Standing up a SOC requires more than technology. We outline the key roles, team structures, and hiring sequences that set security operations centres up for success.
Standing up a Security Operations Centre requires more than technology. Many organisations focus their SOC build on tools first and talent second — the result is expensive tooling sitting idle while teams scramble to hire analysts who can actually operate it.
The talent strategy matters as much as the technology. Get the hiring sequence wrong, and you'll face alert fatigue, poor triage decisions, and rapid burnout. Get it right, and you build a resilient operation that actually prevents incidents.
A mature SOC requires a layered team:
SOC Manager: Strategic oversight, process design, stakeholder management.
Senior Analysts (L3): Complex investigations, threat hunting, mentoring, and technical direction.
Mid-Level Analysts (L2): Triage, escalation decisions, and response coordination.
Junior Analysts (L1): Alert monitoring and initial response.
Supporting roles include threat intelligence analysts, detection engineers, and incident response specialists. The exact mix depends on your organisation's size and threat model, but this layered approach ensures both coverage and expertise.
The order in which you hire is critical. Start with the SOC Manager and at least one senior analyst. These two people shape the processes, tooling decisions, and culture of the entire operation.
Once they are in place, build out the mid-tier (L2) analysts before scaling the L1 function. This matters because junior analysts who lack senior oversight quickly become alert-fatigued and disengaged. They make poor triage decisions, miss genuine threats, and leave within 18 months.
Conversely, a strong L2 and L3 tier can manage a smaller L1 team effectively. They mentor junior staff, catch mistakes, and create a sustainable operation. This is the foundation for retention.
SOC roles are demanding. Shift patterns, constant alert exposure, and the pressure of live incident response contribute to industry-wide burnout. Yet many organisations treat retention as a problem to be solved only after analysts have already left.
The organisations that retain talent invest in:
Clear career progression paths. Junior analysts need to see a route to senior roles and beyond. Without it, they leave.
Training budgets. Encourage certifications, conference attendance, and rotation through different SOC tiers to build breadth and depth of knowledge.
Competitive shift premiums. Night-shift and weekend work has a real cost to employees. If you're asking people to work unsociable hours, the compensation needs to reflect that.
Technical autonomy. Analysts stay when they have agency to make decisions, solve problems, and shape the tools they use daily.
Standing up a SOC is not a one-time recruitment exercise. It requires continuous investment in people — in training, career development, compensation adjustments as the market evolves, and the systems that keep high performers engaged.
For critical national infrastructure (CNI) organisations, this is also a competitive advantage. Teams that are well-trained, fairly compensated, and intellectually engaged outperform larger teams of burnt-out, underpaid analysts every time. And in a market where security talent is scarce, retention matters as much as recruitment.