The SOC Chief is responsible for leading Security Operations Center (SOC) strategy, operations, personnel, processes, and mission execution. This role oversees daily and long-term SOC activities, including monitoring, triage, incident escalation, threat detection, reporting, quality assurance, and continuous improvement across the cyber operations environment.
The ideal candidate combines deep security operations expertise, strong leadership ability, incident response experience, and the capacity to communicate operational risk clearly to technical teams, program leadership, and senior stakeholders. This role ensures the SOC operates effectively, aligns with mission priorities, and delivers timely, accurate, and actionable security outcomes.
Key ResponsibilitiesSOC Leadership & Operational Oversight - Lead day-to-day SOC operations, ensuring monitoring, triage, analysis, escalation, and reporting activities are performed accurately, consistently, and within established timelines.
- Establish operational priorities, shift expectations, escalation paths, handoff procedures, and service-level expectations for SOC analysts and supporting teams.
- Ensure SOC activities align with program objectives, mission needs, regulatory requirements, operational risk priorities, and cybersecurity best practices.
- Oversee coordination among SOC Tier 1, Tier 2, Tier 3, threat hunting, threat intelligence, forensics, engineering, and program management personnel.
Incident Response & Escalation Management - Provide leadership during significant cybersecurity events, ensuring incidents are triaged, escalated, investigated, documented, and communicated appropriately.
- Coordinate incident response activities across analysts, engineers, forensic personnel, system owners, leadership, and external stakeholders as required.
- Review and validate major incident findings, severity determinations, escalation decisions, containment recommendations, and operational impacts.
- Ensure lessons learned, after-action reviews, and corrective actions are captured and used to improve SOC procedures and response effectiveness.
Detection, Monitoring & Threat Operations - Oversee the effectiveness of SOC monitoring, alert triage, detection use cases, dashboards, reports, correlation rules, and security analytics capabilities.
- Partner with threat hunters, threat intelligence analysts, Splunk engineers, security engineers, and detection teams to identify coverage gaps and improve alert fidelity.
- Support prioritization of new detection logic, data source onboarding, tuning efforts, threat-informed monitoring, and operational use-case development.
- Ensure SOC workflows support timely identification, analysis, investigation, and disposition of suspicious or malicious activity.
Process, Quality Assurance & Governance - Develop, maintain, and enforce SOC standard operating procedures, playbooks, runbooks, escalation guides, reporting standards, and quality-control processes.
- Monitor case quality, analyst documentation, ticket handling, alert disposition accuracy, and adherence to approved procedures.
- Define and track SOC performance metrics, operational trends, workload indicators, service levels, incident statistics, and continuous-improvement actions.
- Support audit readiness, compliance reporting, risk management, and governance activities related to SOC operations and cyber incident response.
Team Leadership & Workforce Development - Lead, mentor, and coordinate SOC analysts and operational contributors, supporting consistent performance, professional development, and mission readiness.
- Assign responsibilities, review work products, provide operational guidance, and ensure appropriate coverage for shifts, surge activities, and priority events.
- Identify training needs and coordinate with cyber training personnel to improve analyst skills, tool proficiency, process knowledge, and incident response discipline.
- Promote a culture of accountability, collaboration, technical rigor, documentation quality, and continuous learning across SOC personnel.
Stakeholder Engagement & Reporting - Serve as the primary operational point of contact for SOC status, incident escalation, operational risks, performance metrics, and mission-impacting issues.
- Brief program leadership, customer stakeholders, technical teams, and senior decision-makers on SOC activities, incidents, trends, risks, and recommended actions.
- Translate technical findings and operational activity into clear business, mission, and risk language for non-technical stakeholders.
- Coordinate communications with system owners, engineering teams, assessment teams, training teams, and program management to support mission outcomes.
Technology, Tooling & Capability Management - Provide operational input into SOC tooling requirements, including SIEM, SOAR, EDR, NDR, case management, threat intelligence, vulnerability, reporting, and collaboration platforms.
- Partner with Splunk, security engineering, architecture, and infrastructure teams to ensure tools support monitoring, investigation, reporting, retention, and escalation needs.
- Identify tool, data, workflow, and integration gaps that affect SOC effectiveness and recommend improvements or prioritization actions.
- Support acceptance, testing, operational readiness, and transition of new SOC capabilities into production use.
Continuous Improvement & Program Support - Drive continuous improvement of SOC operating models, procedures, metrics, playbooks, escalation processes, staffing approaches, and mission support capabilities.
- Analyze recurring issues, incident trends, false positives, workflow bottlenecks, and reporting gaps to improve SOC efficiency and effectiveness.
- Support planning, staffing estimates, schedule coordination, roadmap development, and program reporting for SOC-related initiatives.
- Stay current with evolving cyber threats, SOC operating practices, detection methodologies, incident response approaches, and security operations technologies.
- 8+ years of experience in cybersecurity, security operations, incident response, threat detection, cyber defense, or related technical roles.
- 3+ years of experience leading SOC operations, incident response teams, cyber operations teams, or similar security functions.
- Strong understanding of SOC workflows, alert triage, escalation management, incident response, threat hunting, threat intelligence, detection engineering, and security monitoring.
- Experience overseeing or supporting security tools such as SIEM, SOAR, EDR, NDR, IDS/IPS, firewalls, vulnerability management tools, ticketing platforms, and case management systems.
- Demonstrated ability to lead technical teams, coordinate cross-functional response activities, manage priorities, and ensure timely delivery of operational outcomes.
- Experience developing or enforcing SOPs, playbooks, runbooks, escalation guides, metrics, reports, and quality-control processes.
- Ability to analyze operational risk, validate incident information, communicate impacts, and brief technical and non-technical stakeholders.
- Excellent written and verbal communication skills, including experience producing operational reports, executive briefings, and incident updates.
