- Career vs. Job
- Developing Job Roles
- SOC Job Roles
- NICE Cybersecurity Workforce Framework
- Role Tiers
- SOC Services and Associated Job Roles
- Soft Skills
- Security Clearance Requirements
- Onboarding Employees
- Managing People
- Job Retention
- Evaluating Training Providers
- Company Culture
Developing Job Roles
Many different job roles fall under the categories “cybersecurity” and “information technology.” Within those generic categories are roles that are responsible for presales, delivery of services, daily operations, and everything in between. Your SOC will have roles that fall under the cybersecurity and information technology categories; however, your SOC roles will require specific skills, knowledge, and experience based on the services your SOC offers. Sometimes skills, knowledge, and/or experience can be acquired on the job, while other times they are prerequisites for an employee to take on the associated responsibilities of a job role. Successful organizations clearly define job roles, compensation ranges, responsibilities, and paths for career growth because these elements are what attract and retain quality people.
In Chapter 1, I introduced the eight core services I find within mature SOCs. Each service has different types of job roles, which some can apply to multiple services while others are very specific to a single service. You will need to recruit and retain the right talent for the services you offer, which continues to be an extremely challenging task in today’s competitive cybersecurity job market. Not only is it hard to find the right talent, but experienced talent will be expensive. You will have to decide when you can groom an internal employee for a role or seek external talent to fill a position.
One major factor that impacts these decisions is available budget for recruiting talent. Leadership will need a general number of what the cost will be to fill a SOC position. The best way to determine a ballpark cost to fill a SOC position will be using publicly available pay scales. The general schedule pay scale is an example of such a resource.
General Schedule Pay Scale
The U.S. federal government uses a scale based on series and grade to categorize and define jobs. The series is a numbered system for grouping similar occupations. For example, a computer engineer is part of the 0854 series, while a nurse is part of the 0610 series. The grade refers to the General Schedule (GS) pay scale representing the pay level for the job. A job role with a higher GS grade will have a higher pay range. Employees with a high school degree and little experience fall under the GS-5 and lower range, while people with work experience can expect to be at least at a GS-7 level. Employees with a master’s degree and special experience will expect a GS-9 or higher job role. People looking to work for the U.S. federal government can use this system to quickly understand the pay range for any available U.S. federal job request. Candidates can also refer to the standardized language of the GS pay scale jobs to ask about how the existing role can advance to higher GS grades as the candidate gains experience in the role.
The GS pay scale is just one example of a pay scale you can use to standardize how compensation is distributed to each job role in your organization. You want to apply a formal pay scale to your SOC roles to set expectations for the pay range associated with your positions. You also need to be specific regarding what skills and other requirements are involved with each role to ensure potential candidates know what is required to qualify for the role. This also applies to advancements in a role. For example, as a SOC analyst gains experience, her title should change. A SOC analyst could start out as a grade 1 analyst. Once that analyst meets certain time, skill, and experience requirements, the analyst can request to be promoted to a grade 2, which will have a higher pay range. While skills are being obtained, salary increases should be provided that fall within the specific pay range. At some point, the candidate will hit the top of the pay range and must move to another pay range before any further increases in salary can be provided.
Formalizing pay scales enables employees to understand how their compensation will change as they increase in grade scale or switch roles, which will have their own assigned grade scale. Some job series will max out faster than others, encouraging an employee to switch roles if they desire a higher pay scale. An analyst series might max out at the role “analyst grade 5” while the pay for a analyst grade 5 is similar to a “architect grade 2” role. In this example, an analyst would not be able to make the same income as an architect grade 3 or higher, motivating the analyst to switch roles if he wants to be part of a higher pay scale than what an analyst pay scale could offer. Having certain job series max out at lower pay scales than other job series isn’t a bad thing. Developing a job role structure with certain job pay scales maxing out lower than others encourages career development that is driven toward senior job titles. Companies that don’t encourage career growth and just provide standard raises on an annual basis will not encourage employees to invest time into developing their skills or career. As a result, employees will remain unmotivated and a flight risk.
IT Industry Job Roles
Job roles need to be clearly defined to identify a baseline of responsibilities as well as skills and experience expectations. The next section reviews the various types of jobs and their expected associated skills. It is up to your organization to customize and explain how the general skills associated with a job title relate to the specific job role and what additional skills and experience are desired for a potential candidate to be considered.
According to the employment website Indeed (https://www.indeed.com), the following items need to be included in a basic job title. Make sure to elicit responses to each of these categories with any job posting that you publish.
Job role: Use targeted language rather than generic titles. Avoid lingo that is internally unique to your organization.
Job summary: Sell your job with an attention-grabbing summary. Include the exact job location, including whether remote work is an option.
Responsibilities and duties: Outline the core responsibilities. Highlight the day-to-day activities. Specify how the position fits within the organization and SOC.
Qualification and skills: Provide a list of hard and soft skills. Keep the list concise.
To better understand job roles, let’s review common job titles and their associated skills.
Common IT Job Roles
Reviewing the common job roles that exist in the IT market space is a good place to start before focusing on the SOC-specific roles you will want in your organization. You can use the following list of IT industry job roles to better understand what type of skills are associated with a common IT title and determine if that role could apply to a SOC role you are looking to fill. Some roles will be tied to generating revenue, known as presales roles, while others will be supporting the organization in various fashions. Some job roles, such as a PCI DSS compliance officer, are tied to specific tasks, while others, such as a network engineer, are more generalized. The range and depth of skills will also vary between roles. A presales engineer might or might not have much hands-on experience with a technology depending on how the candidate utilized the technology in his or her previous role. It is best to qualify any skill during the interview process and validate experience through references.
Account manager (AM): An account manager works in the sales and marketing department of a business and is responsible for managing client accounts. This job role requires very little technical knowledge, but it does require mature soft skills and a drive to execute on meeting or exceeding sales goals.
Sales engineer (SE): A sales engineer combines technical knowledge with sales skills (a combination of hard and soft skills). Because many account managers lack technology knowledge, they require an engineer to handle technical-related tasks. Those tasks include understanding the customer’s technical needs, explaining the technology or services those needs represent, providing demonstrations of technology, or possibly even installing technology to prove it can accomplish the desired goals so that a sale can be achieved. Sales engineers must be able to translate technical concepts into terms that nontechnical people understand.
Marketing engineer: Organizations that sell products or services have teams dedicated to developing how those offerings are marketed to customers. Some marketing teams require creative people with a technical background to explain the value of the solutions being offered as well as validate if the marketing efforts meet their targeted customers’ expectations. The level of technical and soft skills required for the marketing engineer position will depend on the type of products and services being offered as well as how the marketing engineer will be utilized.
Installation/post-sales engineer: This role supports presales teams by delivering the products and services that were sold to the customer. Services could be short-term or long-term contracts and have various travel requirements. For example, an installation engineer could travel often to new customer locations for short projects or be part of a long-term deployment that spans across multiple locations.
Compliance officer: Many organizations have compliance requirements that they must meet to offer certain types of services as well as to avoid the negative impact (such as fines) from not meeting mandatory compliance. Compliance officers are responsible for monitoring the current state of an organization’s compliance status, obtaining proof that compliance is met, monitoring for changes in compliance, and performing other compliance-related tasks.
Manager: Managers are responsible for addressing employees’ needs. Fulfilling those needs can include operational requirements, such as providing tools and support to perform their jobs, or emotional support to encourage a positive working environment. Great managers help people achieve goals as well as mentor employees so they can grow their skills and feel accomplished. When employees experience challenges, managers are responsible for representing their needs. Managers are expected to have strong soft skills and experience managing people.
Desktop support: The desktop support group focuses on managing host-related services. This can include support needed for desktops, laptops, mobile devices, and sometimes servers. Desktop support can be responsible for issuing equipment, enforcing security within equipment, and supporting the equipment with updates or software requested by employees. Desktop support can also develop policies for endpoints and support the SOC’s mission of enforcing security policies. Skills can range between operating system types and tools, depending on experience level.
Helpdesk: The helpdesk team is responsible for anything related to supporting employees and their equipment. This role is typically the first layer of support for an organization’s internal services. Examples of common helpdesk job duties include resetting passwords, provisioning hardware and software, and responding to security incidents, such as a user reporting that her computer might be infected with a virus. The desktop support role and helpdesk role can be the same role or have responsibilities divided between different teams. A SOC can include a helpdesk service to assist with responding to security incidents and to support SOC team members’ technical requirements.
Database/cloud engineer: Organizations create data and need a place to store it. Data can be stored locally on servers or on a cloud storage service provider’s servers. A database or cloud engineer acts as a data custodian ensuring that data is protected and policies created by the data owner are enforced. Technical skills include setting up relational databases, designing queries and reports to access information in the databases, and administering backup and recovery procedures.
Network engineer: Network engineers deploy and manage the organization’s networks. Every organization has some form of network services such as LAN, VPN, and wireless. Even organizations that lead with cloud services need a network to enable employees to access the cloud. Network engineer skills range from configuring to monitoring and troubleshooting various types of network equipment.
Software engineer: Computer programs are computer code created by software engineers. As IoT and other technology grows in popularity, the need for programmability and applications increases the need for software engineers. Many SOCs leverage customized applications that are built by software engineers or leverage open-source tools that can leverage programmable tools that modify how the tool works or how the data is used by the tool. Software engineers develop information systems by designing, developing, and installing software solutions.
Some of the preceding job roles could apply to SOC work, while others do not but could perform SOC work with some level of training. I also didn’t cover every job role you will find if you search popular job recruiting resources using terms like “cybersecurity” and “information technology” since the list could take up the entire chapter. Many of these jobs are also feeder roles into security-related work, meaning jobs people do before they start working in a SOC or undertaking similar security-related work. Sometimes people find a job in security later in their career because the candidate didn’t initially pursue a career in security after completing their education, found an opportunity in non-security-related work prior to performing SOC work, wasn’t qualified for security-related work, or other reasons.