Finding skilled security analysts is hard enough. Once you do, you'll need to fight to keep them working for you. These tips can help.

Oliver Rochford, Director of Applied Research, Securonix

November 20, 2017

5 Min Read

The shortfall in security professionals, and most notably security operations center (SOC) analysts, has been well documented. However, hiring skilled security analysts is only part of the problem. Even if an organization is able to recruit security analysts, retaining them in the long term is an even greater challenge. The foundational market forces of supply and demand enable these professionals to easily jump ship, often achieving a higher salary and title in the process.

During my time at Gartner, informal feedback I received from managed security service providers (MSSP) indicated that the average retention period for a junior SOC analyst was between 12 and 18 months. It's important to bear in mind that MSSPs are generally able to offer a better career advancement path for SOC employees than most enterprises.

Nevertheless, using the right techniques, retention can be improved. Here are the top three ways to attract and retain SOC analysts.

1. Convert Roles to Duties, and Then Rotate Them
The primary roles in a SOC, with some variation, are shown in Figure 1.

Figure 1.

Role

Duties

Tier 1

Alert queue monitoring, incident qualification, triage and escalation

Tier 2

Incident investigation, remediation advice

Tier 3

Detection and use case optimization, hunting and investigation, threat intelligence analysis

The greatest mistake organizations make is defining these as fixed roles (jobs). Tier 1 work is repetitive and monotonous, and intellectually unchallenging. In addition, anyone who has ever stared at an alert console for months on end can attest to the fact that it also conditions analysts to pay less attention, which has a negative impact on effectiveness and efficiency.

Meanwhile, staff retention in Tier 2 and Tier 3 roles is higher, which results in fewer new openings and promotion opportunities for junior analysts. Once junior analysts have successfully worked in a SOC for 12 months or more, they can easily find more senior roles with another organization.

Each one of the Tier 1 through 3 roles can easily be rotated, with analysts working in each position for one-week intervals. This approach distributes both the interesting and tedious work across the team, which improves alertness and provides everyone the opportunity to perform some intellectually challenging and interesting work.

In addition to increasing retention, this rotation provides every analyst the opportunity to become familiar with the various roles required to operate a SOC. This cross-functional training helps mitigate skills gaps and maintain operational continuity if someone leaves the organization or is on paid time off.

2. Offer Phased Training and Certifications
Providing training certifications is another great retention mechanism, if offered based on employment tenure. For example, a new analyst may be offered a certification course such as the GIAC Certified Intrusion Analyst after 6 months of active employment, the GIAC Forensic Analyst after 12 months, and the GIAC Certified Forensic Examiner after 24 months.

I've used GIAC here as an example, but SANS and other companies also offer similar courses. Correctly applied, such a system can help increase analyst retention rates from 12 to 18 months to up to 5 years. Alternatively, analysts across a team can be provided different certification courses in each phase. This will ensure that the team has a broad and comprehensive skill set, and the analysts that have attended a given course can train the remainder of the team to transfer knowledge.

Figure 2. Example Training Plans

 

Employment Time

Analyst 1

Analyst 2

Analyst 3

Analyst 4

6 months

GIAC Certified Intrusion Analyst

GIAC Certified Intrusion Analyst

GIAC Certified Intrusion Analyst

GIAC Certified Intrusion Analyst

12 Months

GIAC Certified Forensic Examiner

GIAC Reverse Engineering Malware

GIAC Network Forensic Analyst

GIAC Cyber Threat Intelligence

24 Months

GIAC Reverse Engineering Malware

GIAC Network Forensic Analyst

GIAC Cyber Threat Intelligence

GIAC Certified Forensic Examiner

36 Months

GIAC Network Forensic Analyst

GIAC Cyber Threat Intelligence

GIAC Certified Forensic Examiner

GIAC Reverse Engineering Malware

48 Months

GIAC Cyber Threat Intelligence

GIAC Certified Forensic Examiner

GIAC Reverse Engineering Malware

GIAC Network Forensic Analyst

3. Offer Step-up Retention Bonuses

Offering increasing retention bonuses for each year of employment rewards analysts for their loyalty and gives them an incentive to stay with the organization. The increase from an entry-level to a midcareer level analyst is between 20% to 30%, so a good bonus strategy will ensure that a similar increase is achieved over a 3- to 5-year period.

In combination, these three strategies can significantly improve and increase SOC analyst retention, reduce the cost of recruiting and training new analysts, and minimize the negative impact of employee turnover on operations.

Related Content:

About the Author(s)

Oliver Rochford

Director of Applied Research, Securonix

Oliver Rochford has worked in cybersecurity as a penetration tester, consultant, researcher, and industry analyst for over 20 years. Interviewed, cited, and quoted by media, think tanks, and academia, he has written for SecurityWeek, CSO Online, and Dark Reading. While working at Gartner, he co-named the Security Orchestration, Automation, and Response (SOAR) market, worked on the SIEM Magic Quadrant, and also covered the European MSSP Market. Prior to joining Securonix, Oliver worked for Qualys, Verizon, Gartner, and Tenable. Oliver is a Director of Applied Research at Securonix.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights