Even before the pandemic completely reshaped the world of recruiting with an explosion of remote work, it was always hard for most employers to attract and retain qualified cybersecurity professionals. Security pros are in high demand, expensive to hire, and—in the average security operations center (SOC)—time-consuming to bring up to speed.
High turnover can cause huge problems from both a business and security perspective. According to this article by Gallup, the cost to replace an employee is thought to range between 50% and 200% of the employee’s salary.
You need your SOC to be an appealing workplace for jobseekers, and when you have someone good, you want them to stick around. Unfortunately, the average SOC is the antithesis of a rewarding place to work. However, many of the problems that give cybersecurity its reputation as a high-turnover field are not found in SOCs that leverage security orchestration, automation, and response (SOAR) software.
As shown in this study in the Harvard Business Review, people stay in jobs for reasons like achievement, recognition, responsibility, and growth. Many SOC jobs, particularly those of Tier 1 analysts, are the exact opposite. Junior analysts often spend their entire day facing a never-ending queue of alerts, copying and pasting information for threat intelligence lookups. A startling number of alerts don’t ever get investigated, and the ones that do mostly turn out to be low-risk or false positives.
This type of work quickly becomes repetitive and mindless, with no meaningful connection to making the company safer. Security personnel in this situation don’t have time to proactively stop the alerts from piling up. They can only address the symptoms.
It’s no wonder why it’s hard to staff a SOC when this is the environment.
How does SOAR help solve this problem and turn SOCs into places that talented security pros want to work? First, it automates away most of the repetitive tasks that analysts hate. If you have a SOAR platform automatically enriching alerts with threat intelligence, assessing their risk, and correlating their IOCs against past incidents, you don’t need an army of Tier 1 analysts managing alerts. Many alerts can be auto-closed as false positives, and the ones that do require human attention are risk-scored and contextualized in a manageable queue.
So, if SOAR reduces burnout and dissatisfaction by automating mindless tasks, what do security teams do with their time instead? They do the kind of work that actually utilizes their expertise, allows them to improve their skills over time, and progressively makes their companies more secure.
Teams that use SOAR can build best-practices based workflows into playbooks, which include codeless integrations that orchestrate actions across other tools. SOAR also makes data for decision-making available to the whole team, such as threat intelligence, TTP correlation, links to IOCs from past incidents, and trend reports. These features help junior analysts contribute to more advanced tasks and prevent internal expertise from being limited to the most senior team members.
SOC managers and senior analysts also use SOAR to do more engaging work and make progress against the threats faced by their companies. These tasks might include threat hunting, optimizing playbooks, analyzing SOC metrics, mapping threats against the MITRE ATT&CK matrix, and taking the time to investigate the root causes of incidents.
If you’re involved with hiring and managing cybersecurity personnel, you’ll probably get a lot of value from The CISO’s Guide to SOAR, which you can download for free from our Resource Library. The guide breaks down how SOAR empowers security leaders to implement their automation strategies, optimize their budgets, and generate business value.