Cyber Skills
min read

Interview Series - Rob Line on Starting a Career as a SOC Analyst

Published on
November 8, 2022
November 14, 2023

This is the first of a three-part series where we dive into the world of cybersecurity operations with an exclusive interview featuring Rob Line, Principal Talent Consultant at CyberSec People. Renowned for his expertise in recruiting top-tier talent for high-stakes positions in cybersecurity, Rob brings a wealth of knowledge and insights, particularly beneficial for those aspiring to launch their careers as Security Operations Center (SOC) analysts.

In this interview Rob answers critical questions about the skills, experiences, and traits that make a standout SOC analyst in today's rapidly evolving cyber landscape. Whether you're just starting out or looking to pivot into this exciting field, Rob's perspectives are sure to provide valuable guidance and inspiration. Read on to uncover the essentials of building a successful career in cybersecurity operations, through the eyes of a seasoned recruitment specialist.

Can you describe the typical career progression for someone starting as a SOC analyst?

If someone is beginning their career as a SOC Analyst, they typically start as an L1 Analyst. This role involves monitoring logs and network traffic to identify suspicious activities. The primary tasks include distinguishing false positive alerts from legitimate threats and escalating these genuine threats to a more senior analyst. Once they have accumulated sufficient experience, and depending on the maturity of the SOC, they would progress to L2 and eventually L3 roles. In these advanced stages, they often become the point of escalation due to their experience. It is at this stage that most analysts tend to specialize in a particular discipline, such as Digital Forensics and Incident Response (DFIR), Threat Hunting, Threat Intelligence, or SecOps engineering, including Detection Engineering.

What are the key skills and experiences needed to advance in this field?

In my opinion, many people complete a security certification aspiring to be a SOC Analyst but often lack the essential fundamental IT knowledge. Some of the best analysts I've seen have a background in Helpdesk or tech support, where they gain a deep understanding of how computer systems work and experience in triaging problems. Building on that, the key skill or trait needed for success in this field is curiosity. To truly excel, it can't just be treated as a 9-5 job. The industry evolves rapidly, and staying up-to-date with the latest trends and techniques used by threat actors is crucial. It must be a passion, characterized by both interest and commitment. Additionally, real-world experience or scenarios are also vital, which we will likely discuss more in detail later.

What are the latest trends in cybersecurity that are impacting SOC roles?

The industry's rapid growth and the advanced development of threat actors are leading to a significant shift from reactionary work to more proactive efforts. This change is evidenced by the growth in proactive security operations capabilities such as Detection Engineering, Threat Intelligence, and Threat Hunting. It is increasingly acknowledged that breaches cannot be completely prevented, and having a solid Incident Response (IR) plan and function is the next best strategy to minimize damage.

What new skills are becoming essential for SOC analysts in light of these trends?

When it comes to hard skills, as more companies operationalize Threat Hunting and Threat Intelligence capabilities, those who excel in writing excellent queries in SQL or NoSQL will find themselves in a strong position career-wise. Regarding softer skills, an understanding of risk management and business acumen is crucial. This knowledge provides individuals with a lens to view their work in the context of business impact, helping them understand how their actions affect the business. I have long maintained that communication is the most important skill in this field, and I stand firmly by that belief. In an industry evolving at such a rapid pace, the ability to communicate effectively, share knowledge, and contribute meaningfully to technical debriefs post-major incident is absolutely imperative.

What are the most significant challenges SOC analysts face in the current cybersecurity landscape?

Apart from technical aspects, log fatigue and burnout are becoming increasingly prevalent issues in SecOps. Recently, I spoke with two senior candidates who left their current roles without having a new position lined up. They plan to take a few months off to recharge, as their health has been adversely affected. This situation underscores the importance of addressing mental health and work-life balance in the high-pressure environment of cybersecurity operations.

How can new entrants prepare to meet these challenges?

Technically, new entrants in the field need to continuously upskill, and there are numerous ways to do this across various platforms. However, consistency is key. For example, dedicating an hour each day to learning is far more beneficial than committing a whole day out of your weekend. Regarding burnout, it's crucial to be honest with yourself and your manager. Managers aren't mind readers and can only address issues they're aware of. Open communication about how you're feeling at all times helps to stay ahead of any potential problems. Additionally, it's important to take care of yourself physically, mentally, and emotionally.

For someone just entering the field, what qualifications or certifications are most valued by employers for SOC roles? How do these enhance a candidate's prospects?

This topic is quite contentious, as I discussed in a LinkedIn video. Certifications provide a fundamental theoretical understanding, but too many people early in their careers are persuaded to pursue these certifications without fully grasping about 60% of the material. As a result, they're essentially just passing exams with content they don’t completely understand.

In my view, training platforms are becoming incredibly effective, almost like a cheat code. These platforms expose you to scenarios that you won’t encounter in your day-to-day work, allowing you to learn a great deal and acquire ancillary knowledge that will be beneficial in your current role. I recently posted about a few of these resources.

Furthermore, in terms of enhancing career prospects, these platforms show potential employers the scenarios the candidate has worked on, demonstrating their understanding and ability to work through specific problems.

What advice would you give to individuals aspiring to start their career in SOC? Are there any common misconceptions or pitfalls they should be aware of?

The biggest common misconception I encounter is the belief that having a degree in Cyber Security or a specific certification will automatically guarantee a job. My advice for those looking to start their career in Security Operations is to thoroughly research and understand the field. It’s important to:

- Talk to people who are already working in the role. Use LinkedIn to network and prepare some thoughtful, burning questions you want answers to. People generally like helping others, and the Cyber Security community is one of the most supportive and helpful I have come across.
- Utilize YouTube. There is fantastic content available about SecOps, including "day in the life of" videos. Even some heavyweights in specialized fields, like Digital Forensics and Incident Response (DFIR), share hundreds of valuable insights based on their experience, free of charge. All this information is there for the taking, but it requires a committed effort to learn and absorb it.

November 14, 2023
February 12, 2024
Cyber Skills

Ready to step-up your cyber response management? Try the Cydarm platform.

Avoid the sales demo. Get your free 30-day trial.