Exercises: Building and Leading the Security Function

These exercises move from structure to leadership judgment. Difficulty is marked ⭐ (recall/application), ⭐⭐ (analysis), and ⭐⭐⭐ (synthesis/open-ended). A dagger (†) marks problems with a full worked solution in Appendix: Answers to Selected Exercises — try every problem before you read one.

This is a leadership-and-organization chapter, so many exercises ask you to design, decide, or lead rather than to compute. Where a problem asks you to make an organizational call, there is rarely one right answer; the reasoning, the tradeoffs you name, and the residual risk you acknowledge matter more than the choice itself. Work in your own notebook or a private repository.


Part A — Org design and reporting (core concepts) ⭐

1.† In one sentence each, define SOC tiers, MSSP, MDR, and build vs buy (SOC), then write a single sentence that uses all four correctly in the context of a mid-size company standing up a security operations capability.

2. List the five core functions every complete security program must cover (regardless of size). For each, name the Meridian team member who owns it.

3. Meridian's CISO reports to the CIO. Name the structural conflict of interest this creates and the single structural fix Meridian uses to mitigate it. Why is that fix described as nearly universal in mature programs?

4.† For each reporting line, name one advantage and one risk: (a) CISO → CIO; (b) CISO → CEO; (c) CISO → CFO/General Counsel/CRO. Which is most natural for a regulated bank, and why?

5. Distinguish a centralized from a distributed (embedded) security model. Then explain what a hybrid + security-champions model takes from each, and why it is the only realistic option for a six-person team serving 1,800 employees.

6. True or false, with one sentence of justification: "The depth of the most senior security person in the org chart is, by itself, a reasonable predictor of program maturity."


Part B — The SOC, tiers, and automation ⭐⭐

7.† Walk an alert through the three-tier SOC model. For Tier 1, Tier 2, and Tier 3, state (a) the primary job, (b) what triggers an escalation out of that tier, and (c) one way that tier makes the next occurrence of the same alert cheaper to handle.

8. The chapter calls the tiered SOC "a feedback loop for making the SOC cheaper to run over time" rather than a status hierarchy. Explain what a naive SOC does with a growing alert stream and what a mature SOC does instead. What is Tier 3's role in that loop?

9.† Explain, with the arithmetic, why continuous ("24/7") coverage of a single SOC seat requires roughly 5–7 full-time analysts. Start from the number of hours in a week.

10. Define SOAR (expand the acronym) and explain two distinct ways it changes the staffing math and the tier model. Why does the chapter call automation "the single most effective intervention against burnout"?
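The following is an added worked example, not code from the chapter or from its staffing.py, that carries the Exercise 9 arithmetic (start from 168 hours in a week) through in code and then models the first of Exercise 10's automation effects. The shrinkage percentages, the 480-alerts-per-day volume and the 15-minute handling time are constructed assumptions, not figures from the chapter.

```python
"""Staffing arithmetic for continuous (24/7) SOC coverage.

Added example, not from the chapter. All shrinkage percentages, alert
volumes and handling times below are constructed assumptions.
"""
import math

HOURS_PER_WEEK = 24 * 7  # 168: what one seat staffed around the clock costs


def analysts_for_continuous_seat(shrinkage_pct: int, contract_hours: int = 40) -> int:
    """Whole analysts needed to keep ONE seat occupied 24/7.

    shrinkage_pct: percentage of contracted hours that do not put anyone in
    the chair (leave, sickness, training, meetings, shift handover).
    Integer percentages keep the arithmetic exact, so 30% shrinkage on a
    40-hour week is exactly 28 productive hours, not 27.999...
    """
    if not 0 <= shrinkage_pct < 100:
        raise ValueError("shrinkage_pct must be in [0, 100)")
    productive_hours = contract_hours * (100 - shrinkage_pct) / 100
    return math.ceil(HOURS_PER_WEEK / productive_hours)


def staffing_range(shrinkage_pcts=(15, 20, 25, 30, 35), contract_hours: int = 40) -> dict:
    """Map each shrinkage assumption to the headcount it implies for one seat."""
    return {s: analysts_for_continuous_seat(s, contract_hours) for s in shrinkage_pcts}


def seats_for_alert_load(alerts_per_day: float, minutes_per_alert: float,
                         automated_pct: int = 0) -> float:
    """Average number of simultaneously busy seats an alert stream implies.

    automated_pct: share of alerts a SOAR playbook closes outright (known-benign
    patterns, auto-enriched and auto-resolved), consuming ~0 analyst minutes.
    This is the first way automation changes the math: fewer seats to staff.
    The second (enrichment makes each remaining alert faster) shows up as a
    smaller minutes_per_alert. The result is an average; peaks need headroom.
    """
    if not 0 <= automated_pct <= 100:
        raise ValueError("automated_pct must be in [0, 100]")
    human_alerts = alerts_per_day * (100 - automated_pct) / 100
    analyst_hours_per_day = human_alerts * minutes_per_alert / 60
    return analyst_hours_per_day / 24


def total_headcount(alerts_per_day: float, minutes_per_alert: float,
                    automated_pct: int, shrinkage_pct: int) -> int:
    """Seats implied by the alert load, times analysts needed per 24/7 seat."""
    seats = max(1, math.ceil(seats_for_alert_load(alerts_per_day, minutes_per_alert,
                                                  automated_pct)))
    return seats * analysts_for_continuous_seat(shrinkage_pct)


if __name__ == "__main__":
    print(f"Raw ratio with no shrinkage: {HOURS_PER_WEEK}/40 = {HOURS_PER_WEEK / 40:.2f}")
    for pct, n in staffing_range().items():
        print(f"  {pct:>2}% shrinkage -> {n} analysts for one seat")
    # Constructed load: 480 alerts/day at 15 minutes each, 25% shrinkage.
    for auto in (0, 60):
        print(f"  {auto}% automated: {seats_for_alert_load(480, 15, auto):.1f} seats, "
              f"{total_headcount(480, 15, auto, 25)} analysts total")
```

The point of `total_headcount` is that the two factors multiply: every seat you cannot automate away costs five to seven people, so a playbook that removes one seat's worth of routine closures removes a whole rotation, not one analyst.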

11. A SOC manager proudly reports that 99% of alerts are closed at Tier 1. Give one good and one bad explanation for that number. What additional metric would you need to tell which is true? (Hint: consider §37.4's burnout warning signs.)


Part C — Build vs buy analysis ⭐⭐–⭐⭐⭐

12.† Build-vs-buy analysis. MidStream Credit Union has 600 employees, a fairly standard Microsoft-centric tech stack, a tight budget, and is located in a small city where security talent is scarce. It currently has one security analyst and no after-hours coverage. Using the factor table from §37.2, write a one-page recommendation: in-house, MSSP, MDR, or hybrid? Justify each factor, state the residual risks of your choice, and name what you would keep in-house regardless.

13. Contrast an MSSP and an MDR provider specifically by what each does with a confirmed high-severity alert at 2 a.m. Then name the single biggest governance concern an MDR engagement raises that an MSSP engagement raises less sharply (tie it to a chapter you have already read).

14.† The §37.2 war story describes a hospital whose two-person in-house SOC collapsed when both analysts left the same quarter. Identify the three specific failures that turned an ordinary resignation into a five-month blind spot, and for each, name the control from this chapter that would have prevented it.

15. ⭐⭐⭐ Design the decision, then defend it. Your CEO has read a vendor pitch and wants to "replace the SOC team with an MDR contract to save money." You believe a hybrid model is correct. Write the three-paragraph argument you would make: (1) what the MDR genuinely solves, (2) what must stay in-house and why, (3) the risk of going fully outsourced. Use the language of risk, not turf.


Part D — Staffing, retention, and the talent gap ⭐⭐

16. The chapter argues retention deserves more attention than recruiting in a talent shortage. Give two reasons replacing a trained analyst costs far more than a recruiter's fee, and tie each to a concept from this chapter (e.g., institutional knowledge, runbooks, coverage gap).

17.† Address the burnout. You inherit a five-person SOC with: a two-person on-call rotation, a rising false-positive close rate with falling investigation time, no documented career ladder, and your two best analysts updating their resumes. Write a prioritized 90-day plan (at least five concrete actions) to stabilize the team. For each action, name whether it attacks alert fatigue, burnout, or retention — and note that some attack more than one.

18. "Hire for aptitude, train for skills." List four sources of SOC talent outside the pool of already-certified analysts, and explain why an inflated entry-level job posting (degree + multiple certs + "3–5 years experience") is described as a self-inflicted wound.

19.† Distinguish alert fatigue (Chapter 21) from analyst burnout (this chapter). Explain how they are causally linked, why fixing one does not automatically fix the other, and name the layer at which each is properly addressed.

20. Name three warning signs of an overloaded/burning-out SOC that a manager paying human attention would catch but that a metrics dashboard alone might miss. Why does the chapter call burnout "a leadership-attention problem before it is a tooling problem"?


Part E — Write the runbook / write the policy ⭐⭐

21.† Write an escalation runbook. For Meridian, draft an escalation runbook for a single alert type: "an EDR alert that a domain-admin account logged in from an unrecognized workstation at 02:30." Include: the severity you assign and why, the acknowledgment time, the numbered investigation steps, the explicit escalation chain (who is next at each step), and the criteria that would pull in the IR lead and the CISO. Keep it to one page.

22. Write the policy. Draft a three-to-five-bullet on-call policy for a SOC that fixes the "burnout machine" anti-pattern. Address rotation size/fairness, what severity gates a 3 a.m. page, the escalation chain, and how on-call burden is compensated or offset.

23. Harden the runbook. Here is a (deliberately bad) draft runbook step a junior analyst wrote. Identify everything wrong with it and rewrite it so it would actually function at 3 a.m. for someone who has never seen this alert before:

Step 4: If the login looks suspicious, investigate it and escalate to someone if it's bad.

24. Explain why the chapter insists runbooks are "a survival tool, not bureaucracy." Give the three reasons a small team specifically depends on them, and explain the document → prove → automate progression.


Part F — Purple teaming and continuous improvement ⭐⭐

25.† Define purple teaming and explain the single framing change that distinguishes it from a traditional red-team-vs-blue-team engagement. Why does that change produce a measurably better defensive outcome rather than just a report?

26. List the five steps of a well-run purple-team exercise from §37.5. For step 3, explain the three possible outcomes for a given technique (detected and alerted, logged but not alerted, not visible at all) and how the required fix differs for each.

27.† A purple-team exercise emulates ten ATT&CK techniques. Results: 5 detected-and-alerted, 3 logged-but-not-alerted, 2 not-visible-at-all. (a) Which results are fixed by detection engineering and which by adding telemetry? (b) Which two should arguably be fixed first, and why? (c) How does the coverage metric (Chapter 36) let you show progress to leadership over successive exercises?
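Below is an added worked example, not code from the chapter, showing how the three outcomes in Exercises 26 and 27 map onto fix queues and how the coverage metric is tracked across successive exercises. The technique IDs are real ATT&CK identifiers, but the outcomes attached to them (5/3/2 in the first exercise, then an improved second exercise) are constructed to match the problem statement, and the two coverage figures (`alerted`, `visible`) are this example's definitions, not necessarily the chapter's.

```python
"""Purple-team result triage and a detection-coverage trend.

Added example, not from the chapter. Technique IDs are real ATT&CK IDs;
the outcomes recorded against them are constructed for illustration.
"""
from collections import Counter

DETECTED = "detected_alerted"    # telemetry present, rule fired, analyst saw it
LOGGED = "logged_not_alerted"    # telemetry present, no rule (or rule disabled)
INVISIBLE = "not_visible"        # no log source captured the activity at all

# Which kind of fix each outcome needs. Order matters in practice: a technique
# with no telemetry cannot get a detection rule until it is instrumented.
FIX_FOR = {
    DETECTED: "ok",
    LOGGED: "detection_engineering",
    INVISIBLE: "telemetry",
}

# Constructed first exercise: 5 detected-and-alerted, 3 logged-only, 2 invisible.
EXERCISE_1 = {
    "T1059": DETECTED,   # Command and Scripting Interpreter
    "T1078": DETECTED,   # Valid Accounts
    "T1105": DETECTED,   # Ingress Tool Transfer
    "T1566": DETECTED,   # Phishing
    "T1486": DETECTED,   # Data Encrypted for Impact
    "T1003": LOGGED,     # OS Credential Dumping
    "T1053": LOGGED,     # Scheduled Task/Job
    "T1021": LOGGED,     # Remote Services
    "T1047": INVISIBLE,  # Windows Management Instrumentation
    "T1055": INVISIBLE,  # Process Injection
}

# Constructed second exercise, re-run after the fixes: the three logged-only
# techniques gained rules; the two invisible ones gained telemetry but no rule yet.
EXERCISE_2 = {**EXERCISE_1, "T1003": DETECTED, "T1053": DETECTED,
              "T1021": DETECTED, "T1047": LOGGED, "T1055": LOGGED}


def triage(results: dict) -> dict:
    """Group techniques into the queue that owns their fix."""
    queues = {"detection_engineering": [], "telemetry": [], "ok": []}
    for technique, outcome in sorted(results.items()):
        if outcome not in FIX_FOR:
            raise ValueError(f"unknown outcome {outcome!r} for {technique}")
        queues[FIX_FOR[outcome]].append(technique)
    return queues


def coverage(results: dict) -> dict:
    """Two fractions leadership can track: alerted (the headline coverage number)
    and visible (alerted + logged-only, i.e. what detection engineering could
    fix without buying or deploying any new telemetry)."""
    n = len(results)
    counts = Counter(results.values())
    return {
        "alerted": counts[DETECTED] / n,
        "visible": (counts[DETECTED] + counts[LOGGED]) / n,
    }


def trend(exercises: list) -> list:
    """Coverage per exercise with the change in the alerted fraction since the last one."""
    rows, prev = [], None
    for i, ex in enumerate(exercises, start=1):
        c = coverage(ex)
        rows.append({"exercise": i, "alerted": c["alerted"], "visible": c["visible"],
                     "alerted_delta": None if prev is None else c["alerted"] - prev["alerted"]})
        prev = c
    return rows


if __name__ == "__main__":
    for queue, techniques in triage(EXERCISE_1).items():
        print(f"{queue:>22}: {', '.join(techniques) or '-'}")
    for row in trend([EXERCISE_1, EXERCISE_2]):
        delta = "" if row["alerted_delta"] is None else f" ({row['alerted_delta']:+.0%})"
        print(f"exercise {row['exercise']}: alerted {row['alerted']:.0%}{delta}, "
              f"visible {row['visible']:.0%}")
```

Reporting `visible` alongside `alerted` separates the cheap work from the expensive work: the gap between them is closed by writing rules, while the gap between `visible` and 100% is closed only by adding log sources.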

28. Explain why purple teaming is described as a retention tool (§37.3) as well as a detection tool. Which specific cause of analyst attrition does it counter?


Part G — Leadership ⭐⭐–⭐⭐⭐

29.† Marcus, the SOC manager, "worked hardest" by personally clearing the deepest tickets and taking the pager himself. Explain why this felt like leadership but actually harmed the team, and name the hardest transition in security leadership that he had failed to make.

30. In a serious incident, the chapter says the team needs its leader to be the incident commander, not the best technician. List four things an incident commander does, and explain why "judgment under uncertainty and the calm that lets everyone else work" is the scarcer contribution than technical skill.

31. ⭐⭐⭐ The chapter claims how a leader behaves in the 24 hours after a breach shapes culture more than any policy document. Explain the mechanism (what blaming an individual teaches the team to do), then write the two-to-three-sentence statement you would make in a post-incident debrief to build a blameless learning culture — and explain what you must do to make it credible rather than a slogan.

32. The ethics of the keys. The SOC team holds standing authorization to read any email, watch any session, and disable any account. Explain why this makes the SOC team itself a potential insider threat, and list three things leadership must do to keep that power accountable. Tie one of them to a chapter you have already read.


Part H — CTF-style challenge ⭐⭐⭐

33.† The green dashboard that lied. You are the new CISO. Your predecessor left a metrics deck that is entirely green: MTTD and MTTR are within SLA, detection coverage is 78% of the relevant ATT&CK matrix, and 97% of alerts close at Tier 1. Within two weeks, two of your five analysts resign. Using only the concepts in this chapter, explain how a dashboard can be all-green while the function is failing, identify at least four things the dashboard did not measure, and describe the first three actions you would take. (Part of the challenge is recognizing that the metrics were measuring the tools, not the team.)


Part I — Interleaved & forward-looking ⭐⭐

34. Interleaved (Chapters 24 + 26 + 37). Trace one ransomware alert from the moment it fires to the board briefing, naming which chapter's machinery operates at each step: the detection that fires (Ch.22/21), the runbook and escalation that route it (Ch.37), the IR lifecycle and incident commander that respond (Ch.24), the governance/RACI that says who is accountable (Ch.26), and the metrics that report it afterward (Ch.36). One or two sentences per step.

35. Interleaved (Chapter 30). Both Chapter 30 and this chapter use "security champions." Contrast the two uses — champions as an awareness/culture mechanism versus champions as an org-design lever — and explain how the same people serve both purposes.

36. ⭐⭐⭐ Forward to the capstone. This chapter's Project Checkpoint adds the org chart and SOC operating model to Meridian's program. In two or three sentences, predict why Chapter 38 (the board presentation) will treat the question "who runs all this, and can they keep doing it?" as just as important to a board as "are we secure?" — and what evidence from this chapter's staffing.py / metrics.py integration you would put on the slide.

37. Open reflection. The book has applied Theme 3 ("the human is the weakest link and the strongest asset") to end users throughout. This chapter applies it to the defenders themselves. Write half a page on how that reframing changes what you think "a strong security program" means — and whether you would now weight a team's sustainability differently than you did before this chapter.


Solutions to daggered (†) problems are in the Answers appendix. The remaining problems are deliberately open — bring them to a study group, your instructor, or your own team.