What do you call an overworked security analyst? A security analyst. This riddle is tinged with sadness because it’s true. Being anxious and overwhelmed is a security analyst’s natural state of being, and that’s due to a confluence of factors.
Security alerts are rising: Each new security point product spins up useful but voluminous data that security teams must parse through for correlations, pattern spotting and response actions. With expanded threat surfaces due to remote jobs, cloud adoption and portable devices, security teams either lack visibility over their environments or are unsure how to coordinate among their environments.
There’s a skills gap: Recent research by my company highlights continuing problems with hiring, training and retaining security professionals. Our report found that it takes eight months to fully train security analysts and around a quarter of employees change jobs within two years. Roughly 79% of respondents cited "not enough people" as a challenge.
It’s a tough beat: The cybersecurity trenches are a tough, unforgiving place. Security analysts need to keep one eye on the day-to-day -- battling alerts and managing their tool stack -- and the other eye on long-term skilling and preparation for new attacks their organization will undoubtedly face. Add to this working odd hours under time pressure and with real ramifications attached to every mistake.
A relegation of importance: This isn’t true of every organization, but security teams are sometimes treated in an aloof, isolated manner by business-focused teams and the executive branch. Every employee wants to feel valued by their company; divorcing security teams’ contributions from the overall business and considering them more a stepchild than a part of the family does no one any favors.
There are well-accepted methods to keep employees happy, such as compensation and work-life balance -- methods that certainly don’t need more articles about them! Due to the unique capabilities of security teams and the specific challenges they face, organizations need to go the extra mile and pay attention to their happiness and growth.
Training: Pair And Conquer
Cybersecurity has a broad spectrum of roles on offer, such as malware analysts, network engineers, incident responders, security operations center (SOC) managers and more. These roles need skills and competencies that, coupled with time pressures security teams face, often lead to employees focusing on a narrow range of capabilities rather than diversifying their portfolio.
One way organizations can mitigate this tunnel vision -- especially during training -- is by pairing employees with different skill sets together and letting them shadow each other during daily operations. This pairing will ensure more holistic onboarding and, with time, lead to security employees learning a broader range of useful capabilities.
Security teams are curious by nature and want to spend their day learning something new.
Don’t Skimp On Tools
When security teams express the need for a tool that helps improve their lives, they often need to speak the business language and lead multiple rounds of presentations to bring all stakeholders on board. While these discussions are not unimportant, it requires an inordinate amount of work for security teams outside the scope of what they’re supposed to do.
Chances are if security employees are recommending a tool, they’ve already analyzed its merits thoroughly and have a good idea why it’s the right tool to help the organization. Some tools may not display conventional return on investment numbers but will free up analyst time or offer better quality data -- intangible but critical benefits that can fall by the wayside in the face of popular metrics.
Business and security teams should meet in the middle for tool evaluations rather than security teams force-fitting their evaluations with corporate parlance to please the balance sheet. If organizations trust security teams’ intuition and are cognizant of non-measurable technical benefits that security tools bring, maybe product portfolios won’t balloon as much as they do.
Foster A Security Culture
Society has already been through the "every company is a tech company" phase, but if that holds true, then every company is also a security company. Ensuring the fidelity and integrity of digital assets is as important as creating products because both activities serve the end users. Organizations should make an active effort to afford security the importance it deserves from top to bottom.
How an organization executes this culture is subjective, but admitting its need is the first step. Some illustrative tactical examples of fostering a security culture are:
• Security training and awareness programs that are regular, engaging, conducted across teams and tied to accountability.
• Following Secure Development Lifecycle (SDL) processes with each software update.
• Identifying and rewarding individuals (within and outside of security teams) who display proactivity and good security behaviors.
• Sharing security successes and learning from security failures.
Measure Carefully, Measure Well
The wealth of security metrics made possible by big data is a double-edged sword. Organizations need to be discerning when deciding what metrics to measure while judging the performance and success of their security teams. A few pointers:
• Consider different tiers of metrics. While end results (e.g., number of breaches, response times) are important, they shouldn’t be the only metrics dictating employee performance because they might be contingent on factors outside the employee’s direct control. Metrics should span the funnel of the incident lifecycle to get a more granular picture.
• Consider the security product stack. What if a high number of open incidents (a worrying metric) is due to many false positives and duplicates that analysts must manually address? That’s a tool deficiency more than a personnel issue. While measuring, organizations must consider whether security teams are hamstrung by infrastructure and product restrictions.
• Don’t just measure issues that are visible -- measure issues that were rendered invisible because of the security team’s proactivity.
There’s no one-stop list to make security teams happy, but if organizations take concrete steps to highlight the importance of their security employees, train them across a range of skills, measure their performance in a humane manner and give them the tools they need, maybe anxiety will cease to be their default state.
