, but also good for supervisory staff who have to report to management. It gives everyone more buy-in and more ownership of the process, rather than a directive of: “It’s February; time to do your training.”

Lack of goals: I’ve said this before, but it bears repeating: know what you want to achieve and how to measure whether you’ve actually achieved it. Your SOC staff is busy. They often feel overwhelmed by constant alerts. Don’t make training a chore by turning it into a requirement to spend “X” hours taking a course.

Does the training give those learners the confidence to deal with threats? Does it give them the experience to make the behavior change to where they’re not second-guessing themselves, or hesitant to react to an alert? Are they able to utilize the right tools and the right processes?

Having a set measure of achievement means you don’t confuse quantity with quality. It’s tempting to say more training hours is better, but that doesn’t always equate to good content. Sometimes a person can learn more in less time, but we often believe that if the training is longer, we must be getting our money’s worth.

One-size-fits-all approach: Give your learners space for self-direction. It’s not practical to say to your staff: “Everyone’s going to train every Wednesday from 3:00 to 5:00.” There are meetings to be scheduled, or a SOC analyst may have to deal with an event. They can’t just ignore that alert because 3:00 to 5:00 p.m. today is blocked for training and they’ll be reprimanded by management for missing it.

Your training also needs to accommodate all learning styles. We all learn differently: some learn by reading, some by watching, and some through hands-on experience. As good as hands-on training is, it can be very taxing on team members who already have a lot on their plate. Don’t overdo it. Mix training formats up and add variety to keep learners engaged, and provide different avenues for staff to acquire new skills.

Training programs are an expense to an organization, but as surveys have shown, offering SOC staff professional development opportunities turns out to be a tool for talent retention. It shows that you not only value your team, but you value making them more effective cybersecurity professionals.

Jeff Orloff is Vice President of Products and Technical Services at RangeForce, a cybersecurity training company. He has over ten years of experience in cybersecurity, computer and network security and system administration. Prior to RangeForce, he was Director of Product Management and UX at COFENSE, a company specializing in email security, phishing detection and response. He also served as Technology Coordinator for the Palm Beach County Florida School District.