The Vanguard of a Robust SOC and a Strong NOC

Cybersecurity | admGrupoBeit | 29 December, 2024

By: Elías Cedillo Hernández
CEO and Founder of GrupoBeIT, BuroMC, and Elite Infrastructure Services

In the years I have worked in the world of digital information security, I have consulted several industry leaders to establish solid foundations for designing a SOC and implementing a NOC in the organizations that have been clients of our company. It’s not just about knowing the concepts, tools, best practices, and standards that provide the theoretical basis for building the SOC and launching the NOC; it’s about managing the techniques and processes that are part of the implementation design and that will be key elements in safeguarding the information security of many clients. This includes installation, troubleshooting, and updating of critical business network software, and antivirus support to prevent malware from entering and spreading through the network, among others; taken together, these become a critical issue organizations must consider. But I want to start with a certainty, by giving you a clear context of what SOC and NOC mean, because without those initial definitions it will be very difficult to understand what each one entails and the impact that effective and decisive leadership in these areas will have on organizations.

From the basics, what is a NOC and a SOC? Side by side

The SysAdmin, Audit, Network and Security (SANS) Institute is officially recognized as one of the international authorities in cybersecurity and information security education. SANS defines a SOC (Security Operations Center) as “a combination of people, processes, and technology that protects an organization's information systems through proactive design and configuration, continuous monitoring of system status, detection of unintended actions or undesired states, and minimization of damage caused by undesired effects”, while a NOC (Network Operations Center) “is a network operations center that, as its name suggests, is a specialized site for monitoring communication networks, whether they are Internet, television, satellite networks, or generally any other type of local or national network, and is not limited solely to telecommunications networks”.

Let’s put it this way: a manager of a Security Operations Center (SOC) or a Network Operations Center (NOC) should clearly understand the above, without necessarily following a conventional career path. While having prior knowledge in network security, management, and operations can be helpful, it is not mandatory. They might come from a background in cybersecurity, information technology, or even completely different fields; it is likely they have gone through stages as a team member before taking on the responsibility of leading a SOC or a NOC. However, being a SOC/NOC manager is not limited to administration: it involves distinctive and, above all, proactive leadership. It is here, precisely, that I want us to explore this transition, while sharing from my experience resources to help my team members become exceptional leaders in these complex and demanding fields.

What is the purpose of a NOC and SOC? 

Once both entities are defined, I must point out that many people often mistakenly equate a NOC with a SOC. However, they are two completely different things. One of the main objectives of the NOC is to ensure the availability of the data center. Its scale, both in terms of physical space and personnel, is usually determined by the size and critical importance of the data center for the business that requires it.

To further deepen the distinction, large data centers have a NOC room that operates continuously, 365 days a year. However, due to the associated costs, smaller data centers usually opt to use automated monitoring software instead of establishing a full NOC. This allows them to monitor their network with minimal human intervention and without incurring the expenses associated with a full-time NOC team.

The SOC, on the other hand, focuses on cybersecurity. In fact, for the vast majority of companies and organizations, it is not the primary objective but rather a support function that ensures the fulfillment of the company’s mission. This means it is extremely important for the SOC to understand the context of the information security events it processes and to prioritize the large volume of incoming data. This can only be achieved by having a clear understanding of exactly what the SOC protects and why.

To effectively provide services to clients, the SOC must manage, maintain, and exchange situational awareness (SA) data, in addition to defining the client’s cybersecurity status and the cyber threat landscape over time and space, understanding their interrelation (i.e., cyber risk) and predicting their state in the near future. The situational decision-making cycle corresponds to the O.O.D.A. loop (Observe → Orient → Decide → Act), which refers to observing, orienting, deciding, and acting in order to make better decisions and achieve flawless execution. In a SOC, all analysts, sometimes unknowingly, carry out actions according to the O.O.D.A. cycle, which can last from minutes to months, while the operators' knowledge about the client’s infrastructure and relevant cyber threats continuously increases.

Understanding the SOC more deeply

The SOC is divided into three main areas.

  1. Specialization in Engineering / Ethical Hacking and Forensic Investigation: Ethical Hacking (both black box and white box) focuses on the proactive prevention of cyberattacks, while Forensic Investigation centers on the reactive response to security incidents. Both play a vital role in protecting organizations against cyber threats.
  2. Processes / ISO standards: in cybersecurity, these serve to establish standards and procedures that help manage and improve information security systematically and effectively, ensuring the protection of digital assets and business continuity in the face of cyber threats.
  3. Technology / SIEM: these serve to detect, analyze, and respond to cyber threats in a centralized and efficient manner, providing complete visibility over network security and streamlining incident management.

On the other hand, the NOC represents the nerve center for network monitoring within the data center environment. It enables subject matter experts to oversee the data center’s network infrastructure and quickly resolve any issues that may arise to prevent data loss. For larger enterprises, the NOC and SOC are complementary and necessary to each other; neither can function independently.

While the NOC’s role is limited to monitoring the network without intervening in it, the SOC takes on a more active role by focusing exclusively on security. The primary task of SOC personnel is to detect vulnerabilities, potential attacks, and threats within the network. Additionally, they are responsible for identifying anomalies and mitigating security incidents in real time or before they occur.

When should we talk about its efficiency?

I am often asked how efficient a SOC and a NOC are, and what kind of leadership is required to establish and manage both. This is precisely where, from my point of view, I begin to consider not only the significant capabilities of the professionals involved, but also the processes that will be followed and the type of technology that will be used for their proper deployment, not to mention the strategies, infrastructure, governance model, planning, implementation, and more. All of this requires a holistic approach that takes into account the various commercial tools and open-source software found in the most modern SOCs and NOCs.

On one hand, ideally, SOC leadership should take into account vulnerability and risk management, threat intelligence, digital forensics, data collection, and, to a broader extent, security data analysis. They must consider modern technical components, as well as evaluate the current state of the SOC and identify areas for improvement. Additionally, that leadership needs to focus on strategic planning, designing and building the SOC infrastructure, managing security incidents, organizing incident response teams, and measuring performance. This includes clearly defining an optimal governance and staffing model that helps prepare the SOC for deployment, with comprehensive transition plans detailing best practices that we can recommend from a high-level consultancy perspective for security operations—incorporating continuous improvement and refinement. I say this because at Grupo BeIT, we always strive to follow this path to find the most appropriate solutions not only for creating a SOC but also for managing it effectively.

Regarding the NOC, it is important to note that a hierarchical structure is employed to classify personnel, ranging from novice engineers to experienced professionals, enabling an efficient response to a variety of issues. This organization ensures that the right personnel are assigned to address each situation, whether it’s a power outage or a direct attack on the NOC. This is precisely where leadership plays a crucial role, ensuring the availability and readiness of staff in critical situations, especially in NOCs that operate for highly complex services, where constant monitoring is essential to safeguard the integrity of an organization’s servers. In these cases, proactive action often provides the key advantage when addressing high-impact situations.

NOCs are meticulously organized with established protocols to maintain calm and minimize the response times of the professionals managing them. These centers operate with high efficiency and control, given the strategic importance of their functions and the expertise of those who manage and make decisions within them. 

How is the management of leadership in a NOC and a SOC? The fundamental approach

As I mentioned, as CEO of Grupo BeIT and its business units, BuróMC and Elite Infrastructure Services, I have noticed that management and leadership, although often used interchangeably, usually represent two crucial facets of team management. While management focuses on execution and supervision to achieve established objectives, leadership aims to go deeper by providing direction and guidance. To illustrate this distinction, we refer to the famous quote by Peter Drucker: “Management is doing things right; leadership is doing the right things.”

Leadership, therefore, is oriented towards identifying and selecting the right goals, thereby establishing a clear vision of the future and a deep understanding of the underlying purpose. This approach goes beyond the mere efficient execution of work, encompassing the strategic choice of which tasks to prioritize and how to achieve them. In the context of the SOC and the NOC, this distinction takes on particular relevance, as it involves leading the forefront of cybersecurity and the proper management of network operations centers.

Do we cultivate SOC leadership at Grupo BeIT? We do it where it should start: at home!

Yes, leadership has traditionally been associated with innate traits, but in our company, we adopt an “in-house leadership process definition” perspective, which suggests that leadership can be learned and cultivated through behavior and interactions within the company and with our clients. This vision broadens access to leadership, making the development of leadership skills attainable for anyone committed to continuous learning and growth, enabling them to effectively execute actions not only for improvement but also for prevention.

Do we lead the operational environment of the SOC and the NOC?

Having defined the above, and given the specific context of the SOC and NOC, where speed and accuracy are crucial, leadership plays an even more prominent role. Here, the leader not only guides the execution of the right tasks but also sets the strategic direction to face emerging threats and protect the digital infrastructure. Inspired by Simon Sinek, the SOC leader articulates a compelling vision that motivates our team, uniting efforts toward a common goal: effective defense against cyber threats.

Leadership in the SOC goes beyond managing daily operations. It involves forging a path toward excellence in cybersecurity. By adopting a proactive, vision-driven leadership approach, SOC managers can not only effectively guide their teams but also lead innovation and continuous adaptation in a constantly evolving digital environment. In the case of the NOC, its transformation could lead to unified IT operations with interdisciplinary teams. However, not all companies require a radical overhaul; sometimes minor updates and straightforward modernization suffice, provided there is strong leadership in place. This ensures that both large and medium-sized companies can find a justified and precise direction.

So, in my opinion, at a consulting level, effective leadership in SOC and NOC environments seeks professional collaboration with subject matter experts who not only provide a focused professional perspective but also act on the three core E's (Efficient, Effective, and Efficacious), to ensure the implementation of a path full of strength and clarity, so that organizations find a secure and justified direction in their digital operations while optimizing the value of their investment in these areas.


Written by: admGrupoBeit
