
Lessons from 10 years in the SOC

  • Jul 11, 2024

Updated: 2 days ago



I started in the cybersecurity scene in the early 2000s. I was 12 or 13, hanging out on AIM, IRC, and Yahoo! chat rooms. I discovered warez and learned my first hack, the ping of death. I’d hop on AIM and netstat for your IP address and send you a packet too large for your dial-up to handle, and it’d kick you offline. I was a prankster, just a bit mischievous but never malicious. I dove headfirst into the Linux subculture and went to Walmart, where I found Mandrake for sale on CD. Now, most people think you can’t sell Linux because it's open source, but you can. This is Lessons from 10 years in the SOC.


You’re selling the distribution of Linux, and you used to be able to walk into stores and buy it. This was when it’d take you days to download an OS and a quarter of your hard drive. It led to Knoppix Linux, which was the first live Linux distribution. I would take it to school, pop it into the computer, and all the restrictions were lifted, and I could jump back into my IRC chats. Always a chatter, which has become troublesome because I treat Facebook and social media as an informal chat room, and people take it very seriously.


I went to a terrible high school, so I dropped out in 10th grade and went directly to get my GED. I walked in and passed it without any classes. In fact, in 9th grade the year before, I tested postgraduate in all the standardized tests. I started college at 16 in the only place that’d take me, DeVry, and I had the whole college experience. I stayed in dorms, hung out doing nerdy things on campus, and delivered pizza to pay for my living expenses. My grandmother paid for my student housing, but the rest of my living expenses were up to me. I look back fondly on my time at DeVry in Decatur, Georgia. It was a good education, too. I took my classes on-site and learned a lot. Some of my classes were online, but it wasn’t the same learning experience. I think DeVry gets so much of a bad rep because people start and never finish, and it is expensive. The classes can be difficult. It depends on the professor; some take their jobs very seriously and care a lot about the subject.


I graduated from college, and I had the whole graduation experience. For the first time in my life, I graduated. I walked across the stage at the Georgia Dome in front of my family and friends, who were there to support me. I got pictures, threw my cap, and everything. It was the very first thing I accomplished in life. Prior to that, I wasn’t much of a finisher.


After college, I worked in IT support at a local community college. I spent eight months there and then started my career in cybersecurity at Dell SecureWorks in the SOC in December 2013. I had so much fun working with my peers in this SOC that I’ve spent my entire career trying to find a place with the camaraderie that was the unique culture.


Since December 2013, I’ve worked at several companies, with an average tenure of 2–3 years, so I’ve seen many different environments. These are the lessons that I’ve learned in my 10 years working in cybersecurity.


Becoming SOC mature is about learning what to ignore.

I saw on LinkedIn recently that someone said becoming mature in cybersecurity is about learning what to ignore, and I just loved it. It resonated so well with me. When you first start, everything is a crisis. Everything is new, and everything is critical. Once you have time in your seat long enough, you learn what is expected and what is a unique occurrence. What’s an anomaly in the industry, and what seemingly happens all the time? This is important because knowing this helps you determine if there is an established process at your company for seeing this type of thing.


If you’re new at a company but have seen this often before, there’s likely a playbook for it.


Zeal fades as you slowly learn how compliance and regulation work. And how everyone gets paid.

Zeal is essential for you to start. It's the fountain of motivation to learn how everything works. It's a blessing and it's a curse. Not everything works the way it should work for whatever reason, and this creates conflicts of interest that really dampen how you feel about the importance of your work.


Not everyone will care about cybersecurity as much as you do, even the people paying you to do your work. Ideally, cybersecurity exists so businesses can take risks responsibly, but in some places, cybersecurity exists just to say cybersecurity exists here.


Cybersecurity was at the top of executives' agendas when daily breaches were in the news. Breaches rarely make the news anymore. The public has been desensitized, controls have been put in place to protect people, and overall, there has been improvement in the cybersecurity industry. It's a different place today where a breach isn’t likely to affect your stock very much. There was a period about five years ago when a breach would even make your stock go up.


Boy, was that difficult to deal with. Try going to work every day to protect a company when a breach would make them more money.


Now it's just become daily life.


There’s a gray area of perception. What you see on the outside of a company isn’t what is true, and that’s accepted.

As a business owner, I’ve been viewed as not an individual but a company trying to promote/sell something to an audience. It's made me feel compassion for the community because they are predisposed today to be skeptical of everything and have been manipulated so much by marketing schemes. Marketing exists to make you want something and to get your product to the people who want it. In this effort, things get misconstrued, often to the point of being borderline untrue. Your company has a marketing team, and your company strategizes on how to put the right spin on the product to make people buy it. I’ve worked at companies with great marketing teams, and the perception is that this company really has its stuff together, and then I go to work there and they’re announcing how great their new product is that I now know hasn’t even finished development. It doesn’t exist! It can leave a bad taste in your mouth about the company you work for, thinking they are all just talking nonsense, but just know this is what marketing teams are supposed to do. They're doing their jobs great, and now everyone else needs to do their jobs to catch up. This is normal and happens at every company. This is the product people want; now we need to make it.


You’re paid to protect a company from itself. If I paid someone to protect you from yourself, how would you feel if you kept being told to correct yourself? That’s how it looks as a CEO.

I said that right. You aren’t protecting your company from the bad guys out there hacking your company; that's just par for the course. You’re protecting your company from users who do something to let them in. As a CEO, you are your company. When addressing executives, use tact and empathy when explaining that one of their indirect reports caused a security incident. It's not essential to punish anyone for bad behavior in most cases, outside of insider threat. It's necessary to come up with solutions and things we can do to prevent this from happening again. Live in the solution.


These are some of the things I’ve struggled with over the years, often causing periods of depression in my work when my idea of what cybersecurity should be isn’t what it truly is. The world didn’t meet my expectations in what I was led to believe would be my purpose, and it's sad. When this happens, it's time to get comfortable in Corporate America and play this game the way it's played.


Tyler Wall, Founder, Cyber NOW Education
