Five Attributes for Hiring the Right Cyber Talent
July 19, 2017
In my last Security Operations Centers' post, I highlighted that the single most important aspect of any successful security operations center (SOC) is the people. The next consideration is determining what characteristics make great SOC analysts. In my experience, I’ve found that great SOC analysts share five common attributes: creative thinking, critical thinking, curiosity, a foundation in technology, and a propensity for using technology to replace manual, repetitive processes.
Focusing on these five attributes in hiring can give managers an advantage in competing for scarce cybersecurity talent; they enable managers to think outside the box and broaden the pool of available candidates. For example, I’ve hired new computer science graduates who fit these attributes, and they have turned out to be top-notch talent, even though they didn’t yet have deep cybersecurity expertise. Finally, I have found that if you can hire two to five analysts who have these five attributes, your SOC can be taken to a whole new level of effectiveness in identifying and removing malicious activity in an enterprise.
Creative and critical thinking
Great analysts use both creative and critical thinking, often going against the herd or seemingly conventional wisdom. Creative thinking is about new ideas, methods, and techniques. Critical thinking is the ability to evaluate the worth or validity of an existing idea, method, or technique. Within cybersecurity, critical and creative thinking are both required to understand cyber threats specific to the environment and to tailor solutions.
Creative and critical thinking are also required to prioritize investigations in a sea of data. Anyone can search for IP addresses and other indicators of compromise, but SOCs need people who can create new ways of finding attacks, including previously unseen ones, and who can think beyond the bits and bytes to understand the more sophisticated threat actors on the other side of the keyboard. Above all, SOCs need those who are inherently interested in learning more about the technology, because it is constantly changing.
This takes curiosity. And it starts with the interview
When screening and interviewing candidates for analyst positions, I look for those who are interested in cybersecurity and/or coding as a hobby. What do they do with their spare time? Is it computers? Then chances are the analyst would not only be enthusiastic to come to work but also to continue learning in an ever-shifting environment. How does one tell if a candidate has curiosity as a trait? During the interview, are the candidate's questions only about the role, or does he want to know about the threat landscape the SOC organization faces and the scope (tools, technologies, processes) within which your analysts operate?
Fundamental understanding of technology
If a candidate is intellectually curious and genuinely enjoys technology, she is probably learning the fundamentals on her own or through formal education. Certainly, the fundamentals can be learned as the analysts go along, but they first need an inherent technology foundation that they can build on. They also need the ability to recognize when they don’t know something and take the initiative to go figure it out. Incidentally, one-week training courses tend to be insufficient if genuine interest is not there. For example, if analysts are poring through router protocol information, such as NetFlow, they might need to dig into how the protocol works and how it's used, and then go on to the specifics of the routers they are parsing, such as particular Cisco idiosyncrasies. While a one-week course in Cisco router protocols can be beneficial to analysts who are genuinely interested, it will have little impact on those who are not inclined to learn on their own to supplement the training.
They use technology to automate repetition
Another kind of great analyst is the technologist motivated to automate repetitive or otherwise tedious analysis. As a SOC manager, I want the intellectually curious people who use computers to learn and to reduce the tedium. Sometimes it comes from being lazy, or from an analyst thinking, "I want to know something, but I want the computer to do it for me." That is, he writes scripts to test out his ideas, perform tedious or repeated tasks, and aid him in his analysis. This can be the perfect SOC analyst (caveat: make sure they're not lazy about other things, like showing up for work).
Consider a few great analysts
A SOC can potentially be far more successful at detection, defense, and even prevention with just two to five high-caliber cyber analysts than a SOC with 50 average analysts. Excellent analysts serve as force multipliers, with the ability to see where things are and are not working and to develop their own ways of addressing problems. Through this, they identify inefficiencies and ineffectiveness and initiate their own workarounds. Of course, strong SOC managers are necessary to ensure balance and to set the strategic direction and operational priorities.
Those SOC managers who can attract a few great analysts, then build out and automate from there, can significantly increase the effectiveness of a modern SOC. Until then, SOC managers can and should challenge their own SOCs and analysts by regularly asking: How many actual incidents (new incidents, not ones previously detected) were found through event monitoring? Are the analysis and warning efforts effectively identifying malicious activity? If the answer is continually negative, then consider how a great analyst could help modernize your SOC.