The cybersecurity skills shortage means that many organizations are in urgent need of talented and experienced security professionals. This has been intensified by the pandemic, with security teams stretched to breaking point trying to secure new remote working regimes against the influx of opportunistic cyberattacks.
There is a human cost to this high-pressure environment and new research from SIRP shows that the additional burdens placed on security operations center (SOC) teams due to COVID-19 has affected staff churn rates. In fact, a significant number of security analysts are considering leaving their current roles to work in less stressful environments.
To help retain and attract new recruits, organizations need to explore how to take the strain off overworked security analysts and the role that security orchestration and automation and a risk-based approach to security operations can play in alleviating workloads.
Looking for pastures new
Keeping staff turnover to a minimum is a key HR objective of any organization, but particularly when the company’s security is at stake. A high staff turnover means more costs and time spent on the recruitment process and onboarding, all of which eat into a SOC’s limited budget. Conversely, seasoned professionals who have been at an organization for some time know exactly how their SOC works and what sort of risks to look out for that are particular to their organization, which makes them more efficient at their jobs.
Yet our findings show that SOC analysts who are well embedded within their organization in a specific role are few. The average amount of time spent in the same post across all pay grades is just 30 months. While this might indicate that analysts are being promoted through the ranks, it is more likely that they have left their position, as around half are thinking of doing so within the next year. Whatever the reason there is still a pressing need to fill the roles they have vacated.
This situation is particularly acute at entry level roles, where half of junior analysts plan to leave just three months after starting and not one of them plans to stay in their current role for longer than 18 months. What’s more, across the board, nearly half of security analysts are considering leaving their role before the first year is out.
In order to attract and retain skilled staff, organizations are also having to spend more on wages and the average salaries for most security roles have steadily increased over the last few years.
Frustration and alert overload
Understanding the reasons behind this employee churn is an important first step and one of the main considerations is the number of alerts that analysts have to deal with. The average SOC receives between 800 and 1,000 alerts daily, with analysts having to pivot between an average of 12 different security solutions to deal with them. Such activity consumes around one fifth of an analyst’s working day and, inevitably, eats into the time that could be dedicated to highly engaging, higher-value activity.
This is clearly an area that is turning analysts off from their roles, with many feeling frustrated by having to deal with mundane tasks. COVID-19 has lent to this sense of frustration, as analysts are spending more time on unproductive tasks since the start of the pandemic. The impact of the economic downturn is also taking hold, with analysts reporting reduced staff levels and that the pressure of their role has increased as they cover for other team members, alongside dealing with the different security needs of remote workers. The result of this is that disaffected staff are leaving to find less stressful and more fulfilling roles elsewhere.
A risk-based approach to incident response
Organizations need to act quickly if they want to stop valued analysts leaving in droves. First, to take the pressure off their staff, businesses should explore how technology can take the strain off teams.
Automation and orchestration can alleviate the heavy lifting by removing the need for analysts to pivot between different tools. Many SOC teams rely on Security Orchestration, Automation and Response (SOAR) platforms to streamline security operations and provide security analysts with actionable information. Fusing the outputs from disparate security tools into one interface saves security analysts from constantly switching between dashboards when tracking down and mitigating potential security risks.
However, if these platforms fail to incorporate sufficient threat intelligence and vulnerabilities context tied to the organization’s risk, teams cannot prioritize response in the most effective way. It’s highly likely that an organization’s threat landscape will have changed significantly during the COVID-19 crisis, which means they need to re-prioritize their responses.
A risk-based approach takes these changes into account, categorizing threats based on the risks to the organization and helping security teams to respond to alerts and vulnerabilities that need to be addressed first. Crucially, this can also reduce the time spent on responding to an incident.
Even before this crisis, SOC teams were under huge pressures and facing mounting stress. The rapidly changing threat landscape of the last few months has simply added to these challenges and led to higher levels of job dissatisfaction.
Making it easier for teams to do their job effectively and equipping them with tools to identify the most important threats can help to ease some of the pressures of their job. This can pay multiple dividends not only reducing the burden on their workloads, but also improving the efficiency of the team, as a whole, giving them a clearer view of the severity of threats they must deal with.