Information overload, burnout, talent retention impacting SOC performance

While most security teams believe that security operations centers (SOCs) play a pivotal role in cybersecurity programs, several challenges are impacting SOC performance within businesses, according to a new report. Among these are information overload, worker burnout, and talent retention. The data comes from cybersecurity firm Devo following an independent survey of global SOC leaders (553) and staff members (547), and it adds evidence to reports of security operations becoming harder for teams to perform.

SOC teams face numerous pain points, leaders and staff consider quitting

In its 2022 Devo SOC Performance Report, the firm discovered that SOC professionals experience significant challenges while performing their duties as SOC leaders and their teams wrestle with several ongoing issues that hamper performance. What’s more, Devo’s findings suggest that some of the key SOC complications facing organizations date back to the start of the global COVID-19 pandemic in early 2020.

Almost a third (31%) of both SOC leaders and staff cited information overload as a significant factor in workers’ pain, with 34% of staff stating that increasing workload is causing burnout. An inability to recruit and retain expert personnel (27% leaders, 30% staff) was also flagged as a major issue. Being on call 24/7, 365 days a year (27% leaders, 27% staff) was mutually troublesome, while leaders cited limited SOC investment in overall cybersecurity budget (25%), and workers pointed to an inability to prioritize threats (31%), difficulty in operating across too many tools (31%), and too may alerts to chase (31%).

These issues impact SOC effectiveness, the report continued, with a lack of visibility into the attack surface (60% leaders, 45% staff), lack of skilled personnel (50% leaders, 48% staff), and too many false positives (30% leaders, 35% staff) the top causes of ineffectiveness cited by respondents. Perhaps most alarming, 69% of SOC leaders and 72% of SOC staff stated that it is either very likely or likely that these pain factors would cause experienced security staff to quit an organization’s SOC function. Indeed, 48% of staff and 36% of leaders admitted to having considered leaving their current role due to challenges associated with working in the SOC.

SOC pros call for stress support, automation, vacation time

Along with detailing their chief pain points, respondents were also asked what steps organizations should take to alleviate the challenges experienced SOC teams face. Stress management programs and psychological counseling (41%), help in prioritizing incidents and tasks (37%), and automation of workflow (37%) were among the top suggestions made by SOC staffers. As for leaders, advanced analytics/machine learning (39%), better support and recognition from senior leadership (38%), and more paid time off/vacation time (35%) were among the top answers.

Security operations “more difficult” than two years ago

The issues highlighted in Devo’s report echo findings from recent research from ESG that details five reasons why security operations are becoming more difficult for SOC teams to perform. The findings revealed that 52% of security professionals believe security operations are more difficult today than they were two years ago. The five reasons cited for this were:

• A rapidly evolving and changing threat landscape
• A growing attack surface
• The volume and complexity of security alerts
• Public cloud usage
• Keeping up with the care and feeding of security technologies

ESG’s findings serve as a key reminder to CISOs that, as threats, IT, alerts and tools expand  SOC modernization must be designed to make the SOC team more productive so they can scale the amount of work they can do, which means more intelligent technology, better training and structured repeatable processes.

SOC challenges ring true with SOC pros

Many of the issues highlighted in both Devo’s and ESG’s research echo thoughts shared with CSO by SOC professionals when asked about the biggest challenges and frictions impacting SOC performance. John Lodge, SOC Manager at Socura, says alert fatigue is a particular problem. “As well as causing fatigue for the analysts, repeating false positives also draws attention from and potentially delays responses to real active threats,” he tells CSO. The main solution to this is with effective tuning, he adds. “Key challenges to overcoming this are getting investment from analysts to ensure tuning opportunities are exploited as soon as possible. In cases where tuning is not possible, automation should be used so as much manual work is taken off the analyst as possible. Again, the challenge here is making sure the initial effort is put in to automate these actions before the false positives build up.”

First-time fix challenges are also significant, Lodge says. “When escalating an incident, we ideally we want to be able to have resolved the incident with the tools and information at our disposal. In some cases, this is not possible as further context is required.” The challenge is to ensure that, in all cases, we have carried out as much investigation and response as possible. “The solution to this revolves around analyst training and effective playbooks. The combination of both these things ensures the analyst has already carried out exhaustive investigation before presenting the issue, and it also helps to standardize the responses.”

Lastly is the issue of working shift patterns and finding the time to spend on one-to-one training time with analysts due to the fact they rotate between nights and weekends, Lodge adds. “Day shift hours are also typically the busiest. One approach we are using to overcome this challenge is to book time out in advance to review previous incidents. This time will act both as a quality control measure but also as a training opportunity. Booking this time out weeks ahead of the time means the schedule remains clear and the team are aware this time has been set aside.”

For ThreatX SOC Manager Neil Weitzel, the challenge the SOC team faces isn’t necessarily inundation or an inability to come up for air, but rather monotony. “The challenge with a monotonous workload – especially regarding the similar attacks and issues clients face and ask the SOC for assistance with – is that it can feel like a game of whack a mole, squashing the same issue in several areas. When team members’ job duties lack variety, they often don’t see career growth for themselves as they are not learning new skill sets or better understanding their interests,” he tells CSO. He adds that his team has therefore implemented a rotation system that allows team members to rotate across different roles: analysis, monitoring and dedicated project time. “Some days you might spend your time on the queue, but other days you’ll focus on threat intelligence or application security, or even working on training and research. I think it’s important to give your team the time to find their passion and give them the opportunity to home in on it so they can branch out into other roles or departments.”