Further Reading: Building and Leading the Security Function
Curated, annotated resources to deepen this chapter. Each entry notes which learning path it serves most (🛡️ SOC, 🏗️ Engineer, 📋 GRC, 📜 Cert) and its citation tier. Start with the suggested order below; you do not need to read everything before Chapter 38.
This is a leadership-and-organization chapter, so the most valuable sources are SOC operating-model frameworks, security-team building, and the human-factors literature on burnout — not configuration guides. Read for judgment, not commands.
Suggested order
- Skim a SOC capabilities / maturity model (SANS or MITRE) to see what a complete SOC contains.
- Read the NIST CSF 2.0 Govern function and SP 800-61 sections on roles and team structure to ground the org-design and IR-leadership material.
- Read one accessible piece on SOC analyst burnout and the staffing gap (industry workforce study + a practitioner account) to make §37.3–37.4 concrete.
- Browse the MITRE ATT&CK site and one purple-teaming / adversary-emulation resource to prepare for §37.5 and the capstone.
Standards & primary documents (Tier 1)
- NIST, Cybersecurity Framework (CSF) 2.0, Govern (GV) and Respond (RS) Functions (2024). 📋📜 The Govern function formalizes roles, responsibilities, and oversight — the governance backbone the org chart hangs on; Respond frames the response capability the SOC delivers. Read GV and RS overviews.
- NIST SP 800-61, Computer Security Incident Handling Guide (incident-handling team models). 🛡️📋 Beyond the lifecycle (Chapter 24), it discusses team structures (central, distributed, coordinating), staffing, and the in-house-vs-outsource decision for incident handling — directly relevant to §37.1–37.2.
- MITRE, ATT&CK framework (attack.mitre.org). 🛡️ The shared adversary-behavior language that is the backbone of purple teaming and of measuring detection coverage (§37.5, Chapter 36). You met it in Chapter 2; here it becomes a management instrument for tracking what the SOC can see.
- MITRE, 11 Strategies of a World-Class Cybersecurity Operations Center. 🛡️📋 A comprehensive, freely available reference on building and running a SOC — staffing, tiering, automation, metrics, and organizational placement. The single best deep-dive companion to this chapter.
Books (Tier 1 / Tier 2)
- Zimmerman, C., et al., MITRE SOC strategy writings. 🛡️ Practitioner-grade guidance on SOC design and operations from the team that maintains ATT&CK; pairs with the 11 Strategies document above. (Tier 1 for the framework; treat specific operational figures as Tier 2.)
- Harris, S., & Maymí, F., CISSP All-in-One Exam Guide — Security Operations & Security & Risk Management domains. 📜📋 Covers SOC operations, sourcing/outsourcing decisions, roles and responsibilities, and security-program management at the depth the CISSP expects. Use alongside §37.1–37.3.
- Chapple, M., & Seidl, D., CompTIA Security+ Study Guide — Security Operations. 📜 An exam-aligned tour of SOC operations, monitoring, and the managed-service models; a focused companion for certification candidates working §37.2.
- Maslach, C., & Leiter, M. P., The Truth About Burnout (or their Areas of Worklife work). 📋🛡️ The foundational research framing of burnout as an organizational phenomenon (workload, control, reward, community, fairness, values) rather than an individual failing — the science behind §37.4. (Tier 2 as applied to SOCs: the model is well-established; the security-specific application is ours.)
Free online & talks (Tier 1 / Tier 2)
- (ISC)² / ISC2, Cybersecurity Workforce Study (annual). 📋📜 The most-cited source for the security staffing gap — estimates of the global shortfall and the drivers of attrition. (Tier 2: treat the precise figures as a range that varies by year and methodology; the persistent direction is the point.)
- SANS, SOC survey and SOC-management resources. 🛡️📋 Annual practitioner survey of how real SOCs are staffed, what they automate, what tooling they run, and where they struggle (notably staffing and burnout) — useful reality-checks on the abstractions in this chapter. (Tier 1 framework / Tier 2 figures.)
- MITRE, Caldera and the adversary-emulation / purple-teaming ecosystem. 🛡️🏗️ Open-source automated adversary emulation that operationalizes the §37.5 purple-team loop against your own authorized environment. Explore the concept now; apply only in a lab or with written authorization.
- Google/USENIX SRE writing on blameless postmortems and on-call health. 🏗️🛡️ The site-reliability community's mature practice on sustainable on-call rotations and blameless culture transfers almost directly to the SOC; an excellent cross-disciplinary source for §37.4 and §37.6.
Tools & practices to explore (in your own lab / org only)
- A SOC capability self-assessment. 📋🛡️ Use the MITRE 11 Strategies or a SOC-CMM-style model to score your (or a case-study) organization's SOC across staffing, process, automation, and metrics. The best first exercise in this chapter needs no software — only honesty.
- A runbook + escalation-runbook template. 🛡️🏗️ Practice the §37.4 skill: write one runbook and one escalation chain for a single alert type, then mark which steps could be automated with SOAR. This is the document → prove → automate progression in miniature.
- A purple-team exercise tracker (ATT&CK coverage sheet). 🛡️ A simple matrix mapping techniques to detected / logged-not-alerted / not-visible and tracking coverage over successive exercises — the §37.5 + Chapter 36 measurement habit made tangible.
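One way to keep the coverage sheet above honest over successive exercises, as an added example that is not part of the chapter or any MITRE resource: it scores each exercise on the three states the chapter names and flags techniques whose visibility regressed since the prior exercise (the exercise names and per-technique results are constructed sample data).

```python
"""Purple-team coverage tracker (added example; not the chapter's or MITRE's code).
Tracks ATT&CK technique visibility across successive exercises using the chapter's
three states: detected, logged-not-alerted, not-visible. Sample data is constructed."""
from collections import Counter

STATES = ("detected", "logged-not-alerted", "not-visible")
RANK = {s: i for i, s in enumerate(STATES)}  # lower rank = better visibility

# Constructed sample: exercise name -> {technique ID: result}
EXERCISES = {
    "2024-Q1": {"T1059.001": "not-visible", "T1003.001": "logged-not-alerted",
                "T1021.002": "detected", "T1566.001": "not-visible"},
    "2024-Q2": {"T1059.001": "logged-not-alerted", "T1003.001": "detected",
                "T1021.002": "detected", "T1566.001": "not-visible"},
    "2024-Q3": {"T1059.001": "detected", "T1003.001": "detected",
                "T1021.002": "logged-not-alerted", "T1566.001": "logged-not-alerted"},
}

def validate(results):
    """Reject states outside the agreed vocabulary so the sheet stays comparable."""
    for tech, state in results.items():
        if state not in STATES:
            raise ValueError(f"{tech}: unknown state {state!r}")

def coverage(results):
    """Return {state: fraction of exercised techniques} for one exercise."""
    validate(results)
    counts = Counter(results.values())
    return {s: counts[s] / len(results) for s in STATES}

def regressions(previous, current):
    """Techniques that were exercised both times and got LESS visible."""
    return sorted(t for t in current
                  if t in previous and RANK[current[t]] > RANK[previous[t]])

def trend(exercises):
    """(exercise, detected fraction, regressions vs. prior exercise), in order."""
    rows, prev = [], None
    for name in sorted(exercises):
        cur = exercises[name]
        rows.append((name, round(coverage(cur)["detected"], 2),
                     regressions(prev, cur) if prev else []))
        prev = cur
    return rows

if __name__ == "__main__":
    for name, det, regs in trend(EXERCISES):
        print(f"{name}: detected {det:.0%}, regressions: {regs or 'none'}")
```

A flat detected-fraction can hide churn: in the sample, Q3 keeps the same 50% as Q2 while one technique silently dropped from detected to logged-not-alerted, which is exactly what the regression column is there to surface.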
⚖️ Authorization & Ethics reminder: Purple-teaming and adversary-emulation resources describe offensive techniques run against your own systems. Apply them only to environments you own or are explicitly, in writing, authorized to test — and remember the §37.6 note that the team holding standing access to everything must itself be held to the highest ethical and oversight standard (Chapter 39).