What Today's SOC Teams Can Learn From Baseball

COMMENTARY

What do professional sports and security operation centers (SOCs) have in common? Before I became a cybersecurity professional and after my baseball career with the Colorado Rockies, I would have said nothing at all. As I've navigated the cybersecurity industry over the past 10-plus years, I've identified three core tenets that form the foundation of successful SOCs and championship baseball teams: leadership, preparation, and collaboration. 

Early in my baseball career, my high school coaches taught me valuable lessons about the importance of leadership, and showed me one of the most effective ways I've seen it applied. Managers of a baseball team are much like managers of a SOC, in that they both must build and manage effective teams consisting of wildly different personnel, personalities, and challenges. It's how they choose to lead their teams that truly sets them apart from a "day-to-day" manager.  

The best managers I've had in cybersecurity and in baseball were all prior practitioners who led by example and used every opportunity as a teachable moment. In baseball terminology, these leaders were "player's coaches," meaning they had a visceral understanding, knowledge, and passion for the game based on their own experiences but still demanded excellence from each of us. SANS Institute recently published a blog post about becoming a leader in the SOC, stating, "A leader doesn't necessarily need to be able to perform all the specialized activities covered by the team, they should understand the responsibilities of each team member and know what it's like to walk in their shoes."  

Managers that take this approach allow team members to succeed, fail, and learn from their mistakes, while knowing their leadership can commiserate with their shared experiences. Being a leader takes more than just setting a lineup or creating a SOC process; it's about ensuring the team knows you are invested in their growth, and can be an example of the time, effort, and skills it takes to be an effective SOC analyst. 

The Importance of Team Building

The University of Virginia (UVA) baseball program changed my perspective on the significance of team building and what it means to create a culture that embodies teamwork and preparation as a foundational focus. These experiences drilled home the concept of "battling" for each other, knowing everyone's strengths and weaknesses, and allowed us to overprepare for the actual game. SOC managers, leveraging well-designed tabletops exercises, can offer the same level of "game-like" intensity, high-pressure situations, and team-building atmosphere. By engaging the security analysts, threat intelligence analysts, engineers, and incident responders, tabletop exercises enable SOCs to battle test their playbooks, effectively communicate, and validate their processes, all while developing teamwork and bolstering their trust in one another. The Cybersecurity and Infrastructure Security Agency (CISA) offers some amazing resources that can be used to build effective tabletops centered around a variety of different generic scenarios. However, organizational-specific scenarios allow SOCs to design tabletops that are unique to their risk profile, infrastructure, and protected assets. For example, if the company is in the financial industry, it may practice and drill on scenarios related to information stealers or ransomware groups targeting access for monetary gain. When it's "game time" and a real-world incident affects that organization, the SOC will be ready to tackle anything the threats throw at them. 

After my fourth year at UVA, I was extremely fortunate to be drafted by the Colorado Rockies, and during my career, I witnessed how collaboration can foster championship teams. Communication and information sharing between team members or departments are integral for successful collaboration. In a highly skilled environment like professional baseball or a mature SOC, everyone wants to be the one the manager leans on to get the job done. This competitive nature can sometimes lead individuals to isolate themselves so that their abilities and knowledge stay wholly unique to their skill set. However, I've experienced on the field and in the SOC individuals who put their pride aside and continually took time out of their day to share their knowledge to help upskill and provide guidance to their fellow teammates. 

Working Together

SOCs that encourage interpersonal communication between their analysts, threat hunters, engineers, or incident responders develop a team that understands the roles and responsibilities of every other team member, and can use that knowledge to help streamline or assist in more effective ways during an incident. SOCs can also establish collaborative environments by creating and executing a collective game plan against their opponents. Professional baseball organizations have advanced scouting groups that collect as much information as possible about the opposing team, including pitching/hitting tendencies (behaviors), and who and how they are going to pitch to hitters (tactics). By leveraging an intelligence-driven approach, the SOC can also achieve an effective collaborative environment. Cyber threat intelligence (CTI) acts like the advanced scouting group by gathering as much information about the threats, actors, tactics, techniques, and procedures (TTPs), and behaviors to effectively profile their organizational risk and priorities. Those priorities are then communicated to different teams like threat hunting, detection engineering, and security engineers, allowing them to work as a collaborative unit and communicate based on actionable intelligence.  

Reflecting on my time in baseball and in cybersecurity, there are more similarities than I expected between developing into a professional athlete and a cyber professional. Through my journey in both careers, I've worked with amazing individuals that led by example and were more than just a manager. They instilled in me the importance of preparation and the significance of building a culture of teamwork. These collaborative environments have allowed me to not only learn from my managers but also establish long-lasting relationships with my peers and teammates.