First-time security analysts can’t wait to get the heck out of the Security Operation Centre (SOC). Half of the first-time (entry-level) security analysts hired directly into a SOC want to leave within three months. None see themselves lasting more than 18 months, and the average expected tenure is just 11 months.
However, the news is not quite as bad as those numbers suggest. As analysts gain experience, they are much more likely to hang in for longer. One year seems to be the point at which a sizeable share of middle managers (32%) and junior managers (44%) want to bail. What is not clear is whether longevity is extended as people get promoted. Given the pressure on the SOC and the shortage of trained staff, this is bad news for the industry.
Faiz Shuja, Co-Founder & CEO of SIRP Labs said: “High rates of staff churn continue to plague under-pressure SOCs. This research clearly shows that organisations neglect conditions in their SOCs at their peril. The double-whammy of a global cyberskills shortage coupled with the pandemic has created melting-pot conditions where good staff are hard to keep and even harder to come by.
“Morale could easily be improved with more automation along with fast access to the right information, helping to improve productivity and reduce the amount of missed or false-positive alerts.”
Where does this data come from?
The details come from a survey commissioned by SIRP Labs and carried out by Sapio Research. The online survey involved responses from 250 SOC analysts and was carried out in July 2020. As such, there is a possibility that the overload from COVID-19 is playing a part in some of those responses.
The largest set of responses comes from those working in companies with more than 5,000 employees (38%). Middle managers made up the largest group of respondents (61%).
Enterprise Times was given access to the underlying data to take a closer look at the reasons for people wanting to leave well-paid jobs.
Why are SOC analysts so despondent?
The easy answer is to say workload, and there is some evidence for this in the data. 9% work in a SOC where they see over 5,000 alerts per day. However, a closer look shows that 52% see fewer than 100 incidents per day. Of course, volume does not equal complexity: a single incident can take hours to investigate, while a noisy detection rule can generate hundreds of alerts that are closed in seconds. Even so, with a small team, 100 incidents per day is not excessive.
The amount of time spent per day handling alerts also varies. The majority (73%) of entry-level analysts spend less than 5% of their time managing alerts. Interestingly, across all job roles in the SOC, 47% claim they spend no more than 10% of each day managing incidents.
Is part of the problem too much time chasing false positives? Only 18% of entry-level analysts say they spend more than half their time doing this. That figure rises for more senior analysts, but that may be because they deal with more complex alerts.
Is it the pressure that is causing analysts to leave? At senior levels, 31% complained about a pressure cooker environment compared to 18% of entry-level analysts.
The biggest reason for wanting out seems to be mundane workloads. Across every job role, time spent on mundane tasks that could be automated is driving people nuts. It is compounded by the frustration of things outside the employee’s control and an inability to allocate time effectively. While these are understandable, they are no different from many other jobs that pay far less.
Has COVID-19 compounded these issues?
Unquestionably. In the early days of the global lockdown, SOC analysts were shifted to assist help-desks in enabling staff trying to work from home. The survey shows that middle managers (49%) and junior managers (44%) see a reduced workforce as the biggest impact of COVID-19. 42% of each group also see more time spent on non-productive jobs as the next biggest impact. The issue of non-productive jobs also tops the list of changes for entry-level analysts (45%).
An increase in security incidents caused by remote workers was not an issue called out in this survey. It wasn’t asked as a question, and responses from the “other” field were not part of the dataset that Enterprise Times was sent.
SOC analysts want career development
Recruitment consultant Stephen Semmelroth said: “Many certification brands promote the idea of SOC analyst as an entry into the world of cybersecurity. Candidates expect a high-tempo world in the SOC where they can cut their teeth technically and then move into a role that has a better work-life balance such as auditing or into the role they actually want like consulting, reverse engineering, tool development, or even business development once they formally become a cyber professional in the SOC.
“SOCs with higher levels of automation tend to retain practitioners longer who get to see higher rates of true positives and spend more time analysing actual malware instead of jumping between unrelated systems looking for other indicators of compromise that correlate into a single story.
“Early in the pandemic, many companies pushed infrastructure changes to allow employees to work from home. Those changes were availability-focused, and now companies realise they don’t have the visibility or security wrapped around their new attack surface. This relatively new attack surface has kept first line SOC employees scrambling with increased alerts and (usually) an inability to affect positive change for their clients since most SOCs operate as an alert function rather than in a response capacity. This means that SOC analysts are often in a position where they know a client is being hacked but lack the ability to stop the attack itself: they know it’s happening but can’t do anything about it!”
Is there any light at the end of the tunnel?
Possibly. More than 60% of all respondents said the average time they stay at one company was more than three years. This contrasts sharply with the other data showing SOC analysts looking for an exit. It also suggests that the point at which people consider leaving is not cast in stone. It could be that they are struggling to get themselves established or that they want a better position. Surprisingly, the survey did not seem to look in more detail at this discrepancy.
Automation, which would remove much of the mundane workload, is on the increase. Matthew Gyde, President and CEO of NTT Security Division, sees a lot of change, especially for entry-level analysts in the SOC. He argues that machine learning can take over much of the repetitive triage that entry-level analysts currently do. In this podcast, Gyde says: “The machine has primarily taken that role over and we can skill net new people into the organisation backwards far easier than we can forwards.”
Gyde went on to talk about retraining which should improve retention. He commented: “We’ve invested heavily in tools that people can use to load training systems into, educational programs and all that. We sit with individuals and work through learning paths. Maybe you’re a level one engineer in our SOC who wants to move to a level two. We can link those courses together, say, ‘Okay, over the next six months, do these courses. Make sure you turn up to work on time and do all the things because you’re more senior.’ That allows us a programmatic way to grow people within the organisation and give them opportunities.”
Enterprise Times: What does this mean?
Entry-level positions can always be frustrating. They often end up doing the scutwork, which is rarely interesting or exciting. The key is pushing through that to find something more interesting. The problem in the SOC, as highlighted by Semmelroth, is that many enter with new qualifications and a thirst for more knowledge. When they don’t get that, employers should not be surprised that they want to leave.
Of more concern is that this is not just about entry-level analysts. There is a high level of dissatisfaction among more experienced analysts at the lack of automation. Given the volume of alerts, SOCs have been ahead of most business areas in automating the daily grind. However, it seems there is still a long way to go, and that is something employers need to focus on.
Perhaps the biggest concern is that the increase in security incidents caused by remote workers was not reflected in this survey. Other reports say it has been a significant factor in increased workloads across the bulk of the security industry. Quite why it wasn’t called out here is surprising.
Cybersecurity has a problem with a lack of skilled and experienced analysts. If their experience in the SOC is bad, a number will inevitably leave the industry and go elsewhere. CISOs and senior SOC managers need to do a better job of making the SOC a place people want to stay.