Working in a SOC is so stressful that two-thirds of employees want to leave

UnixGuy · July 31

"Inadequate budgets, a lack of visibility into network activity, and the pressures of managing a never-ending stream of operational data have turned security operations centres (SOCs) into highly stressful workplaces where 65 percent of workers are considering changing careers, according to new research that paints a damning portrait of current SOC practices.

Fully 73 percent of 554 IT and IT security practitioners, surveyed in the Ponemon Institute’s Devo-commissioned improving the Effectiveness of the Security Operations Centre study, said the increasing workload that SOC staff face was causing burnout, while 71 percent blamed the 24/7/365 on-call culture and 69 percent said there were just too many alerts to chase.

Respondents also named a range of other problems that made 70 percent agree that working in a SOC is “very painful” – including the inability to recruit and retain expert personnel (68 percent), inability to capture actionable intelligence (55 percent), lack of resources (53 percent), and “complexity and chaos” within the SOC (49 percent)."

Full Article: https://www.cso.com.au/article/664803/working-soc-stressful-two-thirds-employees-want-leave/

Thoughts?

chrisone · August 1

A few thoughts/bullet points from my own experience. I don't care to fully articulate or elaborate on each topic lol
but...

alert fatigue
others not pulling their weight (probably due to lack of skills plus not "wanting" to improve skills)
management not encouraging training
hire a MSSP/MDR for night shift
switch to pure red team (where I am headed)
buy fireeye! (seriously these things weed out the false positive and give you very accurate none BS alerts)
IPS (maybe pro-active IPS devices are better after all? they do the work for you )
management should give SOC members 1-2 hours of threat hunt sessions (SOC engineers need to be in an "active defense" mindset and not always in a reactive boring alert mindset)
hire a snort/suricata experience infrastructure engineer to tune the damn thing! (I can't stand shops who expect SOC analysts to be infrastructure engineers and for infrastructure engineers to attend to alerts!) Its like asking your mechanic to be your driver too!
more orchestration
playbooks (what should we react to and what we should let go)
go cloud, everyone will eventually be in the cloud

honestly I don't care to respond to any criticism lol everyone has a way of doing things but the industry and these types of articles are proving my point.

Swift6 · August 1

Not surprised by these findings. While practices vary depending on the organisation, the ever increasing volumes of data don't make it any easier.

There is no one fits all solution.

LonerVamp · August 2

Definitely a thing. By the time an organization is of a size to have a SOC, they probably have enough infrastructure and users and endpoints and data floating around from years or organic growth that getting visibility into what you'd need is probably futile without a very narrow (read: achievable) scope.

Part of the problem is probably around management of the SOC and its tooling/purpose. I suspect many SOCs have lots of low level people, and then maybe a few "higher level" managers who really aren't more than glorified resource managers rather than security planners.

PC509 · August 2

It sounds like the major issues could be fixed by management, but we all know how that goes. Give them the tools they need, the abilities they need (network visibility), and company resources (budget). With that, you could train the SOC analysts to not want to jump ship right away and probably keep a pretty good, trained team. Those that don't leave to go elsewhere will become engineers or fill other positions in the same company.

I think the majority of issues when it comes to these things are not due to the job itself, but due to managements lack of attention to the job. It can be stressful, but so is working on a car with a crescent wrench and a hammer. Doable, but you're swearing the whole time. Give them the right tools, the right training, and have their back. These numbers would change quite a bit.

LonerVamp · August 2

To be fair, you only should spend as much money on security as you need to...

PC509 · August 2

LonerVamp said:

To be fair, you only should spend as much money on security as you need to...

True. Some of those high profile breaches spent as much as they needed. Post-breach, their budget increased quite a bit, not including the cleanup of the breach itself.

JDMurray · August 2

There is a creeping "sticker shock" with information security budgets in modern, corporate organizations. The people and technology costs required to secure just email for a Fortune 500 company is considerable. Many organizations are reluctant to allocate the budget needed to mitigate their security risks, or feel they need to get their money's worth from that budget by having their security people also work non-security roles (netops, help desk, etc.). Both will cause situations that lead to the burn-out of SecOps people.

Organizations are also slow to understand how security automation and orchestration can help improve their security posture. This is not a quick or cheap thing to implement. It requires both full understandings of all the normal activity occurring on your network and ongoing tuning to be effective. Lastly, network operations teams typically design their network(s) to be easy to diagnose and repair--which is usually not conducive to a network being internally secure. This leads to a deluge of noise that makes it difficult to determine the occurrence of true, malicious security incidents. Once again, mental fatigue and disillusionment with the SecOps role results.

JDMurray · August 2

Oh, if anyone has a copy of that Ponemon study, I would like to know what organizations are having such problems with their SOC processes that "their SOC team would benefit from stress management programs and psychological counseling."

UnixGuy · August 2

So there is a shared sentiments that incompetent management is the problem. When we say 'organisations don't understand the importance of security', this translates to senior management don't have security as a priority (until a breach happen) and when they do, they don't do it right.

JDMurray · August 2

For those interested in solutions rather than just finger-pointing, have a look at the SANS Common and Best Practices for Security Operations Centers: Results of the 2019 SOC Survey webcast and PDF (July 2019).

The biggest obstacles to effective SOC performance in this survey are:

A lack of skilled staff
A lack of automation and orchestration
Too many unintegrated tools
A lack of management support
A lack of processes and playbooks
A lack of enterprise-wide visibility
Overhyped technologies (AI & automation solves staff shortage problems, etc.)

Working in a SOC is so stressful that two-thirds of employees want to leave

Comments