3 Ways to Retain Security Operations Staff
Finding skilled security analysts is hard enough. Once you do, you'll need to fight to keep them working for you. These tips can help.
The shortfall in security professionals, and most notably security operations center (SOC) analysts, has been well documented. However, hiring skilled security analysts is only part of the problem. Even if an organization is able to recruit security analysts, retaining them in the long term is an even greater challenge. The foundational market forces of supply and demand enable these professionals to easily jump ship, often achieving a higher salary and title in the process.
During my time at Gartner, informal feedback I received from managed security service providers (MSSPs) indicated that the average retention period for a junior SOC analyst was between 12 and 18 months. It's important to bear in mind that MSSPs are generally able to offer a better career advancement path for SOC employees than most enterprises can.
Nevertheless, using the right techniques, retention can be improved. Here are the top three ways to attract and retain SOC analysts.
1. Convert Roles to Duties, and Then Rotate Them
The primary roles in a SOC, with some variation, are shown in Figure 1.
Figure 1.

| Role | Duties |
|---|---|
| Tier 1 | Alert queue monitoring, incident qualification, triage and escalation |
| Tier 2 | Incident investigation, remediation advice |
| Tier 3 | Detection and use case optimization, hunting and investigation, threat intelligence analysis |
The greatest mistake organizations make is defining these as fixed roles (jobs). Tier 1 work is repetitive, monotonous, and intellectually unchallenging. In addition, anyone who has ever stared at an alert console for months on end can attest that it conditions analysts to pay less attention, which has a negative impact on both effectiveness and efficiency.
Meanwhile, staff retention in Tier 2 and Tier 3 roles is higher, which results in fewer new openings and promotion opportunities for junior analysts. Once junior analysts have successfully worked in a SOC for 12 months or more, they can easily find more senior roles with another organization.
Each one of the Tier 1 through 3 roles can easily be rotated, with analysts working in each position for one-week intervals. This approach distributes both the interesting and tedious work across the team, which improves alertness and provides everyone the opportunity to perform some intellectually challenging and interesting work.
In addition to increasing retention, this rotation provides every analyst the opportunity to become familiar with the various roles required to operate a SOC. This cross-functional training helps mitigate skills gaps and maintain operational continuity if someone leaves the organization or is on paid time off.
2. Offer Phased Training and Certifications
Providing training certifications is another great retention mechanism, if offered based on employment tenure. For example, a new analyst may be offered a certification course such as the GIAC Certified Intrusion Analyst after 6 months of active employment, the GIAC Forensic Analyst after 12 months, and the GIAC Certified Forensic Examiner after 24 months.
I've used GIAC here as an example, but SANS and other companies also offer similar courses. Correctly applied, such a system can help extend average analyst retention from 12 to 18 months to as long as 5 years. Alternatively, analysts across a team can be offered different certification courses in each phase. This ensures that the team has a broad and comprehensive skill set, and the analysts who have attended a given course can transfer that knowledge by training the rest of the team.
Figure 2. Example Training Plans

| Employment Time | Analyst 1 | Analyst 2 | Analyst 3 | Analyst 4 |
|---|---|---|---|---|
| 6 months | GIAC Certified Intrusion Analyst | GIAC Certified Intrusion Analyst | GIAC Certified Intrusion Analyst | GIAC Certified Intrusion Analyst |
| 12 months | GIAC Certified Forensic Examiner | GIAC Reverse Engineering Malware | GIAC Network Forensic Analyst | GIAC Cyber Threat Intelligence |
| 24 months | GIAC Reverse Engineering Malware | GIAC Network Forensic Analyst | GIAC Cyber Threat Intelligence | GIAC Certified Forensic Examiner |
| 36 months | GIAC Network Forensic Analyst | GIAC Cyber Threat Intelligence | GIAC Certified Forensic Examiner | GIAC Reverse Engineering Malware |
| 48 months | GIAC Cyber Threat Intelligence | GIAC Certified Forensic Examiner | GIAC Reverse Engineering Malware | GIAC Network Forensic Analyst |
3. Offer Step-up Retention Bonuses
Offering increasing retention bonuses for each year of employment rewards analysts for their loyalty and gives them an incentive to stay with the organization. The salary increase from an entry-level to a mid-career analyst is between 20% and 30%, so a good bonus strategy will ensure that a similar increase is achieved over a 3- to 5-year period.
In combination, these three strategies can significantly improve SOC analyst retention, reduce the cost of recruiting and training new analysts, and minimize the negative impact of employee turnover on operations.