SOC Team Analysts: Do Managers Prefer Rockstars or Teamwork?

Many organizations attempt to create a Security Operations Center (SOC) team without a comprehensive plan or an understanding of the needs driving the initiative. They know threats are everywhere and the need for a strong cybersecurity and intelligence capability is obvious.

What is not obvious to many leaders is the form the team should take to best serve its needs and the functions that should be performed to truly increase the overall security posture. In addition to protecting a network from malicious actors, a well-crafted team must be able to provide an enhanced intelligence capability.

There are several benefits of incorporating highly trained intelligence analysts into the technical security functions of the SOC. Many organizational leaders – the customers of the intelligence products generated by SOC analysts – are unaware these benefits even exist. Listed below are a few examples of what this intelligence capability has to offer.

1. It provides leadership with a decision advantage.

2. It provides organizations with a competitive advantage.

3. It influences the adversary’s decision cycle.

4. It can provide understanding of complex issues.

5. It can contribute to overall operational efficiency.

6. It can contribute to an enhanced security posture.

7. It supports the organization’s strategic goals.

Although SOC analysts draw on technological aids and inputs, it is ultimately the human brain that organizes and interprets data to generate assessments. A functional intelligence team involves cognitive and social processes.

Analysis is a cognitive activity in that it is based on a system of heuristics and conclusions. Analysis is also a social activity in that its members draw of the expertise of their teams and support their missions. “Lone wolf” analysts – often portrayed in popular media – are always the exception to the rule.

The Cognitive Perspective

The different perspectives on analytic work (cognitive and social) have several significant implications for the design and leadership of intelligence teams. The cognitive perspective (also referred to as co-acting groups) puts individual analysts at the center stage.

The leader organizes and encourages individual work and supports excellent individual performance. This model tends to select highly talented analysts and provides them with advanced training and technical support. In these roles, the individual analysts are held accountable for their actions.

This is the model I find most predominant when instructing analysts in the field. Although the management style of any team is influenced by “top down” organizational culture, I believe this is actually the result of the “contracting culture” pervasive in the cybersecurity industry.

Hiring managers want to “try before they buy” and extend short-term contracts for positions that may offer either renewal or conversion to employee status when the contract expires. Knowing that an individual’s performance will dictate the outcome of the initial contracting period, it incentivizes individualism while disincentivizing personal sacrifice for the sake of the entire team.

The Social Perspective

The social perspective (also referred to as interdependent work teams) focuses on the importance of collegial interactions in competently assessing data and managing relationships with all those involved. Projects tend to be larger in size and potentially more significant.

Team members have specific expertise and specialized team roles do evolve over time. In the model, the entire team produces the intelligence product and held accountable for the outcome. These SOC teams tend to be more mature, comprised of employees as opposed to contractors, and embrace a culture in which the success of the individual is subjugated to the success of the organization.

Both Perspectives Have Pro’s and Con’s

There is no “one size fits all” model for building a well-planned, highly trained SOC team with a strong intelligence capability. Both perspectives have merits and downfalls. Whether co-acting groups or interdependent work teams, the best analytic teams are stable and bounded, with members interdependent for a particular shared purpose.

However, experienced SOC managers understand there are common denominators shared by high performance analytical teams regardless of the team’s structure or perspective. If they are truly leaders as opposed to “bosses,” they strive to create a team culture and foster an environment of personal and professional growth.

If you share this leadership vision for your team – or aspire to evolve into a leader who will embrace it when the time comes – I would encourage you to create the following conditions for your SOC analysts.

1. A clear and compelling direction

2. The right size to perform the task

3. Meaningful work assignments

4. Trustworthy feedback is regularly received

5. Clear norms exist defining acceptable behavior

6. A supportive organizational context is always present

7. Members receive recognition for performance

8. Members receive coaching, training, and experience

I have been fortunate to have had the opportunity to operate in both the intelligence and cybersecurity fields, and I believe there is a unique opportunity to synthesize both in the modern threat landscape. I also believe the minds of those working in these disciplines are the greatest weapons we have in our arsenal to defeat malicious actors.

What do YOU believe? Do managers prefer rockstars or teamwork? I’d be interested to hear any opinions or insights you have to offer on this topic.

“There is no need to out-fight anyone you can out-think.”

Michael I. Kaplan is the founder and CEO of Phase2 Advantage, and currently manages the Defensive Security initiatives of the company. He is a military veteran and a national advocate for the military affiliate community. After attending the U.S. Army’s Intelligence Center of Excellence at Fort Huachuca in Arizona in 1983, he attended the Defense Language Institute, Airborne School, several specialized Schools at FT. Bragg in North Carolina, and was assigned to the 11th Special Forces Group (AGR).

Michael was recruited in 1989 to Special Projects Group and served as an instructor and operator on a Federal International Fugitive Task Force (his FBI letters of reference can be viewed on his LinkedIn profile). He was responsible for supervising and training 325 agents who were responsible for more than 3,000 UFAP apprehensions in seven years. Michael left government service in 1994 to pursue a career in High-Threat Executive Protection as an instructor and operator, then founded Phase2 Advantage in 2014. His numerous Instructor firearm certifications are listed on the Phase2 Advantage website and LinkedIn.

Feel free to contact Michael at