A security operations center (SOC) manager is probably not the first role that you assume in your professional career. Whether you started your journey in cybersecurity, IT, or a completely different field, you will likely have spent some time working as part of a team before eventually being in charge of a SOC. Becoming a SOC manager means transitioning from a team member to team manager. And it does not stop there. Not only are you expected to manage the SOC, but you are also expected to lead it! As we will see in this blog post, managing and leading are two very different expectations that require different mindsets and approaches.
In this article, I will shed some light on what leadership entails and provide you with some resources to become a better leader. While it is impossible to fully cover this fascinating topic within just one article, I hope it will provide you with a good starting point and a means to accelerate your journey as a leader.
As a starting point, we will look into the difference between management and leadership. Only when we can distinguish the two and understand what leadership means can we move on to ask how to be a great leader.
Distinguishing Leadership from Management – Definitions
The terms management and leadership are often used synonymously, yet both possess a distinct meaning.
Looking at the meaning of the word management in the Merriam-Webster English dictionary, it is defined as “the act or art of managing: the conducting or supervising of something (such as a business).” Also, the term manage: “to exercise executive, administrative, and supervisory direction of” something “to succeed in accomplishing” and “to direct or carry on business or affairs.”
The definition of leadership, however, provides a slightly less clear result. It is defined as “the office or position of a leader”, the “capacity to lead” and “the act or an instance of leading.” While the definition for managing provided the reader with a more thorough understanding of what it means to manage, the definition for leading brings up “coming or ranking first”, “exercising leadership” – a circular definition that provides little clarity – and finally “providing direction or guidance” and “given most prominent display.” This is in line with the definition of leader, who is – similarly trivial – “a person who leads,” “who directs,” or “has commanding authority or influence.”
Management is thus associated with administrating, executing, and supervising activities to accomplish a set goal. Leadership, while not as straightforward, is associated with providing direction and guidance. While a SOC is not a racing track and thus as SOC leaders we don’t necessarily need to come or rank first, we will come back to the motif of a leader being in front a bit later in this article.
Lastly, leadership is associated with influence – setting a direction is one thing, having others follow is clearly another. In Peter G. Northouse’s book, Leadership: Theory and Practice (2010), he defines leadership as “a process whereby an individual influences a group of individuals to achieve a common goal.” It is not sufficient for the leader to have goals of their own, leaders establish goals that are understood and shared by their followers. It takes “a mutual purpose” (Northouse, 2010) to bind a leader and their followers together.
Can You Be a Leader?
While there are many resources out there for managing a SOC, there is very little out there about SOC leadership. Unlike management, leadership appears as a less tangible and even mysterious field at times. This can make it harder to understand what needs to be done to excel as a leader and can leave aspiring leaders wondering whether they have what it takes or if they’re lacking some unknown trait that will forever prevent them from succeeding.
This feeling falls in line with what is called the “trait definition of leadership.” It suggests that being a leader requires that individuals possess specific traits or talents and thus restricts leadership to those who possess these distinct qualities. The “process definition of leadership” on the other hand suggests that leadership emerges within the interactions of leaders and their followers, thus putting a larger focus on behavior. Following the latter perspective, leadership can be learned and cultivated and is therefore achievable by anyone willing to learn how to lead. This is the definition followed by Northouse himself.
This is good news for us. It shows that it is worth it to invest time and effort to become better leaders. But what can we do to achieve this goal?
Leading in Operations
The distinction between management and leadership is prominently captured by Peter Drucker’s famous quote from his book, The Essential Drucker: The Best of Sixty Years of Peter Drucker's Essential Writings on Management (2008):
“Management is doing things right; leadership is doing the right things.”
This means that management is more focused on the correct execution of work while leadership is concerned about selecting the right work in the first place. While a manager might be primarily concerned with what is being done and potentially how it is done to identify better ways of achieving the desired results, a leader will put more focus on setting these goals and direction. This vision of the future involves a thorough understanding of purpose – the reason why a team, department, or company exists in the first place and deriving from there which goals to have in mind as well as a roadmap on how they may be achieved. Simon Sinek honors this leadership principle when he places the “why” in the center of his Golden Circle of successful and inspiring leadership (Sinek, 2024).
By definition, the SOC is an operations function. Continuous operations can sometimes make work feel like an endless grind where we are fighting to keep the alert queue in check. For us as SOC leaders and managers, this means that we need to find a vision for our SOC that goes beyond daily operations. Given the high-level business purpose for the SOC, how is tomorrow’s SOC different from today’s? How could we further improve to better serve our constituency? Answering these questions in a top-down fashion can ensure you set meaningful goals tied to high-level business impact. From there, you can derive initiatives that bring the team closer to achieving those goals that align with the priorities of your constituency.
The Leadership Bus
Imagine you are driving a bus full of passengers. What you need to do as a leader is to understand where to take the bus – it needs a goal, a direction to steer it towards. The driver’s seat is the ideal position for this, the steering wheel and all the controls are right there, and you can see the road ahead.
There is just one problem. As a driver, you have that small rear-view mirror to look inside the bus. Your primary focus will be the road, but you may occasionally check in to see whether everything is going well. You may think this is enough – after all, you will notice any emergencies and can react to them in a timely manner. Passengers on the bus, however, have a very different perspective than you.
Where are you? Passengers, especially at the back of the bus, are not able to see you at all. As we learned, there is no leader without a team to be led. You may have the best visions, strategic plans, and roadmaps, but if your team doesn’t see you or agree with your direction, they may all jump off before you even notice.
As a leader, you need to engage with visions and strategic planning. But leadership – following the process theory of leadership – emerges from the interaction of leaders and followers. As often as you can, you need to (safely) jump off that driver’s seat and interact with your team. You want to know how they are doing, what they are thinking, and if they are still on board.
This is closer to the leadership principle of leading from the front. Here, the term “front” does not refer to being ahead but to joining the team on the battlefield, being able to jump in and support when needed. While a leader doesn’t necessarily need to be able to perform all the specialized activities covered by the team, they should understand the responsibilities of each team member and know what it’s like to walk in their shoes. This helps leaders make more informed and empathic decisions and communicate them clearly and respectfully.
Leading, Not Just Managing a SOC
I believe that everyone who is willing to invest the necessary time, effort, and heart can learn how to be a leader. This article gives you a perspective on what leadership is and guidance on what is important for a leader of a SOC.
The SANS LDR551: Building and Leading Security Operations Centers course bridges the gap between merely managing a SOC and truly leading one, and provides numerous frameworks, references, and resources on how to do that. Combined with hands-on labs and our Cyber42 leadership simulation, students will gain knowledge and experiences about how to build a healthy environment with the right mindset and culture that will help take your SOC team to the next level. If you want to learn more, check out the LDR551 syllabus and free demo. We look forward to seeing you in class!