As a security professional, I frequently get questions about security careers. One common topic is the role of SOC analyst. What is a SOC analyst, and is a SOC analyst a good job? Those are fair questions, and not necessarily as straightforward as it first sounds.
What is a SOC?
SOC stands for security operations center. A security operations center generally looks like a room full of computers with one or more big screens showing some kind of overview. Much of what you see when you tour a security operations center is, frankly, security theater. The big screen is for show. The big screen is useful for alerting, perhaps, but the real work happens on the screens directly in front of each analyst.
SOCs are generally outsourced. Most large companies figured out long ago they aren’t good at this type of work. They don’t know where to find SOC analysts, don’t know how to interview them, and don’t know how to train them. Also, there is a certain economy of scale that a single company theoretically cannot achieve. There are times when a single analyst is sufficient and times when 10 analysts aren’t enough. Large corporations don’t like paying highly skilled workers to sit around, so they outsource it.
Companies throw a fit when they find out how many other companies they are sharing an analyst with, so the outsourced companies in the SOC business are very cagey about it. I once knew an SOC manager who admitted to a Fortune 100 company how many other companies they were sharing analysts with, and let’s just say that was a career limiting move for him.
The race to the bottom
That is the dark side of the industry. It is a race to the bottom and commoditized security. If someone comes along and can provide the illusion of something equal or better for 5% less, there is a good chance that a company will jump.
Increasing retention rates is a goal in this line of business, but frankly, it’s going to be hard to figure out how to do it reliably. It’s a regulatory requirement that nobody does particularly well, so any upstart who can demonstrate they can do a better job than a company can do themselves for slightly less than their incumbent has the advantage.
It is a very high turnover industry. The contracts churn on a regular basis, and the employees churn on a regular basis. That increases the pressure.
The dark side of the SOC analyst job
All of this means it is a very high pressure job. There isn’t a lot of mental downtime. If an emergency takes an hour to process, the incentive is to give you eight or nine emergencies per day. It’s more profitable to give you nine.
That means you are in emergency mode pretty much all the time. And you’re not going to feel like you are adequately handling the work you need to do. That’s because you’re not. Some of the work that crosses your desk will take more than an hour to do right. But you’re not really being paid to do it right. You’re being paid to handle volume. You are the McDonald’s of security. They are giving the illusion of a high-end restaurant experience at a McDonald’s price, but it’s a lie.
What you can expect from management
Your direct manager probably has some experience in your field, and probably can contribute to the team to a degree. If you are lucky, all of the other managers in your management hierarchy will also have experience in the field. But once a security company reaches a certain size, the non-technical managers start moving in. That’s not to say that a non-technical manager isn’t smart, but they are not going to be skilled at measuring your workload. They won’t necessarily know if what they are promising is realistic.
That’s a common problem in security, and not just limited to this niche. It’s not necessarily even limited to security, it happens in IT as well. I once heard a CIO say that he planned to replace green screens with blue screens, unironically. He was talking about migrating off mainframes, and he chose the color blue because his company color was blue. Even though he worked in computers, he didn’t know that a blue screen in Windows is an incredibly bad thing.
I think it is something that you learn to handle with age and experience, but early in your career, it’s jarring. When I worked fast food and retail, virtually all of my managers, including the district managers, had done my job, still knew how to do it, and would take the occasional turn at it to retain their knowledge. So it feels weird to go from an environment where your manager knows how to do your job, and might be the manager because they can do all of the jobs on the floor competently, to having to answer to managers who don’t necessarily know what SOC stands for. They are there to balance a ledger more than to help you solve problems.
It’s easy to forget that when you’re 24. Sometimes I still forget and I’m a long way from 24.
Is an SOC analyst a good job?
If you ask if an SOC analyst is a good job, I can spin it either way. When you hear old dudes talking about how coddled Millennials and Gen Z are, a SOC analyst is a fantastic job to cherry pick from. It’s a job with a reasonable degree of upward mobility, the pay generally tends to be in the 60s or 70s, you may be able to work from home, and the benefits tend to be competitive. You’ll get paid time off, the medical and dental plans should be pretty good, you’ll probably get a decent 401k match, and you’ll probably have a budget for continuing education.
If I want to be smug, I can talk about how my first real job paid 1/3 of that with no retirement, no continuing education, and so on. But that’s before adjusting for inflation. If I’m being intellectually honest, if I adjust for inflation, there is still a gap, but a much smaller one. When you factor in the cost of a college education in the 1990s versus today, it starts looking more fair. I made less, but I spent less to get that first job.
It’s a better job than my first job, but I can easily overestimate how much better.
Is a SOC analyst a good job in today’s market?
Putting it in terms of today, and not just comparing it to the options available to me in the mid 1990s, the typical salary today is lower than the range of an SOC analyst. A SOC analyst makes about 20% more than the average member of the workforce. So purely from a money and upward mobility standpoint, it’s a profitable job. It’s nice to make an above average salary right away.
And you have some options when it comes to upward mobility. The companies in this line of business tend to promote from within. A good SOC analyst can potentially get a management position if they want one. Also, it’s a good position to build a professional network from. It’s high turnover, so that means a lot of your co-workers move on to bigger and better things. If your friend gets a better job somewhere, they might be able to help you get one. If you get friendly with one of the companies you support, and they like you and think highly of the work you do, they might try to hire you.
All of those are good things. Very good things. It’s a better situation than I was in early in my career, when building a professional network was extremely difficult. I stayed in bad jobs for 5 and 7 years because I didn’t have any way out.
It’s harder to exploit your IT workers for long periods of time today. They have more options now.
The showcase SOC
Companies in the SOC business will operate a showcase SOC and give tours to their customers and prospects. They build an elaborate military style operations center, built to look state of the art and impressive, and they place the SOC in cities that tend to be known as tech hubs and have lots of options when it comes to incoming flights. Then they hire local analysts, and require them to work out of the showcase SOC when someone wants a tour.
I have colleagues who worked under this business model and were local enough to a showcase SOC that they had to report for duty and work in person on a regular basis. They all said it felt weird. The area was designed to look impressive, not to promote efficient work. The analysts in the SOC are part of the show.
As a security professional, it occurs to me this isn’t necessarily the kind of thing you want to be putting on display. You are telling your clients that their security incidents are going to be part of the spectacle for other prospects. It’s odd how this never really dawns on them.
Security Operations Center or Showcase Operations Center?
I called this business the McDonald’s of security, but perhaps a better analogy for this part of the line of business would be Hooters. A frightening amount of the same psychology is going on.
I don’t mean to be flip. They call these places showcase SOCs. They aren’t even trying to hide it. It’s designed to resemble a military SOC, because that’s what we expect an SOC to look like. The components are chosen as much to look good as they are for function. In some cases they’re chosen for how they look rather than how they function. But they need human beings in those chairs looking like they are doing something.
How much does an SOC analyst make?
There is some conflicting information out there regarding an SOC analyst salary. Some of the salary data you will find does not distinguish between grades of security analyst. So they may tell you that the average salary for an SOC analyst is, say, $90,000, because that’s the going rate for the average security analyst as a whole. That doesn’t generally mean an entry level SOC analyst will make that kind of money out of the gate. But it tells you what you can aspire to.
Moving onward and upward from SOC analyst
Your annual training budget may or may not be enough to cover a SANS class, but try to get some training in an area of specialty that interests you and fits within the budget. If the SIEM you use offers certification, get the certification in that. Splunk skills sell. Take a Python class. Seriously, learn Python somehow. Getting my CISSP was good for my career, but learning enough Python to be able to connect to an API, download some data, and convert it to another format was arguably better for my career than even my CISSP. If one of those sounds easier than the other, do the easier of the two first.
Speaking of certifications…
If you can get some certifications, do it. It’s part of the game. When I stated in the last paragraph that I have a CISSP, you either gained or lost a lot of respect for me. But having certifications opens doors for you.
I have heard CISSPs like me deride people for having three CompTIA certifications. But if you have A+, Net+, and Security+, that gives you a baseline of IT knowledge many security professionals don’t have. If you want to investigate incidents someday, or work in vulnerability management, knowing basic networks and operating systems in addition to the basics of security will take you a very long way. While some would argue that knowing why the hard drive is called C: is academic and/or trivial, knowing the structure of the C: drive and what generally is stored where is information that you will be glad to know when you need it. If you don’t know those kinds of things, others will use it to discredit you, and you may or may not know it.
Getting high-end certifications will open doors for you. Some of the best people I’ve ever worked with had three high-end certifications, and so have some of the worst. It tends to be an indicator of extremes.
Do I recommend an SOC analyst position?
I liken the SOC analyst position to desktop support. It is an entry level blue team position. And at this point in time, it is probably the path of least resistance to get into a higher paying security job with less stress and a better overall quality of life.
And yes, it is a blue team position. It is unusual to get red team or purple team jobs straight out of the gate, and I’ve seen that expectation ruin careers. There is nothing at all wrong with blue team. I’ve been doing blue team type work since 2009, and expect to spend the rest of my career doing blue team security work. I won’t name names, but security podcasts tend to over glamorize red team. There is a big adrenaline rush when you get access to something you weren’t supposed to, but there’s a lot of paperwork involved as well. It’s not just pwning stuff; there is a lot of paperwork after you get in. If writing a long technical report doesn’t sound like fun, it’s a lot easier to avoid that on the blue team.
I do a ton of writing from the blue team side, but it’s not repetitive. And some of my colleagues rarely write anything.
Is there a better option?
Spending a couple of years in an SOC analyst position to build up some skills and experience and a professional network is the easiest way to get into security. I had a very hard time getting into security with IT experience alone, even though virtually all of my IT experience was security related somehow, and even though much of it was patching.
I think system administrator experience is incredibly useful, but SOC analyst experience gets you a high paying security job much faster. Security teams undervalue system administrator experience, so it doesn’t pay for you to get it. If you already have it, transition to SOC analyst, and the less you mention system administration experience in your future job interviews, probably the better. The security industry would be much better off if it learned general IT, but that’s on us to figure out. I’m trying to help you get in, not trying to fix the industry.