Quiz: Building and Leading the Security Function

A 26-question self-check covering the chapter's organizational, operational, and leadership concepts. Several questions are tagged with the certification domain they map to — [Sec+] for CompTIA Security+ and [CISSP] for the (ISC)² CISSP — so certification candidates can self-assess. Answers and one-line explanations are at the end; try the whole quiz before checking.


Section 1 — Multiple choice (1 pt each)

1. [Sec+] The team responsible for continuous monitoring, detection, triage, and initial response to threats across an organization is the: A. red team B. Security Operations Center (SOC) C. GRC function D. change advisory board

2. Approximately how many full-time analysts are needed to keep a single SOC seat staffed 24/7, once you account for leave, sickness, and training? A. 1–2 B. 3 C. 5–7 D. 12–15

3. [CISSP] The near-universal structural fix that gives a CISO independence from the delivery-vs-security conflict of reporting to a CIO is: A. a larger budget B. a dotted line to the board's Audit/Risk Committee C. a vendor contract D. moving the SOC offshore

4. In the three-tier SOC model, the tier that proactively hunts for undetected threats and builds new detections so future occurrences are caught automatically is: A. Tier 1 B. Tier 2 C. Tier 3 D. the help desk

5. [Sec+] A service provider that brings its own detection technology and analysts and takes response actions on your behalf (not just alerting) is best described as: A. an MSSP B. an MDR provider C. a SIEM vendor D. a penetration tester

6. The classic complaint about a traditional MSSP is "alert shipping," which means: A. it deletes alerts B. it forwards alerts for you to investigate and act on, so you outsourced the watching but not the working C. it ships physical appliances D. it only works business hours

7. [CISSP] A documented, step-by-step procedure an analyst follows for a specific task (e.g., "investigate an impossible-travel login") is a: A. playbook B. policy C. runbook D. standard

8. The chapter calls the runbook "the unit of automation" because: A. runbooks cannot be automated B. a runbook is a procedure already written down step-by-step, which is the prerequisite for automating it with SOAR C. automation replaces all runbooks D. runbooks are written in Python

9. [Sec+] A collaborative exercise in which an offensive team emulates ATT&CK techniques while the defensive team detects in real time and immediately closes each exposed gap is called: A. a red-team engagement B. a tabletop C. purple teaming D. a bug bounty

10. In a purple-team exercise, a technique that is "logged but not alerted" indicates that the fix needed is: A. add a new log source / sensor B. write or tune a detection rule on data you already have C. fire the analyst D. nothing — it was caught

11. [CISSP] During a serious incident, the team most needs its leader to act as the: A. best individual technician B. incident commander providing calm and judgment C. note-taker D. media spokesperson

12. The hardest transition in security leadership described in the chapter is from: A. analyst to consultant B. doing the work (best individual contributor) to building the system and people that do the work C. blue team to red team D. on-prem to cloud

13. [Sec+] Which model multiplies a small central security team's reach by embedding non-security employees in business units with a dotted line back to the CISO? A. fully centralized B. fully distributed C. hybrid with security champions D. fully outsourced


Section 2 — True / False with justification (1 pt each)

For each, mark T or F and give a one-sentence reason.

14. "Analyst burnout can be fully resolved by the same detection-tuning that fixes alert fatigue."

15. [Sec+] "A two-person on-call rotation is a sustainable long-term arrangement for a SOC."

16. "In a talent shortage, retaining a trained analyst is generally cheaper than replacing one."

17. "Purple teaming ends with a report of what the blue team missed, but does not change the detections during the exercise."

18. "Where the CISO reports in the org chart has no meaningful effect on program maturity."

19. [CISSP] "An in-house SOC built around two irreplaceable senior analysts is an example of a single point of failure that defense in depth exists to avoid."


Section 3 — Fill in the blank (1 pt each)

20. A complete security program covers five functions: security operations, incident response/hunting, security engineering/architecture, __, and security leadership.

21. [Sec+] The structural shortfall between the cybersecurity professionals organizations need and those available in the labor market is called the security __ gap.

22. The acronym SOAR stands for Security Orchestration, __, and Response.

23. The strategic choice of whether to staff a SOC internally, outsource it, or combine the two is called __ vs __.


Section 4 — Short answer (2 pts each)

24. [CISSP] Explain why "org design is a security control," referencing the CISO's reporting line and the concept of a control owner from governance (Chapter 26).

25. A mid-size company cannot afford to staff 24/7 monitoring in-house but has a highly specialized, regulated environment where deep context is essential. Recommend a sourcing model and justify it, naming what you would keep in-house and what you would buy.

26. [Sec+] Distinguish alert fatigue from analyst burnout, name the layer at which each is fixed, and explain why a leader must work both.


Answer Key

1. **B** — the SOC.

2. **C** — 168 hours/week ÷ ~40 per analyst ≈ 4.2, plus slack for leave/training → 5–7.

3. **B** — the dotted line to the board gives independence to raise suppressed risks.

4. **C** — Tier 3 hunts and builds detections to push work back down to Tier 1.

5. **B** — MDR brings its own tech/analysts and *responds*, not just alerts.

6. **B** — "alert shipping": you outsourced the watching but kept the working.

7. **C** — a runbook is the task-level procedure (a playbook is the incident-class strategy).

8. **B** — a documented procedure is the prerequisite for automating it.

9. **C** — purple teaming (collaborative red+blue, gaps closed in real time).

10. **B** — the data exists but no rule fired, so it is a detection-engineering fix (vs. "not visible at all" = add telemetry).

11. **B** — the incident commander provides calm and judgment, not the best keystrokes.

12. **B** — from doing the work to building the system/people.

13. **C** — hybrid + security champions.

14. **F** — tuning fixes alert fatigue (a cause of burnout) but not burnout's organizational drivers (staffing, monotony, on-call, growth, leadership).

15. **F** — two people are each on-call half the time with no slack; it is a "burnout machine" (healthy rotation ≈ 4–6+).

16. **T** — replacement costs lost institutional knowledge, undocumented runbooks, and a coverage gap, all exceeding a recruiter's fee.

17. **F** — the defining feature of purple teaming is closing (and re-testing) gaps *during* the exercise, so it ends with improved detections, not just a report.

18. **F** — the depth/independence of the security leader strongly predicts maturity.

19. **T** — concentrating capability in two people who both quit creates exactly the single-point-of-failure that defense in depth avoids.

20. governance, risk, and compliance (GRC).

21. staffing (workforce).

22. Automation.

23. build; buy.

24. The org chart decides who has authority to make and enforce security decisions, whose budget funds them, and whether the person accountable for risk (the control owner / CISO) can be heard; a CISO buried under the CIO with no board access loses budget fights and cannot surface bad news, so the *structure* itself raises or lowers risk — making it a control, and tying directly to governance's assignment of accountable control owners.

25. Recommend a **hybrid / co-managed** model: buy 24/7 coverage (MDR or co-managed MSSP) for the hard-to-staff hours and high-volume Tier 1, while keeping in-house the work that needs deep environmental context and organizational authority — incident command, threat hunting tailored to the business, detection engineering, and regulator/legal relationships. Full outsourcing would lose the specialized context the regulated environment requires; full in-house cannot staff the clock.

26. *Alert fatigue* (Ch.21) is too many low-quality alerts dulling responses, fixed by *detection engineering* at the SIEM layer (higher-fidelity, enriched rules). *Analyst burnout* (this chapter) is chronic exhaustion/cynicism from volume, monotony, and stress, fixed *organizationally* (deeper staffing, automation, career ladder, meaningful-work rotation, sane on-call, attentive leadership). They are causally linked (unmanaged fatigue causes burnout), so tuning rules alone leaves the staffing/growth/on-call drivers unaddressed and hiring alone leaves the noisy alerts — a leader must work both layers.

**Topics to review by question:** missed 1–6, 24–25 → §37.1–37.2; 7–8, 23 → §37.2, §37.4; 9–10, 17 → §37.5; 11–12, 31-type → §37.6; 13 → §37.1; 14, 19–20, 26 → §37.4 + §37.2; 15 → §37.4; 16, 21 → §37.3; 22 → §37.2; 18 → §37.1.