A security operations center (SOC) is an organization’s first line of defense against outside adversaries. Businesses’ overall cybersecurity programs should be judged on the effectiveness of their SOCs – whether in-house or outsourced. One of the most important measures to see if a SOC is successful is to look into hiring and staffing practices.
Exabeam’s annual 2020 State of the SOC report provides an inside look into recruiting and staffing SOC teams from organizations in the U.S., U.K., Canada, Germany and Australia. The report is a result of a survey of CISOs, CIOs, frontline security analysts and security managers and covers a wide range of topics, including common pitfalls, priorities, operational processes, technology and finance and budget.
Year after year, staffing remains a key issue, with this year’s report revealing nearly 40 percent of organizations feel their SOC is understaffed, often by fewer than ten employees. A small fraction of respondents (4 percent) felt their team needed more than 20 employees to be complete.
With these statistics and the widening technology talent gap in mind, cybersecurity leaders need to recognize that their SOC will only run smoothly with the right team in place. Recruiting should be narrowed in on this idea. Below, we dive into some of the staffing themes from this year’s State of the SOC report.
Hard and Soft Skills
The report revealed that 33 percent of security organizations are still struggling to find talent with the necessary skills. Part of the reason for this could be that hiring managers are not focusing on the right areas.
Hard skills remain critical when it comes to searching for cybersecurity talent. Risk management, data loss prevention, incident response and network and system skills remain some of the most crucial with over 60 percent of respondents citing their importance. Threat hunting also stood out as a hard skill that is highly important but that SOC personnel feel they lack the ability to resolve. When hiring, CISOs should pay attention to candidates with experience in this area.
This year’s survey also revealed more and more SOC leaders are placing an emphasis on soft skills with the ability to work in teams taking precedence over formerly reported social ability.
Other soft skills hiring managers should be on the lookout for include:
When a candidate is being evaluated, it is important to look for all of these elements. Hiring for a SOC position needs to be a balancing act. During a cybersecurity incident, it is important for SOCs to have the soft skills to work together to mitigate damages of an incident and the techniques to solve the problem. Too much of one or the other can be detrimental in the event of a data breach.
Common Hiring and Retention Challenges
The good news from this year’s survey came from SOCs across the U.S. and U.K., stating significant improvements in being able to identify candidates with the right expertise and recruiting costs. However, over a quarter of companies are struggling with competing offers and companies and professionals moving to freelance work.
Some of the reasons for a lack of retention include heavy competition from specialists, high stress, low wages and being overworked. These sentiments have consistently been reflected YoY since the start of the State of the SOC report. The good news is that despite these factors, 60 percent of respondents are citing workplace benefits, high wages and a positive culture overall as driving high employee retention rates. If a SOC is suffering from lower retention rates, they should consider discussing employee packages with the organizational leaders and HR to deter SOC employees from leaving the company.
Employees retention can differ by role. While just over a quarter of CIO/CISOs, SOC managers and frontline employees all felt overworked, there were several differences across each role. Over 60 percent of frontline workers cited an undefined career path as the top reason why they would leave a company, with high stress levels (45 percent) closely behind. Only 9 percent of frontline employees felt they lacked the tools needed for work compared to nearly a quarter of CIO/CISO respondents. Nearly half of all SOC managers surveyed said that heavy competition for security specialists would be a driving force for why they would leave a company, echoed similarly by 45 percent of CIO/CISOs.
The same pattern was also identified when respondents were asked to share the top reasons they would most likely stay in a role. In-house training was measured equally amongst the three surveyed groups with 30 percent of respondents in each category saying it was a top reason. All of the groups had the majority of respondents pick good pay as a top factor. Nearly 40 percent of CIO/CISOs emphasized the importance of a positive culture and work environment. The same percentage of SOC managers valued challenging work. Over 40 percent of frontline workers identified a low stress work environment as a reason to stay in their role.
How Can Hiring Managers Use This Information?
SOCs are critical in the fight against cybercrime. Therefore, it is important for hiring managers to examine patterns in order to recruit and retain the right talent. By dissecting motivations and the skills needed for each job in the security center, organizations across the globe can be fully prepared to stop hackers in their tracks.
Sam Humphries, security strategist, Exabeam
Samantha has 20 years of experience in cyber security, and during this time has held a plethora of roles, one of her favourite titles being Global Threat Response Manager, which definitely sounds more glamorous than it was in reality. She has defined strategy for multiple security products and technologies, helped hundreds of organisations of all shapes, sizes, and geographies recover and learn from cyberattacks, and trained many people on security concepts and solutions.
In her current role as global product marketing team at Exabeam, she has responsibility for EMEA, Data Lake, compliance, and all things related to cloud.
Samantha authors articles for various security publications, and is a regular speaker and volunteer at industry events, including BSides, IPExpo, CyberSecurityX, The Diana Initiative, and Blue Team Village (DEFCON).