Information overload, burnout, talent retention impacting SOC performance

While most security teams believe that security operations centres (SOCs) play a pivotal role in cyber security programs, several challenges are impacting SOC performance within businesses, according to a new report.

Among these are information overload, worker burnout, and talent retention. The data comes from cyber security firm Devo following an independent survey of global SOC leaders (553) and staff members (547), and it adds evidence to reports of security operations becoming harder for teams to perform.

SOC teams face numerous pain points, leaders and staff consider quitting

In its 2022 Devo SOC Performance Report, the firm discovered that SOC professionals experience significant challenges while performing their duties as SOC leaders and their teams wrestle with several ongoing issues that hamper performance.

What’s more, Devo’s findings suggest that some of the key SOC complications facing organisations date back to the start of the global COVID-19 pandemic in early 2020.

Almost a third (31 per cent) of both SOC leaders and staff cited information overload as a significant factor in workers’ pain, with 34 per cent of staff stating that increasing workload is causing burnout. An inability to recruit and retain expert personnel (27 per cent leaders, 30 per cent staff) was also flagged as a major issue.

Being on call 24/7, 365 days a year (27 per cent leaders, 27 per cent staff) was mutually troublesome, while leaders cited limited SOC investment in overall cyber security budget (25 per cent), and workers pointed to an inability to prioritise threats (31 per cent), difficulty in operating across too many tools (31 per cent), and too may alerts to chase (31 per cent).

These issues impact SOC effectiveness, the report continued, with a lack of visibility into the attack surface (60 per cent leaders, 45 per cent staff), lack of skilled personnel (50 per cent leaders, 48 per cent staff), and too many false positives (30 per cent leaders, 35 per cent staff) the top causes of ineffectiveness cited by respondents.

Perhaps most alarming, 69 per cent of SOC leaders and 72 per cent of SOC staff stated that it is either very likely or likely that these pain factors would cause experienced security staff to quit an organisation’s SOC function. Indeed, 48 per cent of staff and 36 per cent of leaders admitted to having considered leaving their current role due to challenges associated with working in the SOC.

SOC pros call for stress support, automation, vacation time

Along with detailing their chief pain points, respondents were also asked what steps organisations should take to alleviate the challenges experienced SOC teams face. Stress management programs and psychological counselling (41 per cent), help in prioritising incidents and tasks (37 per cent), and automation of workflow (37 per cent) were among the top suggestions made by SOC staffers.

As for leaders, advanced analytics/machine learning (39 per cent), better support and recognition from senior leadership (38 per cent), and more paid time off/vacation time (35 per cent) were among the top answers.

Security operations “more difficult” than two years ago

The issues highlighted in Devo’s report echo findings from recent research from ESG that details five reasons why security operations are becoming more difficult for SOC teams to perform. The findings revealed that 52 per cent of security professionals believe security operations are more difficult today than they were two years ago. 

The five reasons cited for this were:

• A rapidly evolving and changing threat landscape
• A growing attack surface
• The volume and complexity of security alerts
• Public cloud usage
• Keeping up with the care and feeding of security technologies

ESG’s findings serve as a key reminder to CISOs that, as threats, IT, alerts and tools expand  SOC modernisation must be designed to make the SOC team more productive so they can scale the amount of work they can do, which means more intelligent technology, better training and structured repeatable processes.

SOC challenges ring true with SOC pros

Many of the issues highlighted in both Devo’s and ESG’s research echo thoughts shared with CSO by SOC professionals when asked about the biggest challenges and frictions impacting SOC performance.

John Lodge, SOC Manager at Socura, says alert fatigue is a particular problem.

“As well as causing fatigue for the analysts, repeating false positives also draws attention from and potentially delays responses to real active threats,” he tells CSO.

The main solution to this is with effective tuning, he adds.

“Key challenges to overcoming this are getting investment from analysts to ensure tuning opportunities are exploited as soon as possible," Lodge says.

"In cases where tuning is not possible, automation should be used so as much manual work is taken off the analyst as possible. Again, the challenge here is making sure the initial effort is put in to automate these actions before the false positives build up.”

First-time fix challenges are also significant, Lodge says.

“When escalating an incident, we ideally we want to be able to have resolved the incident with the tools and information at our disposal. In some cases, this is not possible as further context is required," he adds.

The challenge is to ensure that, in all cases, we have carried out as much investigation and response as possible.

“The solution to this revolves around analyst training and effective playbooks," he says. "The combination of both these things ensures the analyst has already carried out exhaustive investigation before presenting the issue, and it also helps to standardise the responses.”

Lastly is the issue of working shift patterns and finding the time to spend on one-to-one training time with analysts due to the fact they rotate between nights and weekends, Lodge adds.

“Day shift hours are also typically the busiest," he explains. "One approach we are using to overcome this challenge is to book time out in advance to review previous incidents.

"This time will act both as a quality control measure but also as a training opportunity. Booking this time out weeks ahead of the time means the schedule remains clear and the team are aware this time has been set aside.”