N2K- The People Problem in SOC

According to the (ISC)2 Cybersecurity Workforce Study for 2020, the United States has a cyber workforce of approximately 879,000 people with an estimated workforce gap of 359,000. The study was conducted from April to June, while organizations were responding to COVID-19 with transitions to virtual work, layoffs, and hiring freezes. Despite that external pressure, the rocketing demand for cybersecurity personnel over the following year remained relatively undeterred (a slight decrease from 50% in 2019 to 48% in 2020).

In the SOC specifically, it can take upwards of eight months to source one new analyst, only to lose them two years later. This blog explores some of the reasons behind the people problem in SOC and what IT security leaders can do about it.

The Role of the Security Operations Center

The Security Operations Center (SOC) acts as an organization’s digital watchtower, defending enterprise networks and sensitive information from threat actors. Also identifiable as part of the “Blue Team” or defensive operations, the SOC team’s main objectives can be categorized in three areas:

  • Prevent – The primary goal of prevention is to ensure that the organization has the proper security controls and capabilities in place. These are some of the tasks conducted by SOC analysts in the Prevent phase: security control assessment, accreditation comparison, table-top exercises, and purple team exercises.
  • Detect – Detection consists of threat intel reporting, monitoring and analyzing reports, and intrusion detection to assess a company’s exposure to cyber threats. These are accomplished by writing or running scripts for tasks such as signature detection or traffic pattern analysis.
  • Respond – The response function of the SOC is responsible for threat hunting, cyber forensics, and incident response while minimizing the impact of a breach on business continuity. If a threat is detected, actions include shutting down or isolating breached endpoints, terminating compromised processes, or deleting vulnerable files.

Unfortunately, the security operations team carries all of the risk yet none of the reward. If the SOC is doing its job well, no one outside the department notices it, or they forget it exists. However, as soon as anything goes wrong, the team suddenly becomes the scapegoat for business executives. It can be a thankless job, but it remains critical to keeping the organization safe from outside threats.

So what’s the people problem?

On average, a new security analyst stays with an organization for no more than two years. If you take a look at the reasons behind this, you’ll see that it’s not a single problem but a compounding set of issues within the SOC.

Alert Overload = Burnout

Working in a SOC presents its own set of challenges for analysts. While the tasks required of IT security personnel are straightforward, or even considered monotonous, it is the overload of indicator-of-compromise (IOC) alerts and being on call 24/7/365 that is most taxing.

The mean time to resolution (MTTR) on a security incident can be backlogged for weeks or even months. 22% of respondents to a 2019 ESG survey say resolution is reached within hours or days. Yet 42% of respondents say the average time to resolve can be months or over one year.

To combat this, two-thirds of respondents have implemented security information and event management (SIEM), user and entity behavioral analytics (UEBA), or automation of the repetitive and time-consuming tasks typically associated with Tier I and II analyst functions. However, maximizing the return on these technologies requires the same level of investment in the people who operate them.

Investing in tech over people

Due to years of limited skilled personnel and a depleted talent pool, companies outsource to Managed Security Service Providers (MSSPs) in large numbers. 87.6% of organizations outsource at least one IT security function to an MSSP, with monitoring being the most commonly outsourced function.

While this method can save time and stress in the short term, outsourcing can become costly in the long run. On average, an in-house SOC team costs organizations $2.86 million annually. However, the cost increases to $4.44 million annually when outsourced to an MSSP.

There isn’t enough skilled talent

The lack of skilled talent is nothing new to the cybersecurity industry. 70% of IT security leaders claim it’s either difficult or extremely difficult to find and hire qualified SOC staff. On average, it takes 8 months to find and then 3.8 months to train one analyst.

Moreover, the rapid move toward cloud services has compounded the issue for employers in search of candidates with the relevant skills. 96% of organizations surveyed use cloud for their security operations, among 11 other tools or platforms simultaneously. That is a lot of technology!

Lack of formal training for SOC

One other factor contributing to burnout is the lack of formal training designed specifically for security operations. Once a new hire is brought on board, it is usually the higher-level Tier II or III analysts who lead the training.

As noted above, people are burning out at alarming rates due to alert fatigue and understaffing. Adding training to the duties of already-strapped upper-level analysts can result in everyone burning out even faster.

The glaring issue is that the cost-effectiveness of the SOC is diminished: those responsible for hiring and training say it takes them away from their dedicated responsibilities, adding to the backlog of IOCs and otherwise putting the organization at greater risk.

What Organizations Can Do

All this is to say that there is no single silver bullet for the issues within security operations. But looking at it strictly from a people perspective, there are ways to build the cybersecurity talent needed and reduce burnout.

One way to achieve this is by creating a thorough leadership strategy that defines the goals the organization needs for the SOC, so that it becomes a more relevant business unit with clear objectives. In addition, it means taking training off the backs of upper-level analysts who are already under immense pressure, and finding a trusted training partner to assist with the organization’s new-hire development strategy.

N2K’s Critical Knowledge: SOC Analyst course is a 100% online program designed to develop Tier I analysts on the technical facets of the SOC in half the time, at a fraction of the cost, while minimizing security risk.