Recently The Wall Street Journal published an article titled “Cyber Chiefs Watch Their People for Burnout as Pandemic Rolls On, which posited that IT security teams are burning out even more quickly than before the COVID-19 pandemic. With IT security teams supporting a vastly new remote workforce—and an even wider attack surface—that increases sophisticated cyberattack attempts by adversaries, the scales have tipped even more but not in the security operations center (SOC) teams’ favor.
They are managing dozens of, if not far more, security solutions, and manually sorting through hundreds or even thousands of security alerts in order to close the gap between detection and response, fueling the growing epidemic of analyst burnout and putting enterprises at risk. Traditional security information and event management (SIEM) solutions used by many organizations and security teams are inadequate and failing to meet the growing needs of security analysts and the SOC, especially now.
Despite gains in budget and a strategic priority for SOCs, burnout, overload and chaos persist in many organizations. Major reforms in security operations are critical now more than ever. In June 2020, the Ponemon Institute revealed its second annual SOC Performance Report that surveyed nearly 600 IT and IT security practitioners in organizations that have a SOC and are knowledgeable about their organizations’ cybersecurity practices. The survey, conducted from March 11 to April 5, 2020, found that nearly 80% of the respondents said working in a SOC is very painful.
Additionally, 60% say the stress of working in the SOC has caused them to consider changing careers or leaving their jobs. Even worse, 69% of respondents say it is very likely or likely that experienced security analysts would quit the SOC.
Further reading
Here are six best practices to consider if you believe your SOC team is burning itself out. This is industry information provided by Julian Waits, GM of Devo’s cybersecurity unit.
Data Point No. 1: Advocate on behalf of your team.
The CISO is the bridge between the SOC and the C-suite. While most CEOs and boards are becoming increasingly security conscious, it’s up to the CISO to effectively communicate why a SOC filled with burned-out analysts will compromise security and, in the long run, hurt the company’s bottom line. Equipping your SOC with technology that automates and streamlines the repetitive aspects of analysts’ workflow will benefit the entire organization.
Data Point No. 2: Broaden your analysts’ soft skills.
A shortage of talent and the challenge to retain skilled analysts comprise both sides of the platinum broken record of the security industry. Keep analysts engaged with practices such as job rotation and encourage them to learn more about the organization’s business will help them understand exactly what they’re working hard to protect.
Data Point No. 3: Fuel professional growth.
Helping your SOC analysts develop their technical as well as their business skills creates a culture of professional growth and advancement, not job hopping. Improve their presentation and communication skills by creating opportunities to present their work to non-technical colleagues and company leaders. This will enhance analysts’ skills and provide valuable exposure to important decision makers.
Data Point No. 4: Reevaluate your hiring practices.
Given the well-established shortage of talent, the idea of who we’re hiring to work in the SOC must change. If we insist on only hiring people with a certain degree from particular universities who have specific years of experience in exact roles with certifications X, Y, and Z, we will never solve the talent problem. It’s time to start looking at the qualities of an individual that indicate skills such as the ability to move quickly, innovate, think critically, and solve problems, rather than a rigid checklist of outdated milestones. Additionally, one thing the COVID-19 pandemic has taught us is there’s no need for geographical bias when it comes to hiring the best talent. With remote working, you can widen your net across the country and hire the best person for the job.
Data Point No. 5: Understand the increasingly important role of automation.
In a successful SOC, automation helps analysts work fast and more efficiently, so they can focus on the threats that pose the greatest risks to your organization. Automating evidence collection will significantly reduce duplication of effort during investigations and decrease threat fatigue for analysts. Analysts are people, too, and no one enjoys repetitive, unfulfilling work that requires little thinking or creativity. When analysts spend too much of their workdays robotically gathering information from multiple systems, it diminishes their ability to effectively triage and investigate increasingly complex threats. Analysts spend the same amount of time on triage and investigation regardless of whether a threat is real or not, or highly impactful to your business or not. This goes back to the importance of Data Point No. 1, advocating for your organization to invest in the right technology for the SOC and the people who work in it.
Data Point No. 6: Avoid silos in and out of the security team.
The smartest CISOs are those who build coalitions with their IT counterparts and executive management. When the security team receives an alert about a potential issue affecting the organization, they need to communicate with and seek approval from the affected group before they can get to work. That’s why it takes a cross-departmental management structure to ensure there’s a process in place—from alert to remediation—to ensure the SOC team can work effectively with any other team in the organization.