Day in and day out, they’re on the front lines of the war against cybercrime. Their hours may be long, and the work is sometimes tedious, but security operations center (SOC) analysts stand as an organization’s most powerful defense against data breaches, ransomware, hacking, and a host of other malicious acts. Their knowledge, expertise, and diligence keep sensitive customer data, valuable intellectual property, and coveted financial information safe.
They’re also in short supply. According to government data, there are currently over 300,000 unfilled cybersecurity positions in the United States. Researchers predict that there will be as many as 3.5 million cybersecurity job openings worldwide by 2021.
In a field with virtually zero unemployment, and where demand for workers far outstrips supply, business leaders must think carefully about what their organizations can do to win and retain top talent. Nearly one-third of the analysts surveyed in our “Voice of the Analyst” study were actively seeking a different job, and the average analyst’s job tenure is a mere 12 to 18 months.
Employers aren’t just losing security talent to other companies. Many promising junior employees are leaving the field of cybersecurity entirely, out of frustration, stress, or boredom with the monotony of the tasks assigned to them. This is especially true of entry-level analysts, whose SOC duties consist largely of monitoring a stream of alerts and deciding which events warrant further investigation and escalation to incident responders. “Monitoring” means spending many hours in front of a console watching repetitive streams of log data, knowing that the vast majority of alerts are false positives, and knowing that missing the one “needle in the haystack” event linked to a real attack could cost them their career.
This is a problem, not just for CISOs or SOC managers, but for everyone with a vested interest in protecting digital assets, business processes, systems, and devices. Reducing attrition and recruiting the best and the brightest into the cybersecurity field will require collaboration across organizations and the industry as a whole. We all need to work together to make these jobs more attractive.
Monotony and Stress Lead to Burnout and High Turnover
As a former SOC manager, I have firsthand experience of the pressures and challenges the frontline analysts encounter on a daily basis. They spend enormous amounts of time chasing false positives or trying to figure out the relationships between different types of uncorrelated alert data.
At the end of the day, many SOC analysts leave work feeling like they haven’t accomplished much. Often the job can feel like a wild goose chase, and it’s extremely frustrating for analysts to think they’re not using their time and efforts wisely.
Many bright people enter this field because they’re passionate about technology, but even more common among them is a burning desire to do good, prevent crime, and defeat criminals. As one respondent in the “Voice of the Analyst” survey put it, “I like challenges and making a difference.” Another listed his motivations as “Fight[ing] evil; stop[ping] badness.” These attitudes are commonplace in the SOC.
The Right Security Operations Software Makes the SOC Analyst’s Job More Cognitively Challenging and Engaging
Among SOC analysis tasks, employees prefer those that require careful thought, investigation, and mental engagement. Although monitoring incoming alerts will probably always be among their responsibilities, SOC analysts experience greater job satisfaction—and have a more positive attitude towards professional development—when their duties are varied.
As Bart Bailey, Security Operations Manager at Windstream Communications explains:
“Analysts [shouldn’t] be asked to just stare at alerts all day.” He says, “They are more satisfied if they do eyes-on-glass monitoring part of the day, and work on other projects like tuning, acquiring new logs, and working with other teams with different perspectives [the rest of the time.]”
In other words, they’d rather act like detectives than mall cops.
With the Respond Analyst on their team, they are able to do exactly this. When security analysis software takes over the mundane aspects of the job, human SOC analysts are able to focus on its more interesting, complex, and “advanced” aspects, spending a greater percentage of their time on higher-value tasks that tend to be varied and exciting.
Security analysis software gives frontline analysts a fuller view of what’s going on across the whole IT environment. It enables them to see each alert, not as a discrete event—or a piece of data streaming across a console—but instead as part of the story that’s taking place. Ultimately, humans enjoy stories, puzzles, and riddles, and take pleasure in understanding and solving them.
Security Analysis Software Can Make Analysts More Effective
For any SOC analyst, detecting real intrusions is rewarding and validating. When employees are able to do so regularly and often, they’re more likely to feel that they’re making a real difference in their careers and for their organizations.
The sheer volume of alert data generated by sensors across any enterprise IT environment is simply too great for any human security analyst to monitor thoroughly and consistently. Nathan Light, Security Specialist at Windstream Communications, reports that before Windstream deployed the Respond Analyst, his SOC team was confronted with over 250,000 Intrusion Detection System (IDS) events per day. No matter how diligently they worked, or how well they tuned their platforms, they simply weren’t able to keep up with this alert volume. And the vast majority of these alerts were what Nathan calls “junk events”: false positives that further investigation would reveal to be meaningless.
This is why tools like the Respond Analyst have such strong potential to improve SOC analysts’ job performance.
Not only do analysts see fewer false positives when working with security analysis software, but the alerts that do reach them are likely to be “of better quality,” as Nathan puts it, giving teams “a greater true positive detection rate.”
Because security operations software can consider every one of those 250,000 daily IDS events, there are fewer gaps in coverage, and significant anomalies are far less likely to be missed.
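To make the triage idea concrete, here is a small added illustration of what “considering every event” looks like in code. It is not the Respond Analyst’s logic and not from Windstream; it is example code written for this page. The alert records are constructed (loosely modelled on the shape of Suricata EVE alert lines), the list of known-noise signatures is assumed, and the 30-minute correlation window and the escalation rule (a severity-1 alert, or two distinct signatures from one host inside the window) are assumed thresholds that a real team would tune. The point it shows is the one in the text: a machine can look at the whole stream, discard the junk while still counting it, and hand the analyst a handful of per-host “stories” instead of thousands of discrete lines.

```python
"""Toy IDS alert triage: collapse a raw alert stream into per-source "stories".

Added example for this page, not the Respond Analyst's own algorithm.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alert stream as JSON lines (loosely modelled on Suricata
# EVE alert records). These are NOT real captures. severity: 1 = highest.
SAMPLE_EVE_LINES = """
{"timestamp": "2020-01-01T10:00:00", "src_ip": "10.0.0.5", "dest_ip": "203.0.113.9", "signature": "SCAN inbound port sweep", "severity": 2}
{"timestamp": "2020-01-01T10:04:30", "src_ip": "10.0.0.5", "dest_ip": "203.0.113.9", "signature": "EXPLOIT web shell upload attempt", "severity": 1}
{"timestamp": "2020-01-01T10:06:10", "src_ip": "10.0.0.5", "dest_ip": "198.51.100.20", "signature": "POLICY outbound connection to rare port", "severity": 2}
{"timestamp": "2020-01-01T10:01:00", "src_ip": "10.0.0.7", "dest_ip": "198.51.100.5", "signature": "INFO software update check", "severity": 3}
{"timestamp": "2020-01-01T10:02:00", "src_ip": "10.0.0.7", "dest_ip": "198.51.100.5", "signature": "INFO software update check", "severity": 3}
{"timestamp": "2020-01-01T10:03:00", "src_ip": "10.0.0.8", "dest_ip": "198.51.100.5", "signature": "INFO software update check", "severity": 3}
{"timestamp": "2020-01-01T11:00:00", "src_ip": "10.0.0.9", "dest_ip": "203.0.113.40", "signature": "POLICY outbound connection to rare port", "severity": 2}
{"timestamp": "2020-01-01T13:30:00", "src_ip": "10.0.0.9", "dest_ip": "203.0.113.41", "signature": "SCAN inbound port sweep", "severity": 2}
""".strip()

# Signatures the team has tuned out as known-benign noise (assumed list).
KNOWN_NOISE = {"INFO software update check"}


def parse_alerts(text):
    """Parse JSON-lines alerts and attach a datetime for ordering."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["timestamp"])
        alerts.append(rec)
    return alerts


def triage(alerts, noise=KNOWN_NOISE, window=timedelta(minutes=30)):
    """Group non-noise alerts by source host into stories and rank them.

    Returns (stories, suppressed_count). A story is escalated when any of its
    alerts is severity 1, or when two or more *distinct* signatures fire from
    the same host within `window` (one alert alone is rarely a story).
    Suppressed noise is counted, not silently dropped, so the tuning stays visible.
    """
    suppressed = 0
    by_src = defaultdict(list)
    for a in alerts:
        if a["signature"] in noise:
            suppressed += 1
            continue
        by_src[a["src_ip"]].append(a)

    stories = []
    for src, evs in by_src.items():
        evs.sort(key=lambda a: a["ts"])
        chained = False
        # Sliding window: does any span of `window` hold >= 2 distinct signatures?
        for i, first in enumerate(evs):
            sigs = {first["signature"]}
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                sigs.add(later["signature"])
            if len(sigs) >= 2:
                chained = True
                break
        critical = any(a["severity"] == 1 for a in evs)
        reasons = []
        if critical:
            reasons.append("severity-1 alert")
        if chained:
            reasons.append("multiple signatures within window")
        stories.append({
            "src_ip": src,
            "alerts": len(evs),
            "signatures": sorted({a["signature"] for a in evs}),
            "escalate": critical or chained,
            "reasons": reasons,
        })
    # Escalated stories first, then the busiest hosts, then a stable tiebreak.
    stories.sort(key=lambda s: (not s["escalate"], -s["alerts"], s["src_ip"]))
    return stories, suppressed


if __name__ == "__main__":
    found, dropped = triage(parse_alerts(SAMPLE_EVE_LINES))
    print(f"suppressed {dropped} known-noise alerts")
    for s in found:
        flag = "ESCALATE" if s["escalate"] else "hold"
        print(f"{flag:8} {s['src_ip']:10} {s['alerts']} alerts: {s['signatures']} {s['reasons']}")
```

On the constructed sample this suppresses the three update-check alerts, escalates 10.0.0.5 (a scan, then a severity-1 exploit attempt, then an unusual outbound connection inside six minutes) and holds 10.0.0.9, whose two alerts are two and a half hours apart and so do not chain under the assumed window. The analyst reads one escalated story rather than eight raw lines, which is the shift from console-watching to investigation the surrounding text describes.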
Adding the Respond Analyst to Your Team Gives Human Members More Time for Professional Growth and Development
When SOC analysts begin their careers, it is typically at a Tier 1 level, where they’re responsible primarily for reviewing and monitoring alert data. As they gain experience, they develop specialized skills—as threat hunters, forensic analysts, or malware experts, for instance.
Incorporating security analysis software into your SOC’s workflows can enable your analysts to develop their advanced analytical skills faster. Because they’re spending less time with the “low-level, boring alerts that no one wants to look at anyway,” they have more time to spend on the “projects that will make them better analysts.” They’re also likely to have additional time for the tasks that can have a measurable impact on risk reduction, and thus can save the entire organization—and its reputation—from the consequences of a successful attack.
As Nathan says:
Working with the Respond Analyst “breaks up the monotony, adds variety to what an analyst does, and gets them actively engaged in other aspects of security.”
When it comes to bringing in and retaining top talent, this is a win for the entire field of cybersecurity.
To learn how the Respond Analyst can become a valuable member of your SOC analysis team and can help improve job satisfaction among its human co-workers, contact us to schedule a demo today.
Gulia Narliyeva is a seasoned cybersecurity professional with experience managing large-scale enterprise SOC teams. Gulia decided to take the leap to join Respond Software as a Technical Account Manager and now works with customers to deploy robotic decision automation software. Her hands-on experience building and managing security operations teams gives her a unique perspective on the best models to use for building a solid incident response team.