Threat Intelligence
11/20/2017 10:30 AM
Oliver Rochford
Commentary

3 Ways to Retain Security Operations Staff

Finding skilled security analysts is hard enough. Once you do, you'll need to fight to keep them working for you. These tips can help.

The shortfall in security professionals, and most notably security operations center (SOC) analysts, has been well documented. However, hiring skilled security analysts is only part of the problem. Even if an organization is able to recruit security analysts, retaining them in the long term is an even greater challenge. The foundational market forces of supply and demand enable these professionals to easily jump ship, often achieving a higher salary and title in the process.

During my time at Gartner, informal feedback I received from managed security service providers (MSSPs) indicated that the average retention period for a junior SOC analyst was between 12 and 18 months. It's important to bear in mind that MSSPs are generally able to offer a better career advancement path for SOC employees than most enterprises can.

Nevertheless, using the right techniques, retention can be improved. Here are the top three ways to attract and retain SOC analysts.

1. Convert Roles to Duties, and Then Rotate Them
The primary roles in a SOC, with some variation, are shown in Figure 1.

Figure 1. Primary SOC Roles and Duties

| Role   | Duties                                                                                          |
|--------|-------------------------------------------------------------------------------------------------|
| Tier 1 | Alert queue monitoring, incident qualification, triage and escalation                           |
| Tier 2 | Incident investigation, remediation advice                                                      |
| Tier 3 | Detection and use case optimization, hunting and investigation, threat intelligence analysis   |

The greatest mistake organizations make is defining these as fixed roles (jobs). Tier 1 work is repetitive, monotonous, and intellectually unchallenging. In addition, anyone who has ever stared at an alert console for months on end can attest that it also conditions analysts to pay less attention, which has a negative impact on both effectiveness and efficiency.

Meanwhile, staff retention in Tier 2 and Tier 3 roles is higher, which results in fewer new openings and promotion opportunities for junior analysts. Once junior analysts have successfully worked in a SOC for 12 months or more, they can easily find more senior roles with another organization.

Each one of the Tier 1 through 3 roles can easily be rotated, with analysts working in each position for one-week intervals. This approach distributes both the interesting and tedious work across the team, which improves alertness and provides everyone the opportunity to perform some intellectually challenging and interesting work.

In addition to increasing retention, this rotation provides every analyst the opportunity to become familiar with the various roles required to operate a SOC. This cross-functional training helps mitigate skills gaps and maintain operational continuity if someone leaves the organization or is on paid time off.

2. Offer Phased Training and Certifications
Providing training and certifications is another great retention mechanism, if it is offered based on employment tenure. For example, a new analyst may be offered a certification course such as the GIAC Certified Intrusion Analyst after 6 months of active employment, the GIAC Forensic Analyst after 12 months, and the GIAC Certified Forensic Examiner after 24 months.

I've used GIAC here as an example, but SANS and other companies also offer similar courses. Correctly applied, such a system can help increase analyst retention from the typical 12 to 18 months to as long as 5 years. Alternatively, analysts across a team can be given different certification courses in each phase. This ensures that the team has a broad and comprehensive skill set, and the analysts who have attended a given course can train the remainder of the team to transfer the knowledge.

Figure 2. Example Training Plans

| Employment Time | Analyst 1                          | Analyst 2                          | Analyst 3                          | Analyst 4                          |
|-----------------|------------------------------------|------------------------------------|------------------------------------|------------------------------------|
| 6 months        | GIAC Certified Intrusion Analyst   | GIAC Certified Intrusion Analyst   | GIAC Certified Intrusion Analyst   | GIAC Certified Intrusion Analyst   |
| 12 months       | GIAC Certified Forensic Examiner   | GIAC Reverse Engineering Malware   | GIAC Network Forensic Analyst      | GIAC Cyber Threat Intelligence     |
| 24 months       | GIAC Reverse Engineering Malware   | GIAC Network Forensic Analyst      | GIAC Cyber Threat Intelligence     | GIAC Certified Forensic Examiner   |
| 36 months       | GIAC Network Forensic Analyst      | GIAC Cyber Threat Intelligence     | GIAC Certified Forensic Examiner   | GIAC Reverse Engineering Malware   |
| 48 months       | GIAC Cyber Threat Intelligence     | GIAC Certified Forensic Examiner   | GIAC Reverse Engineering Malware   | GIAC Network Forensic Analyst      |

3. Offer Step-up Retention Bonuses

Offering increasing retention bonuses for each year of employment rewards analysts for their loyalty and gives them an incentive to stay with the organization. The salary increase from an entry-level to a midcareer analyst is between 20% and 30%, so a good bonus strategy will ensure that a similar increase is achieved over a 3- to 5-year period.

In combination, these three strategies can significantly improve and increase SOC analyst retention, reduce the cost of recruiting and training new analysts, and minimize the negative impact of employee turnover on operations.

Oliver Rochford is the Vice President of Security Evangelism at DFLabs. He previously worked as research director for Gartner, and is a recognized expert on threat and vulnerability management, cybersecurity monitoring and operations management. Oliver has also been a ...

Comments
Syberguy,
User Rank: Apprentice
12/7/2017 | 5:23:46 AM
Re: Timely, and yet...
I agree, but this issue has been around in other industries for some time now, whereby employers (organizations) are more focused on the bottom line and short-term gains, as well as pleasing the stakeholders and board members, than on actually engaging with their internal staff. This, in addition to pay, vacation, life balance, hours of work, environment and politics, adds fuel to discontentment throughout the departments.

As an industry collaborator in various fields of IT and Healthcare, I see this trend continuing, especially with the added contradiction of contract work rather than employment.
Joe Stanganelli,
User Rank: Ninja
11/27/2017 | 4:16:07 PM
Re: Excellent article - applies to a number of different jobs
@REISEN: Also, it helps people learn the business -- and, assuming other things go well in the employer-employee relationship -- gets the employee more invested in the success of the company. I've seen that phenomenon work wonders, myself.
Joe Stanganelli,
User Rank: Ninja
11/27/2017 | 4:10:13 PM
Timely, and yet...
This is a great flip on a common theme in this sector: the dreaded "talent shortage" in cybersecurity.

Alas, it is hard for information-security professionals to feel any sense of attachment or loyalty to their employers if employers don't demonstrate loyalty or attachment in turn. When companies turn to cheap offshore or H1-B/L1 Visa labor and/or outsource to low-bidding vendors for strategic functions that should really be internal, one would be foolish to expect anything other than their cybersecurity personnel to be frequently updating their resume and shopping it around.
Dr.T,
User Rank: Ninja
11/27/2017 | 1:28:39 PM
Re: Excellent article - applies to a number of different jobs
"more knowledge to learn - more stuff to do!  Paying off in many ways. "
This makes sense, when people build knowledge they feel more secure since they can find positions somewhere else easily.
Dr.T,
User Rank: Ninja
11/27/2017 | 1:26:59 PM
Re: Excellent article - applies to a number of different jobs
"I recently left a nice paying job with no future and no learning"

We experience this a lot. It is not only money anymore, people are looking for satisfaction from their jobs.
Dr.T,
User Rank: Ninja
11/27/2017 | 1:25:27 PM
Re: Excellent article - applies to a number of different jobs
" It is LEARNING new items"

Agree. Learning new things keeps people busy and engaged.
Dr.T,
User Rank: Ninja
11/27/2017 | 1:23:56 PM
Re: Excellent article - applies to a number of different jobs
" it fits for any number of corporate position and not just in IT alone"

I agree with this. It is hard to keep the retention rate high in IT, but also in other departments in the organization today.
Dr.T,
User Rank: Ninja
11/27/2017 | 1:22:40 PM
3 simple steps
These 3 simple steps are quite well thought out. Simple and effective, I would say.
DonHarper,
User Rank: Apprentice
11/23/2017 | 4:44:09 PM
Re: Excellent article - applies to a number of different jobs
Great move you did there. Respect it.
REISEN1955,
User Rank: Ninja
11/21/2017 | 8:40:47 AM
Excellent article - applies to a number of different jobs
If one takes the security aspect out of this essay, it fits for any number of corporate positions and not just in IT alone. You have to rotate staff in a department to cross-train and have people available not only for emergency fill-in when needed but for intellectual stimulation. It is LEARNING new items that makes IT people and, as a subset, Security staff feel they have a good chair at the table. Otherwise, they find another table in another restaurant. I recently left a nice paying job with no future and no learning to move to a forensics department with far better salary BUT ALSO more knowledge to learn - more stuff to do! Paying off in many ways.