All vendors and companies talk about the security staff shortage, because it's REAL. Though there is a large influx of tier-1 analysts who recently graduated, there are far more security jobs than these individuals can fill. Even worse, the same questions keep lingering: why is keeping security analysts so difficult, and what do analysts want from their position?
As a security practitioner for the last 20 years, I have had a never-ending stream of recruiters reaching out to tell me how they think I'm a great match for an awesome security analyst position at some fantastic company. Having been, and still being, on the front lines, I have some accumulated knowledge that can help CISOs and SOC managers recruit and, more importantly, keep security talent.
Taking the Lead
I've met hundreds of security managers across the country. We have all read HR articles on why employees leave, but leadership is a major factor. The successful teams are clearly differentiated by their approach. Security is still a manual process that needs to be enhanced with tech. Security analysts want to stop pulling their hair out and take a modern approach that allows them to do their jobs more efficiently. Thus, they get behind a leader who wants to find the right tools.
Step 1: Become a leader who understands the team's goals and hindrances, then decide on technology that will solve issues across the board.
In case you have not yet heard it enough, there are too many alerts! Place yourself in the shoes of your analyst. They are extremely overwhelmed. Their job is to meet your goal of lowering company risk. How exactly do they do this? Analysts review alerts and work with different divisions within the business to gain more visibility and understand those alerts. However, all this security data is a mess, scattered across different tools. Analysts may get frustrated with their own department because of this mess of data and because they have no real way of understanding it as a whole, which makes company risk hard to calculate.
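One concrete form that "enhanced with tech" can take is collapsing repeated alerts into a single incident before a human ever looks at them, and suppressing (rule, host) pairs the team has already confirmed as expected noise. The following is an added illustration written for this editing pass; it is not JASK's product or code from the original post. The alert records, the suppression list and the ten-minute grouping window are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample alerts (ISO timestamp, rule, host, severity).
# These are not real events; they only illustrate the repeat-alert pattern
# an analyst sees when the same detection fires over and over.
RAW_ALERTS = [
    ("2023-01-01T09:00:00", "Brute force login", "web01", "high"),
    ("2023-01-01T09:00:04", "Brute force login", "web01", "high"),
    ("2023-01-01T09:00:09", "Brute force login", "web01", "high"),
    ("2023-01-01T09:00:15", "Brute force login", "web01", "high"),
    ("2023-01-01T09:01:00", "Port scan", "scanner01", "low"),
    ("2023-01-01T09:01:01", "Port scan", "scanner01", "low"),
    ("2023-01-01T09:02:00", "Malware detected", "hr-laptop-7", "critical"),
    ("2023-01-01T11:30:00", "Brute force login", "web01", "high"),
]

# Constructed suppression list: (rule, host) pairs the team has confirmed are
# expected, e.g. the internal vulnerability scanner tripping port-scan rules.
SUPPRESS = {("Port scan", "scanner01")}


@dataclass
class Incident:
    rule: str
    host: str
    severity: str
    first_seen: datetime
    last_seen: datetime
    count: int = 1


def aggregate(alerts, suppress=SUPPRESS, window=timedelta(minutes=10)) -> List[Incident]:
    """Collapse repeated alerts on the same (rule, host) into one incident.

    A new incident is opened when the gap since the previous alert for that
    key exceeds `window`, so a fresh burst hours later is not buried in an
    old ticket. Suppressed keys are dropped entirely.
    """
    incidents: List[Incident] = []
    open_incidents: Dict[Tuple[str, str], Incident] = {}
    # ISO-8601 strings sort chronologically, so sorting the tuples is enough.
    for ts, rule, host, severity in sorted(alerts):
        key = (rule, host)
        if key in suppress:
            continue
        when = datetime.fromisoformat(ts)
        current = open_incidents.get(key)
        if current is not None and when - current.last_seen <= window:
            current.count += 1
            current.last_seen = when
            continue
        inc = Incident(rule, host, severity, when, when)
        open_incidents[key] = inc
        incidents.append(inc)
    # Highest severity first so the queue is worked in risk order.
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    incidents.sort(key=lambda i: (order.get(i.severity, 99), i.first_seen))
    return incidents


def noise_reduction(alerts, incidents) -> float:
    """Fraction of raw alerts that no longer need an individual look."""
    return 1 - len(incidents) / len(alerts)


if __name__ == "__main__":
    result = aggregate(RAW_ALERTS)
    for inc in result:
        print(f"{inc.severity:8} {inc.rule:18} {inc.host:12} x{inc.count} "
              f"{inc.first_seen:%H:%M:%S}-{inc.last_seen:%H:%M:%S}")
    print(f"noise reduction: {noise_reduction(RAW_ALERTS, result):.0%}")
```

On the constructed input, eight raw alerts become three incidents: the malware hit, a four-alert brute-force burst, and a separate brute-force incident two and a half hours later. The caveat a SOC manager should hear is that the suppression list is a decision the team owns; every entry should be reviewed periodically, because a scanner host that is later compromised will generate exactly the traffic the list hides.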
The Analyst Workflows
Having a limited number of professionals handling a huge number of alerts leads to some odd workflows.
Step 2: Work with your team to understand what the current workflows are and how they might be improved.
Some years ago, I worked with a SOC manager who had an idea to turn the alert workflow on its head. He arranged the workflow so that the tier-1 analyst was in more of an investigator role. The supervisors were the triage team and were able to quickly triage and assign alerts to the SOC analyst. Then, the analyst would do a deeper investigation and report back to the same supervisor if they found anything interesting. The supervisors were faster at filtering out some of the alert noise, which allowed the analysts to be more involved in real alert investigation. This does not scale well, but the manager was willing to help the team and improve workflows. Be bold and understand how the team is working through events and other mundane paperwork.
Good analysts love their work and always want to understand more. Security management should encourage the team to learn about different aspects of security. There are so many areas the team can expand into (physical, application, engineering, etc.), and you can encourage learning without fear that someone is going to leave. Analysts are always going to leave eventually, but keeping them happier for longer will only make the team stronger.
Step 3: If you invest in your analysts with additional learning resources, they are more likely to stick around.
Do not be afraid of turnover, especially in this industry. Encourage your team to take on new challenges and step out and learn. Security management should be encouraging and planning for this eventuality. Let your team move up to other roles within your organization. I've hired inexperienced new analysts out of high school and college, but in the interview I'd ask directly if they were willing to stay one year. I talked them through the opportunity and what I was investing in them, and wanted to know if they would be committed also. This goes back to leadership: showing an interest in your staff ties them closer to the team.
Step 4: Show you will invest in your employees to see if they will reciprocate.
Getting Analysts Involved
I am a firm believer that security is better when the people are connected. If your security analysts can build relationships with other teams (like the helpdesk/desktop, app developers, and business functions), it strengthens your team and gets the analysts out of their bubble. When the feces hits the "air oscillating device," those are the times you need those relationships to get the job done. The CISO or manager shouldn't be the only person who knows members of other teams. Encourage your analysts to build relationships with other teams. Why not treat another team to a pizza lunch meeting and expand your security team?
Step 5: Communication.
Analysts should be more than alert jockeys. Turn your analysts into business analysts as well. Have them go out and learn how another portion of the company works. Let the security management team make the introductions and build the dotted lines to other areas of the business.
For example, if your company writes code or has engineering specs, do the analysts know where that information is stored? Is that data stored onsite or with a cloud provider? Getting your analysts involved helps the team understand the business and how it works. It will also help them spot more false positives and better understand the data they are looking at on a daily basis.
So often, analysts get stuck in day-to-day alert triage and investigation. Give the analysts different types of projects to explore, each with a due date. The projects can be related to engineering, applications, business functions, process improvements, etc. Keep them focused on the business aspects so the entire team benefits. The end outcome is a challenged analyst who makes the collective team smarter.
Step 6: Creativity is a necessity.
With the current workflows of the SOC, analysts are stuck with a boring, mundane task, one they will repeat hundreds of times each day: reviewing alerts. This means that, without the help of technology, analysts start drowning in information and end up with "blinders" that can lead them to make mistakes or, worse, become a major reason for them to change jobs every year or two. It is almost the equivalent of having to reread a single page in a book over and over because somewhere along the way your brain wandered off. Give analysts the ability to be creative!
Technology is so important that it has two places in this blog. The typical security analyst has several tools at their disposal, which sometimes causes more issues than it's worth. Have the analysts learn a new technology only when there is an immediate benefit. Challenge your team members to reach new understandings of the capabilities already in house, while balancing what they truly need to do their jobs. Not all tools are created equal, and finding the balance between effectiveness, information, and results can be tough. Beyond the tools sold by security vendors, there are also internal tools in other departments that may be able to extract important security data.
Step 7: Understand internal capabilities in order to choose the right security tools for your team.
Here at JASK, we use technology to help security analysts do their jobs. To learn about how our team can help you meet these steps and help your analysts, reach out at [email protected]