By Shailendra Shyam Sahasrabudhe, Country Manager, India, UAE and South East Asia, Cymulate
Despite an ongoing focus on filling cybersecurity positions, skilled roles remain hard to fill and to retain. According to Cybersecurity Ventures, global cybersecurity job vacancies grew by 350 percent, from one million openings in 2013 to 3.5 million in 2021. The number remains at 3.5 million in 2023 too. Even as organizations increase their hiring efforts to source SOC analysts, they find it difficult to recruit because of the skills shortage, and difficult to retain the employees already on staff because of burnout.
Burnout is a condition in which an employee is no longer mentally, and sometimes even physically, able to perform their job. The contributing factors vary by industry, but the result is always the same: good employees who have contributed to the organization leave, and there aren’t enough skilled applicants to replace them. While the phenomenon is not unique to cybersecurity, the specifics of how SOC analysts routinely work have led to an increase in burnout in recent years. Security Magazine has even named burnout “One of the biggest threats to a cybersecurity team.”
Pain experienced by analysts impacts SOC performance
Businesses are highly complex in the current digital era, with ever-changing technology and tools adding to the complications caused by an expanding threat landscape. As digital transformation initiatives grow, and with them their complexity, threat actors take full advantage of the vulnerabilities that such an expanding landscape creates, and SOC performance suffers. Cybersecurity teams have to manage first-party controls such as operating systems, applications, Virtual Private Clouds, and more. There are also third-party security controls to govern, such as firewalls, web gateways, email gateways, EDR/XDR platforms, and others. All these moving parts generate a huge number of alerts, often with limited visibility into the infrastructure from the SOC itself. SOC analysts are overwhelmed and grow more and more frustrated as they are unable both to keep up with security demands and to keep their organization within its targeted risk profile.
Cyber incidents are frequent, high impact, and very sophisticated, and this stressful environment is contributing to burnout at unprecedented levels, further compounding staffing shortages. A recent Tines survey noted that over 70% of SOC analysts self-reported signs of burnout over the past year.
Identifying Barriers to SOC Analysts’ Productivity
The Tines survey aimed to build an understanding of SOC analysts’ day-to-day responsibilities, including everyday tasks, challenges, and the factors that contribute to their job satisfaction. The responses were not very positive:
– 66% of security analysts believe that half of their tasks to all of their tasks could be automated.
– Reporting, monitoring, and detection are top tasks consuming analysts’ time. Over 50% of an analyst’s time is devoted to reporting, which includes anything from capturing notes and metrics to analyzing team performance or demonstrating value to leadership.
– Spending time on manual work is an analyst’s top frustration.
– Coding – which consumes time – is the top skill needed to succeed as a SOC analyst.
The results indicate that manual, automatable operations are not only contributing to overall burnout, but also that time which could be spent coding and performing security reviews is being cannibalized by these manual operations. Organizations have to explore ways to optimize security analysts’ operations so that they can keep their staff for the long term and avoid continually looking for replacements in an already restricted talent pool.
Easing SOC Analyst Frustrations
When analysts are equipped with the appropriate tools, the challenges they face can be overcome. More importantly, implementing security validation to proactively test tool efficacy will enable SOC analysts to optimize security operations and reduce the number of alerts that need to be addressed.
a. Optimizing automation capabilities
SOC analysts experience significant workload pressure from manually performing time-consuming tasks. This can be addressed with a reliable Exposure Management and Security Validation platform that lets them automate scheduled, production-safe assessments and promote continuous improvement. SOC analysts can then fine-tune threat detection and incident response playbooks by performing specific threat activity to confirm that detection and control systems are working as expected. Furthermore, they can validate SIEM correlation rules and quickly discover gaps to accelerate mitigation.
The Exposure Management and Security Validation platform’s dynamic customizable dashboards can automatically analyze all data collected from assessments so that analysts need not spend their time manually compiling the data and then analyzing it.
b. Simplifying the processes
An efficient way to cut down on manual work is to simplify the processes and utilize a good Exposure Management and Security Validation platform’s security tool integrations. These include SIEM integration, EDR or XDR integration, SOAR and GRC integration, Vulnerability Management integration, and Ticketing integration.
The platform should also reduce the need for coding. This can be done by providing out-of-the-box templates for assessments and automating security testing, updating pre-packaged threat intelligence-led assessments every day, and operationalizing the MITRE ATT&CK® Framework to easily create meaningful and life-like attack scenarios. The ability to extend the built-in resources also allows SOC teams to use their own code where desired, for those team members who excel in the creation of new simulation components.
c. Prioritizing for reducing the risks
The continuous integration of the Exposure Management and Security Validation platform with vulnerability management solutions provides SOC teams with the visibility and context they require to create a prioritized action plan. Prioritizing the remediation of attackable vulnerabilities first creates a clearly defined plan and places the team’s focus where it is needed most. By identifying where security controls can, or already do, compensate for vulnerabilities, teams know what to modify, what to change, and what can be deferred so they can concentrate on other priorities. This integration enables SOC analysts to know exactly where to focus their efforts for the most impact.
d. Support by increasing productivity
By delivering a framework to improve analysts’ adversarial skills, teams can be more focused and increase their productivity. Purple Teaming methods also give SOC analysts an open attack framework for crafting and automating joint testing exercises that leverage and scale adversarial expertise. SOC analysts can create, store, modify, and execute both simple and sophisticated assessments. Through purple teaming they can accomplish more with their limited adversarial skillsets, improve those skills, and become better defenders.
e. Automate reporting
By having the testing and analysis platform bring together all the data necessary to prioritize and remediate issues, such systems also have all the data necessary to report on those activities. Automation of reporting operations can free up tremendous amounts of time that would otherwise be dedicated to manual operations, both easing burnout concerns and allowing for more time to focus on critical tasks which cannot be automated.
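As an added illustration of the detection-validation and automated-reporting loop described in sections a and e (this is example code written for this article, not part of any Cymulate product): each production-safe assessment records which MITRE ATT&CK technique it exercised, on which host, and whether a control blocked it; the SIEM alerts it should have triggered are then matched against those runs, and the unmatched runs become the gap list an analyst would otherwise compile by hand. The technique IDs are real ATT&CK identifiers; the assessment results and alerts are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AssessmentResult:
    """One production-safe test run: technique exercised, target host, and whether a control blocked it."""
    technique: str   # MITRE ATT&CK technique ID, e.g. "T1059.001"
    host: str
    prevented: bool


@dataclass(frozen=True)
class SiemAlert:
    """A correlation-rule hit exported from the SIEM, tagged with the technique the rule claims to cover."""
    technique: str
    host: str


def classify(results, alerts):
    """Bucket each (technique, host) run as prevented, detected, or a detection gap."""
    fired = {(a.technique, a.host) for a in alerts}   # alerts only count on the host that was actually tested
    buckets = {"prevented": [], "detected": [], "gap": []}
    for r in results:
        key = (r.technique, r.host)
        if r.prevented:
            buckets["prevented"].append(key)      # control blocked it: no alert required
        elif key in fired:
            buckets["detected"].append(key)       # correlation rule fired as expected
        else:
            buckets["gap"].append(key)            # ran unblocked and silently: rule missing or broken
    return buckets


def summary(buckets):
    """The numbers an automated report needs: coverage percentage plus gaps grouped by technique."""
    total = sum(len(v) for v in buckets.values())
    covered = len(buckets["prevented"]) + len(buckets["detected"])
    gaps = Counter(technique for technique, _ in buckets["gap"])
    return {"total": total,
            "coverage_pct": round(100 * covered / total, 1) if total else 0.0,
            "gap_techniques": sorted(gaps.items())}


# Constructed sample data, not real telemetry.
SAMPLE_RESULTS = [
    AssessmentResult("T1059.001", "ws-01", prevented=False),     # PowerShell execution
    AssessmentResult("T1003.001", "ws-01", prevented=True),      # LSASS memory access, blocked by EDR
    AssessmentResult("T1566.001", "mail-gw", prevented=False),   # spearphishing attachment
    AssessmentResult("T1048", "ws-02", prevented=False),         # exfil over alternative protocol
]
SAMPLE_ALERTS = [SiemAlert("T1059.001", "ws-01"),
                 SiemAlert("T1048", "ws-01")]   # fired on the wrong host, so ws-02 stays a gap

if __name__ == "__main__":
    print(summary(classify(SAMPLE_RESULTS, SAMPLE_ALERTS)))
```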
Burnout is a significant issue in the cybersecurity industry. For each SOC analyst who walks away from the field, there is one more opening in the team that cannot be easily filled with a limited talent pool available. By using automation and proactive analysis, organizations can reduce the overall workload on SOC analysts from multiple full-time jobs down to just one per analyst. This leads to more effective teams who can test and remediate more issues in more environments more often, without an increase in headcount, and without the ever-present risk of burning out the team you have today.