Dark Reading is part of the Informa Tech Division of Informa PLC

7/10/2019
10:00 AM
Edy Almer
Commentary

4 Reasons Why SOC Superstars Quit

Security analysts know they are a hot commodity in the enviable position of writing their own ticket. Here's how to keep them engaged, challenged, and happy.

Finding and hiring talented cybersecurity analysts is difficult enough. Keeping them on board after they're trained and acclimated to your organization's IT infrastructure and operations is an even bigger challenge. If high-performing security operations center (SOC) staff are unhappy or unfulfilled, they'll move on, and they have plenty of options.

According to ESG and ISSA's "The Life and Times of Cybersecurity Professionals 2018" (registration required), 44% of survey respondents were solicited by recruiters at least once a week and 76% were solicited at least once a month. My job keeps me in front of SOC staff, their managers, and (usually) up the org chart to the CISO. So, when someone leaves, I hear multiple perspectives on why so many analysts job-hop. Here's what drives them out the door:

1. No Room for Growth
The problem with managing smart, ambitious people is that they are smart and ambitious. The best cybersecurity analysts are highly intelligent and fast learners, and they love a good challenge. Unfortunately, the day-to-day operations of your SOC can get monotonous. Over time, this can leave your best people unsatisfied. Managers who balance the mundane aspects of the job with more strategic projects are much more likely to keep SOC staff engaged. You should also look for ways to reward and advance your highest-performing team members.

2. Burnout and Alert Fatigue
Your best analysts can fly through a mile-high stack of alerts at breakneck speed and never miss a thing. And how do you reward them? With more work. On the one hand, it's perfectly fair. You hired them for their expertise, efficiency, and ability to perform under pressure. But you also need to be aware of burnout and alert fatigue. Too many alerts create a particularly pernicious type of stress that occurs when a person has no control over the pace of incoming work — work that literally never ends. If an analyst feels she or he is stuck on a hamster wheel, they are unlikely to stay.

3. Lack of Executive Support and Engagement
It is difficult for analysts to remain motivated when they feel like the powers that be don't have their back. That support can take many forms, but one very clear indicator that security isn't a business imperative is if the organization fails to provide critical tools analysts need to do their daily work. Modern networks are way too complex for analysts to do their jobs without sophisticated tools. Don't set them up for failure. Make sure cybersecurity is valued and part of your corporate culture — a culture that will motivate your best team members to stick around.

4. Money
Yes, money matters. Financial compensation plays a big role when analysts look for new opportunities. With zero percent unemployment and a growing skills shortage, upward pressure on salaries will continue for the foreseeable future; there's no way around this one. Keep up to date on salary and compensation trends and make sure you are competitive.

5. Not Enough Professional Development/Skills Training
Roughly 96% of the 267 cybersecurity professionals responding to the survey believe that organizations face a significant disadvantage against cyber adversaries if they don't keep up with their skills, and 66% say that keeping up with their skills is difficult to do because of the demands of a cybersecurity career. This conundrum is pervasive, but don't let training get pushed aside due to the grueling pressure and demands of a SOC. Budget and schedule training sessions as "non-negotiable" and get creative and fun about new ways to challenge team members and develop their skills. Ask any analyst. They will tell you that training keeps them engaged, challenged, and happy.

Next time the industry is aflutter about the latest attack strategy, give your team members a chance to jump in and learn to defend against it. Put their response skills to the test in as realistic a setting as possible. It will get their blood pumping and give them the pride and confidence of knowing that they are ready to face dangerous and capable attackers. Capture the Flag is a Black Hat tradition for a reason — competitions are essentially team trainings that bring people together and provide participants with a forum to practice and show off their skills.

Analysts know they are a hot commodity, in the enviable position of writing their own ticket. If you want yours happy at home in your SOC, keep them at the forefront of emerging trends and methodologies and make sure their contributions to the business are acknowledged.

Edy Almer leads Cyberbit's product strategy. Prior to joining Cyberbit, Almer served as vice president of product for Algosec. During this period the company's sales grew by over four times in five years. Before Algosec, Almer served as vice president of marketing and ...
Comments
tdsan
User Rank: Ninja
7/19/2019 | 8:03:31 PM
Re: passion doesn't pay the bills
Interesting, I would tend to agree, the training and knowledge that we have amassed over the years, there needs to be a value put on this (monetarily). Individuals don't say anything when doctors charge such high fees for procedures and medical treatments. I am not sure why we are looked at any differently.

Todd
TK_M
User Rank: Apprentice
7/19/2019 | 7:43:12 AM
passion doesn't pay the bills
"Yes, money matters"

In infosec, people are usually branded as "after money" and that "money doesn't matter as long as you are passionate". I'm glad to see some people don't shy away from the money issue.
REISEN1955
User Rank: Ninja
7/12/2019 | 1:58:10 PM
Some common thoughts
It is the same job every day regarding common points of problems such as users opening phishing emails - will they EVER learn???? Some days battling an uphill boulder that never comes to rest. It is a mentally stressful job with so much riding on keeping the walls up and threats down. And new threats, new methods of attack make education a MUST in this field - threats from 2003 don't cut it. Lack of management support is real, the C-Suite believes that if it ain't broke, it don't need to be protected hence no budget numbers. No tools. No results = frustrating job. $$ are a problem - CISSP can earn six figure if in right spot and five figure does not do it. One good thing - outsource is rare, it is hard to outsource to WiPro and Infosys as happens with the data center and desktop staff.