7/10/2019
10:00 AM
Edy Almer
Commentary

4 Reasons Why SOC Superstars Quit

Security analysts know they are a hot commodity in the enviable position of writing their own ticket. Here's how to keep them engaged, challenged, and happy.

Finding and hiring talented cybersecurity analysts is difficult enough. Keeping them on board after they're trained and acclimated to your organization's IT infrastructure and operations is an even bigger challenge. If high-performing security operations center (SOC) staff are unhappy or unfulfilled, they'll move on, and they have plenty of options.

According to ESG and ISSA's "The Life and Times of Cybersecurity Professionals 2018" (registration required), 44% of survey respondents were solicited by recruiters at least once a week and 76% were solicited at least once a month. My job keeps me in front of SOC staff, their managers, and (usually) up the org chart to the CISO. So, when someone leaves, I hear multiple perspectives on why so many analysts job-hop. Here's what drives them out the door:

1. No Room for Growth
The problem with managing smart, ambitious people is that they are smart and ambitious. The best cybersecurity analysts are highly intelligent and fast learners, and they love a good challenge. Unfortunately, the day-to-day operations of your SOC can get monotonous. Over time, this can leave your best people unsatisfied. Managers who balance the mundane aspects of the job with more strategic projects are much more likely to keep SOC staff engaged. You should also look for ways to reward and advance your highest-performing team members.

2. Burnout and Alert Fatigue
Your best analysts can fly through a mile-high stack of alerts at breakneck speed and never miss a thing. And how do you reward them? With more work. On the one hand, it's perfectly fair. You hired them for their expertise, efficiency, and ability to perform under pressure. But you also need to be aware of burnout and alert fatigue. Too many alerts create a particularly pernicious type of stress that occurs when a person has no control over the pace of incoming work — work that literally never ends. If an analyst feels she or he is stuck on a hamster wheel, they are unlikely to stay.

3. Lack of Executive Support and Engagement
It is difficult for analysts to remain motivated when they feel like the powers that be don't have their back. That support can take many forms, but one very clear indicator that security isn't a business imperative is if the organization fails to provide critical tools analysts need to do their daily work. Modern networks are way too complex for analysts to do their jobs without sophisticated tools. Don't set them up for failure. Make sure cybersecurity is a valued part of your corporate culture — a culture that will motivate your best team members to stick around.

4. Money
Yes, money matters. Financial compensation plays a big role when analysts look for new opportunities. With zero percent unemployment and a growing skills shortage, upward pressure on salaries will continue for the foreseeable future; there's no way around this one. Keep up to date on salary and compensation trends and make sure you are competitive.

5. Not Enough Professional Development/Skills Training
Roughly 96% of the 267 cybersecurity professionals responding to the survey believe that organizations face a significant disadvantage against cyber adversaries if they don't keep up with their skills, and 66% say that keeping up with their skills is difficult to do because of the demands of a cybersecurity career. This conundrum is pervasive, but don't let training get pushed aside due to the grueling pressure and demands of a SOC. Budget and schedule training sessions as "non-negotiable" and get creative and fun about new ways to challenge team members and develop their skills. Ask any analyst. They will tell you that training keeps them engaged, challenged, and happy.

Next time the industry is aflutter about the latest attack strategy, give your team members a chance to jump in and learn to defend against it. Put their response skills to the test in as realistic a setting as possible. It will get their blood pumping and give them the pride and confidence of knowing that they are ready to face dangerous and capable attackers. Capture the Flag is a Black Hat tradition for a reason — competitions are essentially team trainings that bring people together and provide participants with a forum to practice and show off their skills.

Analysts know they are a hot commodity, in the enviable position of writing their own ticket. If you want yours happy at home in your SOC, keep them at the forefront of emerging trends and methodologies and make sure their contributions to the business are acknowledged.

Edy Almer leads Cyberbit's product strategy. Prior to joining Cyberbit, Almer served as vice president of product for Algosec. During this period the company's sales grew by over four times in five years. Before Algosec, Almer served as vice president of marketing and ...

Comments
tdsan,
User Rank: Ninja
7/19/2019 | 8:03:31 PM
Re: passion doesn't pay the bills
Interesting, I would tend to agree, the training and knowledge that we have amassed over the years, there needs to be a value put on this (monetarily). Individuals don't say anything when doctors charge such high fees for procedures and medical treatments. I am not sure why we are looked at any differently.

Todd
TK_M,
User Rank: Apprentice
7/19/2019 | 7:43:12 AM
passion doesn't pay the bills
"Yes, money matters"

In infosec, people are usually branded as "after money" and that "money doesn't matter as long as you are passionate". I'm glad to see some people don't shy away from the money issue.
REISEN1955,
User Rank: Ninja
7/12/2019 | 1:58:10 PM
Some common thoughts
It is the same job every day regarding common points of problems such as users opening phishing emails - will they EVER learn???? Some days battling an uphill boulder that never comes to rest. It is a mentally stressful job with so much riding on keeping the walls up and threats down. And new threats, new methods of attack make education a MUST in this field - threats from 2003 don't cut it. Lack of management support is real, the C-Suite believes that if it ain't broke, it don't need to be protected hence no budget numbers. No tools. No results = frustrating job. $$ are a problem - CISSP can earn six figure if in right spot and five figure does not do it. One good thing - outsource is rare, it is hard to outsource to Wipro and Infosys as happens with the data center and desktop staff.