Why people matter in Cyber Defence
What is Cyber Defence?
Cyber defence represents a multifaceted strategy encompassing network security, incident response, and safeguarding critical infrastructure. It extends its protective mantle across diverse sectors, including government agencies and private enterprises.
The primary objectives revolve around thwarting, identifying, and promptly mitigating threats, ensuring that the integrity of systems and sensitive data remains intact. In an era marked by the escalation of cyber threats in both scale and sophistication, the imperative for robust cyber defence has become all the more pronounced, serving as a vital bulwark against potential breaches and their far-reaching consequences.
The Skills Shortage in Cyber Defence
One of the main issues facing the IT security industry at the moment is the lack of skilled security analysts. We constantly hear of the IT skills gap and of the massive shortfall that seems to grow and grow with each passing year.
For the last decade it seemed that developers were the most in-demand group of IT personnel, especially those in esoteric but widely used technologies such as SAP, Oracle, and the like. However, for the last 3 years the focus has begun to shift. Today the demand for security analysts is insatiable. You want a job in IT? Well, just say you’re willing to be a SOC analyst and you’re in.
Why is this?
Well, there is a problem at the heart of all SOCs. SOC analysts arrive, stay for a while, and then the good ones leave. Why do they leave? I see three primary reasons for such a high turnover of staff:
- The salary of SOC analysts is appalling for the IT sector
- The roles are tedious for 90% of the time – limited technologies and limited tasks breed boredom
- The working hours often include night shifts
All these things conspire to put good analysts off.
A good SOC analyst needs to have a range of technical skills and knowledge, an enquiring mind-set, and a willingness to put the hours in.
These are just the same skills a good IT architect needs and a good analyst can quickly jump ship and become an architect… and earn double their salary. Who wouldn’t want to do this and live a more normal lifestyle to boot?
How do companies address this issue in Cyber Defence?
Well, instead of increasing the salary of analysts to reflect their importance, instead of providing interesting alternative work and training that supports the cyber defence of companies, and instead of designing integrated SOC capabilities that enable an analyst to make a real-time difference, they recruit graduates straight out of university who will be grateful for the salary and their first job.
They perpetuate the problem instead of trying to solve it.
The consequence of this behaviour is that most SOCs are under-skilled, under-resourced, de-motivated, and have broken operational processes due to a lack of continuity. Organisations pay lip service but don’t invest in their Operations team. As I said previously, the reasons for this parlous state lie back, deep in the mists of time (well, the 70s and 80s at least).
How do good SOCs keep their staff?
In essence, a good SOC team consists of staff who are trained, paid well, kept motivated to defend their company, and who believe they can make a difference. They do this by using integrated systems and carrying out analysis across all security data sources quickly and efficiently, resulting in informed, evidence-based recommendations to the business on how to address cyber threats and attacks.
A modern SOC team has clearly defined roles but actively supports the progression and rotation of staff across these roles to help expand knowledge and reduce the risk of boredom and complacency. A modern SOC team focuses on more than just protective monitoring. It actively researches threats to the business, it actively seeks intelligence, and it develops playbooks that are meaningful and frequently reviewed for accuracy.
A good SOC team carries out continuous service improvement, incident reviews and simulations to ensure that staff are aware of the causes of problems and how to address them in the future. If companies believe in investing in people then these are the people to invest in.
In short, a good SOC team is full of committed security analysts who are using tools that encourage, and not hinder, anomaly detection and security analysis, and who enjoy making a difference.
Without an engaged team (I’m sure we used to get called Nerds and Geeks) it is not possible to defend a business. It is these staff, with their knowledge, skills, awareness, and commitment, who will understand the threats to the business and make specific, informed decisions on how to address them. If your people are bored, pressured, untrained, de-motivated, and sitting on the graveyard shift, then you are beaten.