“The forefront of a robust SOC and a strong NOC”

Cybersecurity | admGrupoBeit | 29 December, 2024


By Elías Cedillo Hernández
CEO of Grupo BeIT and BuróMC.

In the years I have been working in digital information security, I have encountered several industry benchmarks for laying solid foundations when designing a SOC and implementing a NOC in the organizations that have been clients of our company. It is not just about understanding the concepts, tools, best practices, and standards that provide the theoretical basis for building a SOC and launching a NOC. It is about managing the techniques and processes that will be part of the implementation design and will be key to safeguarding the information security of many clients. This includes installing, troubleshooting, and updating critical business network software, and providing antivirus support to keep malware from entering and spreading through the network, among other tasks; together these become critical issues that organizations must consider. But I want to start by giving you a clear definition of SOC and NOC, because without these initial definitions it will be very difficult to understand what each one is about and the impact that effective, strong leadership in these areas will have on organizations.

From the basics, what are a NOC and a SOC? A side-by-side comparison

The SysAdmin, Audit, Network and Security (SANS) Institute is officially recognized as one of the international authorities in cybersecurity and information security education. SANS defines a SOC (Security Operations Center) as “a combination of people, processes, and technology that protects an organization’s information systems through proactive design and configuration, continuous monitoring of system status, detection of unintended actions or undesirable states, and minimization of damage caused by unwanted effects.”

Meanwhile, a NOC (Network Operations Center) is, as its name indicates, a specialized site for the control of communication networks, whether Internet, television, or satellite networks, and generally any other type of local or national network, not limited only to telecommunications networks.

Let’s put it this way: a manager of a Security Operations Center (SOC) or a Network Operations Center (NOC) must clearly understand the concepts mentioned above, but they don’t necessarily have to follow a conventional career path. While prior knowledge in network security, management, and operations can be helpful, it is not mandatory. They may come from backgrounds in cybersecurity, information technology, or even completely different fields; likely, they have gone through stages as team members before taking on the responsibility of leading a SOC or NOC. However, being a SOC/NOC manager is not limited to administration — it requires distinctive and, above all, proactive leadership. It is precisely here that I want to explore this transition with you, sharing from my experience the resources that have helped my collaborators become exceptional leaders in these complex and demanding fields.

What are a NOC and a SOC for?

Once both entities have been defined, I must point out that many people mistakenly equate a NOC with a SOC. However, they are two completely different concepts.

One of the main objectives of the NOC is to ensure the availability of the data center. Its scale—both in terms of physical space and personnel—is usually determined by the size and critical importance of the data center to the business that requires it.

To further deepen the distinction, large data centers have a NOC room that operates continuously, 365 days a year. However, due to the associated costs, smaller data centers tend to opt for automated monitoring software instead of establishing a full NOC. This allows them to supervise their network with minimal human intervention and without incurring the expenses related to a full-time NOC team. 

The SOC, on the other hand, focuses on cybersecurity. In fact, for the vast majority of companies and organizations, cybersecurity is not the primary objective of the business but a supporting function that ensures the fulfillment of the company’s mission. This means it is extremely important for the SOC to understand the context of the information security events it processes and to prioritize the large volume of incoming data. This can only be achieved by clearly understanding exactly what the SOC is protecting and why.

To effectively provide services to clients, the SOC must manage, maintain, and exchange situational awareness (SA) data. It must also define the perception of the client’s cybersecurity status and of the cyber threat landscape over time and space, understand how the two interrelate (i.e., cyber risk), and predict their state in the near future. The situational decision-making cycle corresponds to the OODA loop (Observe → Orient → Decide → Act): observing, orienting, deciding, and acting in order to make better decisions and achieve flawless execution. In a SOC, all analysts perform actions according to the OODA cycle, sometimes unknowingly; a cycle can last from minutes to months, while operators’ knowledge of the client’s infrastructure and the relevant cyber threats keeps growing.
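To make the two preceding ideas concrete (prioritizing alerts by understanding what the SOC protects, and running the OODA cycle while accumulating knowledge), here is an added illustration written for this article; it is not code from the original post or from Grupo BeIT. The asset inventory, sample events, threat weights and score thresholds are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed asset context: "what the SOC protects and why" (criticality 1-5).
ASSETS = {
    "10.0.1.5": {"name": "payments-db", "criticality": 5},
    "10.0.2.17": {"name": "dev-laptop", "criticality": 1},
}
# Constructed sample events, in the normalized shape a SIEM might emit.
EVENTS = [
    {"id": 1, "host": "10.0.2.17", "type": "failed_login", "count": 3},
    {"id": 2, "host": "10.0.1.5", "type": "failed_login", "count": 40},
    {"id": 3, "host": "10.0.1.5", "type": "new_admin_user", "count": 1},
    {"id": 4, "host": "10.0.9.9", "type": "port_scan", "count": 200},
]
# Assumed per-event-type severity weights.
THREAT_WEIGHT = {"failed_login": 1, "new_admin_user": 4, "port_scan": 1}

@dataclass
class Knowledge:
    """Operator knowledge that grows across OODA cycles."""
    known_benign: set = field(default_factory=set)  # (host, type) pairs closed before
    seen_hosts: set = field(default_factory=set)

def observe(events):
    return list(events)  # Observe: take the raw event stream as-is

def orient(event, knowledge):
    """Orient: score the event in the context of the asset it touches."""
    asset = ASSETS.get(event["host"], {"name": "unknown", "criticality": 2})
    knowledge.seen_hosts.add(event["host"])
    if (event["host"], event["type"]) in knowledge.known_benign:
        return 0  # previously triaged as noise for this host
    volume = min(event["count"], 50) / 10  # cap so floods cannot dominate
    return asset["criticality"] * THREAT_WEIGHT[event["type"]] * (1 + volume)

def decide(score):
    """Decide: thresholds are constructed for this illustration."""
    return "escalate" if score >= 20 else "investigate" if score >= 2 else "close"

def act(event, decision, knowledge):
    """Act: closing an event feeds the next cycle's orientation."""
    if decision == "close":
        knowledge.known_benign.add((event["host"], event["type"]))
    return (event["id"], decision)

def ooda_cycle(events, knowledge):
    """One full cycle: highest-risk events, judged by asset context, come first."""
    ordered = sorted(observe(events), key=lambda e: -orient(e, knowledge))
    return [act(e, decide(orient(e, knowledge)), knowledge) for e in ordered]
```

Note that the 40 failed logins against the payments database outrank the new admin user only because of asset criticality; on the low-value laptop the same login noise is closed and remembered.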

Understanding the SOC better…

The SOC is divided into three main areas:

  1. Engineering Specialization / Ethical Hacking and Forensic Investigation: Ethical Hacking (both black-box and white-box) focuses on the proactive prevention of cyberattacks, while Forensic Investigation centers on the reactive response to security incidents. Both play vital roles in protecting organizations against cyber threats.
  2. Processes / ISOs: Cybersecurity processes and ISOs establish standards and procedures that help manage and improve information security systematically and effectively, ensuring the protection of digital assets and business continuity in the face of cyber threats.
  3. Technology / SIEM: These tools serve to detect, analyze, and respond to cyber threats in a centralized and efficient manner, providing complete visibility over network security and streamlining incident management.


On the other hand, the NOC represents the nerve center for network monitoring within the data center environment. It enables subject matter experts to oversee the data center’s network infrastructure and quickly resolve any issues that may arise to prevent data loss. For larger enterprises, the NOC and SOC are complementary and necessary to each other; neither can operate independently.

While the NOC’s role is limited to monitoring the network without direct intervention, the SOC takes a more active role, focusing exclusively on security. Its primary task is to detect vulnerabilities, potential attacks, and threats within the network. Additionally, it is responsible for identifying anomalies and mitigating security incidents in real time, or even before they occur.

When should we talk about their efficiency?

Many times, people ask me how efficient a SOC and a NOC can be, and what type of leadership is needed to establish and manage them. This is where, from my perspective, I begin to consider not only the significant skills of the professionals involved, but also the processes to be followed and the type of technology to be used for their proper deployment—not to mention the strategies, infrastructure, governance model, planning, implementation, and more, taking a holistic approach that considers the various commercial and open-source tools found in the most modern SOCs and NOCs.

Ideally, the leadership of a SOC should take into account vulnerability and risk management, threat intelligence, digital investigations, data collection and, to an extended degree, security data analysis, while keeping modern technical components in mind, together with an evaluation of the SOC’s current state and the identification of areas for improvement. That leadership must also be aware of the strategic planning of the SOC itself, the design and construction of its infrastructure, security incident management, the organization of the teams that respond to incidents as they arise, and the measurement of its performance. This requires a clear definition of an optimal governance and staffing model that supports the SOC’s readiness for launch, including comprehensive transition plans that detail the best practices we can recommend from a high-level security operations consulting perspective, with continuous improvement and refinement. I say this because, at Grupo BeIT, we always aim to follow this path to find the most suitable answer, not only for creating a SOC but also for managing it.

Regarding the NOC, it is important to note that a hierarchical structure is used to classify personnel, from novice engineers to experienced ones, allowing an efficient response to a variety of problems. This organization ensures that the right personnel are assigned to each situation, whether it is a power outage or a direct attack on the NOC. Leadership plays a crucial role in these environments, ensuring the availability and preparedness of staff in critical situations, especially in NOCs that operate for highly integrated services, where constant vigilance is key to safeguarding the integrity of an organization’s servers. It is here that proactive action often provides the advantage needed to deliver higher-impact solutions.

NOCs are meticulously organized with established protocols to maintain calm and minimize response times for the professionals who manage them. These centers operate with high efficiency and control, given the strategic importance of their functions and the expertise of those who manage and make decisions within them. 

Management versus leadership in a NOC and SOC: the fundamental approach

As I mentioned, as CEO of Grupo BeIT and its business units, BuróMC and Elit Infrastructure Services, I have noticed that although management and leadership are often used interchangeably, they actually represent two crucial facets of team management. While management focuses on execution and oversight to achieve established goals, leadership goes deeper, providing direction and guidance. To illustrate this distinction, we can refer to Peter Drucker’s famous quote: “Management is doing things right; leadership is doing the right things.”

Leadership, therefore, is oriented toward identifying and selecting the right goals, establishing a clear vision of the future and a deep understanding of the underlying purpose. This approach goes beyond merely executing tasks efficiently—it involves the strategic choice of which tasks to prioritize and how to achieve them. In the context of a SOC and NOC, this distinction takes on particular relevance, as it means leading the vanguard of cybersecurity and ensuring the correct management of network operations centers.

Do we cultivate SOC leadership at Grupo BeIT? We do it where it must begin: at home!

Yes, leadership has traditionally been associated with innate traits, but in our company we adopt a perspective of “in-house leadership process definition”, which holds that it can be learned and cultivated through behavior and interactions within the company and in our engagements with clients. This vision broadens access to leadership, making the development of skills in this field attainable for anyone committed to learning and continuous growth, in order to act not only for improvement but also for prevention.

Do we lead the operational environment of the SOC and NOC?

Having defined the above and based on the specific context of SOC and NOC—where speed and precision are crucial—leadership plays an even more prominent role. Here, the leader not only guides the execution of the right tasks but also sets the strategic direction to face emerging threats and protect digital infrastructure. Inspired by Simon Sinek’s “why”, the SOC leader articulates a compelling vision that motivates our team, uniting efforts towards a common goal: effective defense against cyber threats.

Leadership in the SOC is not limited to managing daily operations. It involves forging a path toward excellence in cybersecurity. By adopting a proactive, vision-centered approach to leadership, SOC managers can not only effectively direct their teams but also lead innovation and continuous adaptation in an ever-evolving digital environment. In the case of the NOC, its transformation could lead to unified IT operations with interdisciplinary teams. However, not all companies need a radical change with major updates; some require minor modernization and the fulfillment of their work with solid leadership in these areas, so that large and medium-sized companies can find a justified and precise direction. 

From my consulting perspective, effective leadership in SOC and NOC environments seeks professional articulation with subject matter experts, who provide not only a focused professional point of view but also a core of three “E” qualities in action (efficient, effective and efficacious). This ensures a path built on solidity and clarity, so that organizations find a safe and well-justified direction in their digital operations while optimizing the value of their investment in these areas.
