For most enterprises and Chief Information Security Officers (CISOs), 2020 was a year like no other—and hopefully one of a kind. But even under the best of circumstances, uncertainty will spill over into 2021, affecting budgeting, planning, staffing, and investments for years to come. For many, the much-discussed “New Normal” will mean Work from Home becomes Stay at Home on a trial or indefinite basis. Home routers becoming “branch offices” means an exponentially larger and less secure attack surface, with more employees sharing connections with gamers and household applications. It may also mean Security Operations Center (SOC) activities themselves will be handled virtually, with troubleshooting and maintenance performed by analysts working remotely. Whoever stays “at large,” the job of securing the enterprise, and bridging that perennial cybersecurity skills gap, stands to get even harder throughout 2021.
Budget constraints figure to compound the issue. A recent SANS survey shows 40 percent of security managers are uncertain about their hiring plans, with the plans themselves on hold or emergency-only.
3 Ways to Keep the Skills You Have
The first obvious step in bridging the cybersecurity skills gap is to hang onto the talent you already have. Dark Reading cites the average retention period for a junior SOC analyst among Managed Security Service Providers (MSSPs) at between 12 and 18 months. Enterprises that can’t offer as clear an advancement path may fare even worse.
More often than not, retaining your best analysts – and the tribal knowledge they possess – costs less and is easier than allowing a high turnover or attrition rate to persist and having to constantly start over with new people who represent unknown quantities. Since it can take up to a year to fully onboard new analysts, going the extra mile to keep the best ones increases your odds of recouping investments in recruitment and training.
So how do you improve retention? We suggest adopting or investing more aggressively in three key areas to keep experts fulfilled and engaged: paying them well, alleviating the conditions that make working in the SOC a drag, and providing a path for analysts to upskill and increase their own worth.
While many SOC analysts are somewhat fulfilled, stress levels run high, and fatigue from performing repetitive tasks sets in quickly. Finding a new job is easy to do (and stands to get easier) and likely represents a bigger bump in pay than your standard annual increase.
If you plan to run your own SOC, a sizeable investment in talent should be considered “table stakes.” According to Salary.com, the average SOC Analyst salary in the United States is $88,505 as of September 2020, with the salary range typically falling between $75,129 and $106,410. If it takes a minimum of 25 analysts to staff the average 24/7 SOC, you’re looking at somewhere around $2.5 million per year in salaries alone to maintain a solid staff, not including investments in ongoing training to keep expertise current and employees engaged.
As an alternative, engaging an MSSP or SOC-as-a-Service provider can normalize investments. As an added benefit, it can also promote higher retention of your own skilled experts by making their lives easier.
Last but not least, with an Intelligent SOC approach, tribal knowledge gets captured and operationalized to offset the impact of analyst turnover.
Mitigate the Grind
A Ponemon Institute survey asked enterprise security professionals what makes working in the SOC so painful. The answers were plentiful and somewhat predictable:
While we won’t go so far as to say that offloading some of the drudgery would make working in the SOC a virtual Happy Hour, adopting Intelligent SOC-as-a-Service addresses many of these pain points head-on. The most tedious tasks – chasing alerts and weeding out false positives – get offloaded and increasingly become automated. So, too, do more specialized efforts like configuring and maintaining your SIEM to net the greatest value.
Netenrich’s Intelligent SOC combines both artificial intelligence (AI) and expert analysis – the best of machines and the best of humans. This powerful and dynamic combination makes it easier to identify, prioritize, and remediate critical alerts in a fraction of the time, with less and less manual intervention.
Netenrich goes beyond basic noise and false-positive reduction to operationalize and capture tribal knowledge. Intelligent SOC leverages advanced AIOps and combines real-time and historic problem, people, and process insights to correlate and contextualize security events.
Vulnerability assessments, pen tests, and Netenrich’s own Threat & Attack Surface Intelligence provide comprehensive internal and external risk perspective, with the platform learning with each transaction. The end result? Faster resolution, fewer criticals, outages, and alerts.
An Intelligent SOC built on Resolution Intelligence can begin streamlining complexity in new ways, including breaking down silos between NetOps, SecOps, and CloudOps to deliver complete and actionable context. This promotes smarter resolution, with the right people on the right teams engaging to solve problems at the right time.
Providing a clear path for L1 and L2 SOC analysts to evolve promotes higher satisfaction and retention. Dark Reading writes:
The greatest mistake organizations make is defining these as fixed roles (jobs). Tier 1 work is repetitive and monotonous, and intellectually unchallenging. In addition, anyone who has ever stared at an alert console for months on end can attest to the fact that it also conditions analysts to pay less attention, which has a negative impact on effectiveness and efficiency.
One way to enable rapid progression is to offload the mind-numbing, yet essential, grind of A Day in the Life of an L1 SOC Analyst. Intelligent SOC-as-a-Service takes over the job of sifting through endless alerts to find the dozen or fewer per day that warrant deep exploration. Rather than having junior professionals learn on the job for a year and then jump ship, offloading the basics lets you focus more expertise on more challenging and impactful activities, like incident response (IR), threat hunting, breach and attack simulation, red/blue/purple team exercises, and advanced analytics.
Members of your team become more skilled and more challenged. They remain engaged with less chronic frustration from long nights and alert fatigue. Security experts have more cycles and wherewithal to break through silos and collaborate with cloud and DevOps teams around digital transformation.
As a literal added bonus, Dark Reading also suggests investing in training certifications based on employment tenure and offering annual step-up bonuses that reward retention.
Supplementing skills as needed
Beyond helping to improve your security analysts’ job satisfaction, and hopefully retention rates, functional sourcing through SOC-as-a-Service also better aligns investments in cybersecurity skills with your business priorities through:
- Capabilities “a la carte”: The ability to try, buy, and scale capabilities without cultivating specialized in-house expertise makes you stronger. This means consuming outcomes and functions like vulnerability assessments, pen tests, and ongoing Threat & Attack Surface Intelligence as needed. Scalable, pay-as-you-grow investment lets you react faster as needs or events warrant (as we just witnessed in 2020).
- Tribal knowledge: Intelligent SOC-as-a-Service leverages the best of both machine and human intelligence. This means operationalizing tribal knowledge to speed response, instead of having it walk out the door.
- Predictability: Run costs for the SOC become more stable without operating budgets or hiring plans needing to be adjusted.
Mid-market enterprises in particular benefit from using external service providers—if they choose the right provider. The ultimate value of Intelligent SOC goes beyond traditional managed detection and response (MDR) by adding more operationalized intelligence, external risk perspective, skilled expertise, and lasting Ops transformation – what you need, when you need it.
*Three-month ASI trials will be provided to qualifying customers with one-year Intelligent SOC engagements.