Industry Insights with Jon Hencinski

Governance & Risk Management, Remote Workforce, Security Operations

7 Habits of Highly Effective (Remote) SOCs

Insights on What's Working So Far
Jon Hencinski of Expel

At Expel, one of our mantras is this: Teamwork makes the dream work.

And anyone who works in security operations knows why teamwork is so critical.

But as of late, our SOC analysts are no longer sitting together. To maintain the texture of the team in a completely remote setting, we needed to commit to a new set of daily habits, seven in fact, to keep our (remote) SOC highly effective.

To be candid, we're still adjusting. You may be experiencing something similar right now too. Or you and your SOC team may consider yourselves veterans of an all-remote setting. That's great too.

Either way, now we're all in the same boat.

We'll share what's worked for us (so far) as our entire SOC goes remote:

1. Prioritize Video Conferencing

Workplace camaraderie and trust are key ingredients of an effective SOC. Trust brings safety and camaraderie adds a sense of "togetherness." We trust each other to operate in the best interest of achieving our goal (protecting our customers and helping them improve) and to work with a "we're in this together" mentality.

We need to maintain and nurture these key ingredients in an all-remote setting. But how?

We introduced what we call the SOC party line. The SOC party line is the name of our video conference that's open 24x7 for the team. Instead of walking onto the SOC floor, our analysts start their day by joining this meeting. While we're no longer able to sit next to each other, we can still be with each other. We're emulating the texture of the SOC floor by staying connected via video conference and maintaining our sense of "togetherness."

(Side note: Security is serious business. We have the privilege of helping organizations manage risk. We take our work very seriously but don't take ourselves too seriously. It's OK to find the bad guys and have fun while doing it.)

2. When in Pursuit ... to the Breakout Room!

While our 24x7 video conference meeting emulates the SOC floor and brings us together, pursuing threats in this main meeting wouldn't yield the precise, coordinated response we're seeking.

Instead, as work enters the system and the team spots activity that requires investigation or follow-up, the lead investigator spins up a virtual breakout room and invites the people required to run the item to ground.

As an individual contributor, you're provided with a virtual conference room with a clear goal and objective. As a manager, you have a clear understanding of current utilization based on the number of folks in the main video conference room versus breakout rooms. You're enabling a highly coordinated response and have a clear line of sight on capacity. A win-win.

3. Emphasize Empathy

Empathy is a core competency for leaders. I personally believe that no other skill makes a bigger difference than empathy when it comes to leadership. Simon Sinek agrees with me on this one.

Now more than ever we need to emphasize empathy. We're all going through something significant right now. It's okay to acknowledge that and talk about it with one another.

As a SOC management team, we're spending more time with our people, not less. And most of our 1:1s right now are centered around how our folks are doing and what else we could be doing to set them up for success in this all-remote setting. We listen really hard and most importantly we let them know we've got their back.

4. Be Transparent About Quality

We're doing everything we can to make our shift to a remote SOC seamless for the team. But we're also being super cognizant of the quality of our work output.

We use a quality control (QC) standard, Acceptable Quality Limits (AQL), to tell us how many alerts and incidents we should review each day: the size of the day's lot sets the sample size and the number of misses the lot may contain and still pass. We then randomly select that number of alerts, investigations and incidents and review them against a check sheet. We send the results to the team using a Slack workflow.

Reviewing the results with the team lets us know how we're doing. It lets us know how we can adjust and improve. And no, we never expect perfection.
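As an added illustration (not Expel's tooling, and not the ISO 2859-1 tables themselves), here is that QC loop written out as a small acceptance-sampling script: a plan table maps the day's lot size to a sample size and an acceptance number, a random sample is drawn so analysts cannot predict which items will be audited, each sampled item is scored against a check sheet, and the lot passes or fails. The plan table, the check-sheet items and the alert IDs are constructed for the example; substitute the sample sizes and acceptance numbers from your own AQL table.

```python
"""Daily SOC QC as acceptance sampling (added example, not the page's own code)."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Simplified single-sampling plan, constructed for this example (assumption,
# NOT the ISO 2859-1 table): (lot size up to, sample size n, acceptance number Ac).
SAMPLING_PLAN: List[Tuple[int, int, int]] = [
    (25, 5, 0),
    (90, 13, 1),
    (280, 32, 2),
    (500, 50, 3),
    (1200, 80, 5),
    (3200, 125, 7),
]

# Check-sheet items, constructed for the example.
CHECK_SHEET = (
    "severity_correct",
    "evidence_attached",
    "customer_updated_in_sla",
    "next_steps_actionable",
)


@dataclass
class Review:
    item_id: str
    checks: Dict[str, bool]  # check-sheet item -> passed?

    def failed_checks(self) -> List[str]:
        # A missing item counts as a miss, so an incomplete review cannot pass.
        return [c for c in CHECK_SHEET if not self.checks.get(c, False)]

    @property
    def defective(self) -> bool:
        return bool(self.failed_checks())


def plan_for_lot(lot_size: int) -> Tuple[int, int]:
    """Return (sample size, acceptance number) for a lot of lot_size items."""
    if lot_size <= 0:
        raise ValueError("lot must contain at least one item")
    for max_lot, n, ac in SAMPLING_PLAN:
        if lot_size <= max_lot:
            return n, ac
    return SAMPLING_PLAN[-1][1], SAMPLING_PLAN[-1][2]


def draw_sample(lot: List[str], sample_size: int,
                rng: Optional[random.Random] = None) -> List[str]:
    """Pick sample_size distinct item IDs at random from the lot.

    Defaults to SystemRandom so the audited items are not predictable from a
    seed; pass a seeded random.Random only when you need reproducibility.
    """
    rng = rng or random.SystemRandom()
    return sorted(rng.sample(lot, min(sample_size, len(lot))))


def evaluate_lot(reviews: List[Review], acceptance_number: int) -> dict:
    """Count defectives in the reviewed sample and apply the accept/reject rule."""
    defectives = [r for r in reviews if r.defective]
    failures_by_check: Dict[str, int] = {c: 0 for c in CHECK_SHEET}
    for r in defectives:
        for c in r.failed_checks():
            failures_by_check[c] += 1
    return {
        "sampled": len(reviews),
        "defective": len(defectives),
        "acceptance_number": acceptance_number,
        "accepted": len(defectives) <= acceptance_number,
        "failures_by_check": failures_by_check,
        "defective_ids": [r.item_id for r in defectives],
    }


def slack_summary(result: dict) -> str:
    """Plain-text summary of the shape a Slack workflow would post to the team."""
    verdict = "PASS" if result["accepted"] else "FAIL"
    misses = sorted(result["failures_by_check"].items(), key=lambda kv: -kv[1])
    themes = ", ".join(f"{c}={n}" for c, n in misses if n) or "none"
    return (f"QC {verdict}: {result['defective']}/{result['sampled']} sampled items "
            f"had check-sheet misses (Ac={result['acceptance_number']}). "
            f"Misses by check: {themes}")


if __name__ == "__main__":
    lot = [f"ALERT-{i:04d}" for i in range(1, 41)]  # constructed day's lot
    n, ac = plan_for_lot(len(lot))
    reviews = []
    for i, item in enumerate(draw_sample(lot, n)):
        checks = {c: True for c in CHECK_SHEET}
        if i < 2:  # constructed: two sampled items lack evidence
            checks["evidence_attached"] = False
        reviews.append(Review(item, checks))
    print(slack_summary(evaluate_lot(reviews, ac)))
```

The acceptance number is the whole point of the exercise: a lot of 40 alerts yields a 13-item sample that tolerates one miss, so a single bad call is a coaching conversation rather than a failed day, while two misses trigger a look at the check-sheet theme behind them. Misses are tallied per check item so the result posted to the team says what to adjust, not just that something was wrong.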

5. Over-Communicate

This one is a bit obvious but it's worth stating. Since we're no longer working alongside each other, effective communication is crucial. And working in an all-remote setup may mean more distractions for some folks, not less.

We're emphasizing empathy and listening constantly to learn what those distractions are for the team, and we landed on the need to over-communicate. Repeat important messages in team meetings and 1:1s. In our SOC, "I don't know" or "I'm having difficulty understanding that" is always an acceptable answer to a question. Bottom line: Over-communicate like your team depends on it.

6. Seek Out Fun

In these stressful times, not only is it OK to have fun ... but you need to seek it out for your team. We're still finding our way here a bit, but we've experimented with virtual happy hours, coffee breaks and book clubs all via video conference (don't worry, we're always watching those alerts).

Finding ways for your team to have fun together will help reduce stress and build camaraderie.

7. Test, Learn, Iterate

Remote work is our new normal for a while. Are all the adjustments we've made the right moves? Maybe not. We'll continue to test new things, learn from our mistakes and iterate our way to an even more successful remote setup. We're never afraid to ask if there's a better way to do things.

Parting Words

We're still getting adjusted to our all-remote setup but we've landed on some things that work and wanted to share them with you. We'll continue to learn and improve, as we always do.

Finally, it's OK to acknowledge that we're all going through something significant right now. Emphasize empathy with your team and the people around you. Listen hard. Prioritize effective communication. Over-communicate. And try to have a little fun while doing it all.

About the Author

Jon Hencinski

Director of Global Operations, Expel

Jon Hencinski is the Director of Global Operations at Expel. In this role, he's responsible for the day-to-day operations of Expel's security operations center (SOC) and detection and response engineering. He oversees how Expel recruits, trains, and develops security analysts. Jon has over a decade of experience in the areas of SOC operations, threat detection, and incident response. Prior to Expel, Jon worked at Mandiant, BAE Systems, and was an adjunct professor at The George Washington University.