Cybercriminals target organizations to steal sensitive data, disrupt operations, or cause damage. But a well-designed security operations center (SOC) helps stop these attacks before they succeed.
SOC managers detect and respond to cyber security threats to ensure your organization operates securely. They manage the team, develop policies and procedures, and keep the CISO informed about security operations. Let’s take a look at the SOC manager role.
(Check out our recommendations for security books and security events & conferences.)
A SOC manager/director is a senior-level professional who leads the SOC team and the cybersecurity professionals within a company or organization. They handle the different aspects of a SOC to protect the company's digital assets from cyberattacks.
They oversee the team, ensuring everyone is trained, motivated and effectively working together. This involves everything from hiring new team members to conducting performance evaluations and providing ongoing training and development.
Importantly, the SOC manager reports to the chief information security officer (CISO) about security operations. They provide regular updates on the SOC's activities and performance and any notable incidents or threats that have been detected.
Ultimately, managing or directing a SOC is a challenging and rewarding role that requires:
As a critical position within an organization's security operations, the responsibilities of a manager or a director are multifaceted, as you’ll see in these next sections.
So, here are the common day-to-day responsibilities and duties of a SOC manager.
A well-trained and capable SOC team is crucial to the success of any cybersecurity operation. As a SOC manager, you must ensure that your team has the necessary skills and knowledge to effectively detect, analyze and respond to security incidents. You can do this by…
Security policies help ensure everyone in the organization is on the same page regarding security procedures and protocols. SOC managers play a key role in creating and enforcing these policies.
They develop security policies by reviewing industry standards and working closely with other departments to understand their security needs. Security policies might originate with cyber frameworks, or might follow common cyber hygiene practices.
Establishing performance goals and priorities is essential in ensuring that everyone is working towards the same objectives. To be productive and effective, your SOC team needs to understand their priorities and what they are working towards.
As a SOC manager, you can establish goals and priorities by working closely with your team to identify the most critical focus areas. These include:
Once you've identified these priorities, you must convey them to all the team members.
As a SOC Manager, it's your job to oversee your staff's activities and ensure they focus on the right priorities. You can oversee SOC activities by reviewing your team's performance metrics, incident reports and other key indicators. This will help you identify areas for improvement and ensure that your team is performing at its best.
Your SOC team relies on various tools and resources to detect, analyze and respond to security incidents. Serving as the manager or head, you must keep these tools and resources up-to-date.
You can manage SOC tools and resources by evaluating the latest technologies that may be beneficial. To use these effectively, you should also monitor whether your team has the necessary resources, such as staffing, budget and training.
When a security incident occurs, the SOC team has to respond as quickly as possible. You have to lead these efforts by establishing clear incident response procedures and protocols and conveying them to the team. This ensures that your team knows what needs to be done when an unexpected security issue arises.
(Learn about the incident commander role, which might overlap with the SOC manager.)
Analyzing incident reports is essential to understanding your organization's security posture. By reviewing incident reports, SOC managers identify patterns and trends that may indicate weaknesses or vulnerabilities in their security defenses.
The best way to analyze reports is by reviewing incident or threat frequency, severity and duration data. You can also work with other departments to identify the root causes of security incidents and develop strategies to mitigate these risks.
(Explore how CVE severity can help this approach.)
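To make the frequency, severity and duration review above concrete, here is an added example (not code from the original post) that summarises a handful of constructed incident tickets per category and ranks the categories by count multiplied by mean severity. The record format, the 1-4 severity scale and the ticket values are all assumptions for illustration.

```python
"""Summarise constructed SOC incident tickets by category: frequency,
severity and time to resolve, the three fields a manager reviews."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample tickets (not real data); severity is an assumed 1-4 scale.
INCIDENTS = [
    {"id": "INC-1", "category": "phishing", "severity": 3,
     "opened": "2023-05-01T08:00", "closed": "2023-05-01T12:30"},
    {"id": "INC-2", "category": "phishing", "severity": 2,
     "opened": "2023-05-03T09:15", "closed": "2023-05-03T10:15"},
    {"id": "INC-3", "category": "malware", "severity": 4,
     "opened": "2023-05-04T14:00", "closed": "2023-05-06T14:00"},
    {"id": "INC-4", "category": "phishing", "severity": 4,
     "opened": "2023-05-20T07:00", "closed": "2023-05-20T19:00"},
    {"id": "INC-5", "category": "misconfig", "severity": 1,
     "opened": "2023-05-22T11:00", "closed": None},  # still open
]
FMT = "%Y-%m-%dT%H:%M"

def duration_hours(inc):
    """Hours from open to close, or None while the ticket is still open."""
    if inc["closed"] is None:
        return None
    delta = datetime.strptime(inc["closed"], FMT) - datetime.strptime(inc["opened"], FMT)
    return delta.total_seconds() / 3600

def summarise(incidents):
    """Per-category count, mean/max severity, mean hours to resolve and
    open-ticket count. Open tickets count toward frequency and severity
    but are excluded from the duration average."""
    groups = defaultdict(list)
    for inc in incidents:
        groups[inc["category"]].append(inc)
    summary = {}
    for cat, incs in groups.items():
        durations = [d for d in map(duration_hours, incs) if d is not None]
        summary[cat] = {
            "count": len(incs),
            "mean_severity": mean(i["severity"] for i in incs),
            "max_severity": max(i["severity"] for i in incs),
            "mean_hours_to_resolve": mean(durations) if durations else None,
            "open": sum(1 for i in incs if i["closed"] is None),
        }
    return summary

def ranked_by_risk(summary):
    """Categories ordered by count * mean severity, highest first: the
    pattern a manager would send for root-cause review sits at the top."""
    return sorted(summary, key=lambda c: summary[c]["count"] * summary[c]["mean_severity"], reverse=True)
```

Running `summarise(INCIDENTS)` on the sample puts phishing first: three tickets, average severity 3, resolved in about 5.8 hours on average.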
As a SOC Manager, one of your primary responsibilities is to serve as the point of contact (POC) for security incidents within the company. You are the primary liaison between the SOC team, other internal stakeholders, and external parties such as vendors, clients or regulatory bodies.
Your prompt response to security incidents helps protect the company's sensitive data, reputation and compliance.
Another crucial responsibility of the SOC manager is to report to the CISO about security operations within the company. This means that you must keep the CISO informed about everything that’s happening in the operations center.
You can do this by preparing clear and concise reports that highlight key findings, and recommendations about the operations. Your reports will help the CISO make informed decisions about security investments and strategies that align with the company's goals.
(Know the differences between CIOs, CISOs & CPOs.)
Once you're done with reporting to the CISO, you should share the officer's reviews and comments with the entire team. Providing performance reviews helps to:
You can use objective criteria — metrics, incident resolution rates or customer satisfaction surveys — to evaluate the team's performance and provide them with performance reviews.
Pro Tip: Communicate the review results supportively, fostering a culture of continuous improvement and not criticism.
As you can see, SOC directors are responsible for plenty! So, it makes sense that they are well paid and in high demand. Salaries for SOC managers or directors vary depending on several factors, such as company size, industry, location and level of experience. Larger companies tend to pay more than smaller ones, and managers or directors in the tech industry earn more than in other industries.
Per Glassdoor, SOC managers make around $90,561 per year on average in the U.S. Some also earn extra reward bonuses, commissions, or tips, so the average salary including all extras is around $316,845 per year. Here are some other 2023 salary reports from various sources:
These figures are averages, which means the actual salary may vary based on several factors. But experienced SOC managers typically earn higher salaries than those with less experience.
(Check out more salaries for IT roles plus IT spending forecasts.)
Becoming a SOC Manager requires a combination of technical and soft skills. So, here’s a breakdown of all the skills you need to become a SOC manager.
To become a SOC manager, you must monitor SOC activities proficiently. This includes understanding the various tools used in monitoring the network, such as:
You should know how to analyze the data collected from these tools.
Risks are a significant barrier to business growth. So, you should know how to identify potential security risks that could impact the organization's security position. To monitor such threats and stay up to date with any risks, SOC managers should…
Incident response is a critical aspect of a security manager's role. You must coordinate with the incident response teams and know the necessary actions to resolve the issue. This can include:
(Related reading: Incident Severity Levels 1-5 & Top Incident Response Metrics.)
Automation is becoming increasingly crucial in SOC operations. To improve efficiency, reduce response times and increase accuracy, you should have the skills to test automation tools and implement new automation techniques.
If you want to work as a SOC manager, you should be able to keep track of the latest threats and vulnerabilities affecting the industry. You must know how attackers may use new hacking techniques to disrupt your organization's security.
Some employers also require skills like vulnerability management, scanning, assessment, and remediation for this role.
Sitting in a managerial role requires a knack for leadership. To fulfill this role, you should know the art of inspiring and motivating your team, setting goals and providing guidance when needed. To be an excellent SOC manager, you have to make tough decisions and take responsibility for the team's actions.
Not in a manager role yet, but want to become one? In that case, you can seek leadership opportunities within your organization and take courses or workshops to improve your leadership skills.
SOC managers communicate different aspects of the security operations center to other authorities. So you must know how to communicate complex technical information to your tech and non-tech staff.
Good communication skills will help you build relationships with other stakeholders in the organization, such as the CISO and other executive team members.
Cybersecurity incidents are stressful, high-pressure situations. So, if you're managing a SOC team, stay calm under pressure, make quick decisions and maintain a calm environment for the team too.
By practicing how you handle stressful situations, you can build the ability to handle critical situations in your organization.
Since SOC managers analyze complex data and information to identify potential threats and vulnerabilities, employers look for strong analytical and problem-solving skills.
With hands-on experience, it's easier for SOC managers to understand the challenges their team faces daily. This experience will allow you to make informed decisions, set realistic expectations and identify areas for improvement.
You can gain work experience by working for any security operations center. This will expose you to various security incidents, tools and techniques.
A computer science (CS) degree ensures you have the technical knowledge necessary to understand and oversee complex security systems and technologies. Many employers require a bachelor's degree as a minimum qualification for this role, so a master's or other senior-level education is a plus.
If you’re already a SOC Manager, here are some tried and true best practices.
One of the most critical tasks of SOC managers is to build a strong team of SOC experts. This means you should hire individuals who possess experience in cybersecurity, have a deep understanding of threat intelligence, and are well-versed in the latest technologies and methodologies.
It’s also best to nurture a culture of teamwork and collaboration, where team members can share their knowledge and expertise.
Security threats that are not addressed only grow over time, so you need to keep strengthening your security processes. As a SOC manager, you should learn how to assess and improve the organization's security processes. Here are some tips to help you assess processes effectively:
Staying up-to-date with the latest technologies and tools is essential because it will help you detect and respond to security threats. By understanding the latest threats and how they work, you can develop strategies to prevent them before they cause problems.
Building a successful SOC team requires you to communicate effectively with your team members, both in terms of setting clear expectations and goals and providing feedback for a job well done.
As a SOC manager, you should create an open and transparent culture where team members feel comfortable sharing their ideas and concerns.
Cybercriminals are always looking for ways to exploit organizational vulnerabilities, and the consequences can be severe. A SOC is essential to prevent cyberattacks, and a SOC manager is crucial to its success. Security center managers oversee the tasks, develop and enforce policies, and set performance goals and priorities.
See an error or have a suggestion? Please let us know by emailing ssg-blogs@splunk.com.
This posting does not necessarily represent Splunk's position, strategies or opinion.