Why security analysts are prone to burnout and how to minimise SOC stress to retain competent personnel
Author: Rob van Os, cybersecurity expert & SOC product owner
It is a widely known fact that the cybersecurity industry is experiencing an immense skills shortage. A recent study by ENISA confirms that cybersecurity roles are among the hardest-to-fill jobs on the labour market.
The scarcity of well-trained security talent is especially felt in Security Operations Centres (SOCs), where burnout has surfaced as a major cause of resignation and staff turnover. According to the Ponemon Institute, 65% of SOC professionals have considered quitting their jobs due to stress. Employee burnout and high turnover rates have a real impact on a SOC’s efficacy.
Given the importance of Security Operations Centres in cyber defence, it becomes increasingly urgent to investigate the reasons behind SOC burnout and find ways to proactively mitigate analyst fatigue. This article explores what really causes cybersecurity analyst burnout and what organisations can do to maintain a healthy and effective SOC team.
The Problem: The Main Causes of SOC Burnout
The importance of preventing SOC analyst burnout is reflected in an increasing number of publications and studies. Siemplify, a large Security Orchestration, Automation and Response (SOAR) provider, dedicate a section of their website to SOC stress and coping strategies, and have also released an e-book on organisational solutions to reduce cybersecurity burnout (The Art of Recognizing and Surviving SOC Burnout: A Complete Manual for Security Operations Professionals). John Hubbard, a SANS instructor and experienced SOC consultant, gave an interesting talk on fighting SOC burnout to improve the SOC’s effectiveness (Virtuous Cycles: Rethinking the SOC for Long-Term Success). As a preliminary remark, we need to point out that both authors see SOAR tooling as part of the solution to countering SOC analyst burnout. But before looking at the solution, let’s first have a closer look at the problem.
The main job of security analysts is to conduct security monitoring activities. In order to monitor threats, analysts rely on automated tooling that creates visibility across the enterprise. These tools provide visibility at 3 levels: on end-points, in the network and through log collection. This was coined by Gartner analyst Anton Chuvakin as the nuclear (or visibility) triad. While the combination of these tools provides a powerful means of detecting adversaries in your environment, they are also prone to generate many alerts.
The burnout that analysts often face comes from working in a stressful environment. Security monitoring is a difficult task, because it involves going through large amounts of data and evaluating an increasing number of alerts to determine if there are signs of something more serious: a security incident. The SOC analyst is more or less the last line of defence: When preventative measures have failed, it is up to the analyst to find the needle in the haystack. Alert overload, combined with the fact that SOC analysts often work in shift schedules that impact their biorhythm, makes SOC analysts’ job quite stressful.
But burnout is not the only problem. While going through vast amounts of security alerts on a daily basis, security analysts also have to cope with the similarity of the alerts and the repetitive nature of the job. Performing monotonous tasks, many analysts become sensitive to boreout: they simply don’t feel challenged sufficiently. While somewhat different in nature, both burnout and boreout lead to similar results: employees that are unable to perform their task properly (or even at all), with health issues that not only put the analysts at risk, but also cause them to miss vital signals of security incidents that may have a tremendous impact on their companies. Employees are an organisation’s most valuable assets, and the SOC analyst is no exception.
Dealing with these issues requires a hybrid approach that involves technical measures, as well as changes to the SOC’s way of working. A basis for this is provided in Sundaramurthy et al.’s paper ‘A Human Capital Model for Mitigating Security Analyst Burnout’. The study, also referenced by John Hubbard, proposes a human capital model with 4 attributes (skills, growth, creativity and empowerment) for mitigating security analyst burnout. Chandran et al. argue that burnout stems from a vicious cycle in the aforementioned 4 attributes. The vicious cycle is fed by low skills, lack of empowerment, and lack of trust in the analysts. They also state that automation is part of the solution. In the following post, we will look at their proposed solution and other solutions to the burnout problem.
Want to learn more?
Check out our SOC Analyst training
The Solutions: Preventing SOC Burnout
In the previous part of this post, we’ve looked into the symptoms and root causes for security analyst burnout and boreout. In short, burnout and boreout occur from the high volume of similar events with a high false-positive rate. The work is repetitive in nature, yet analysts are expected to perform the job meticulously to avoid overlooking important signs. Furthermore, a tier-1 analyst’s tasks are typically assigned to low-skilled analysts who lack the trust and confidence to become empowered in their job. Skills and empowerment are 2 of the 4 attributes (the other 2 are creativity and growth) mentioned in Sundaramurthy et al.’s Human Capital Model.
In this post, we will look at solutions to the problem. The first thing to realise is the solutions to the analyst burnout / boreout problem are found in the people, process and technology domains of the SOC. Each of these domains is covered hereafter.
In the people domain, there are several measures that should be considered to prevent analyst burnout and boreout. These measures are:
- Design shifts with vigilance in mind. By creating a shift schedule that is designed for maximum vigilance, analyst get sufficient breaks and sleep to stay healthy and focused without being overloaded. More on the topic of vigilance in shifts can be found in Chapter 10 of the publication Improving Social Maturity of Cybersecurity Incident Response Teams.
- Stimulate training & certification. Trainings and certifications help analysts improve their skills and provide growth opportunities.
- Apply job rotation where possible. For example, it is possible to assign tier-1 analysts to threat hunting investigations. This provides them with the possibility to increase their skills and expand their knowledge. Doing both reactive security analysis (monitoring) and proactive security analysis (threat hunting) provides analysts with diversity in their daily operations. Job rotation also helps to make better all-round analysts.
In the process domain, the following recommendations should be considered:
- Exercise regularly. Exercises help remind the analysts that their job matters because if they do not monitor properly, the attack may go unnoticed. Red team exercises are preferred because they closely mimic a real attack.
- Use metrics to track improvement. When settings goals for avoiding analyst boreout and burnout, some metrics should be devised to measure improvement. Metrics often get overly complicated. Try to minimise the number of metrics and use a combination of quantitative, qualitative and timing metrics to track progress. Review the results regularly and make adjustments where required.
Lastly, the following recommendations apply to the technology domain:
- Make continuous improvement of the SIEM ruleset a priority. This will help to reduce the false-positive rate, which results in fewer events that need to be investigated This way, you can lower the pressure on your analysts. By providing analysts with the ability to tune use cases themselves (have a senior engineer approve these modifications!), analysts are empowered to make their own job more effective.
- Apply automation to avoid repetitive tasks. Automation has been mentioned as one of the solutions by Sundaramuthy et al. to avoid analyst burnout, as it helps analysts to become empowered and creative. Automation also increases performance and operational efficiency. Security Orchestration and Automated Response (SOAR) tooling can be used to support automation efforts.
As indicated, SOAR tooling can play a role in automation. It is important to realise that SOAR tooling is not a solution for all automation efforts. Instead, SOAR tooling helps to automate and standardise incident response workflows. These workflows, sometimes known as standard operating procedures (SOPs) or runbooks, can be implemented in a SOAR system for automated tasks and decision-making based on the output of those tasks. Using SOAR tools, repetitive tasks can be avoided and analysts can focus on the more interesting events and cases without being overflowed by too many alerts.
A common example use case for SOAR is the phishing use case: a phishing mail is forwarded by an employee to the SOC and sent to the SOAR system. The SOAR system will extract relevant information from the e-mail (headers, URLs, etc.) and perform automated analysis of the e-mail. This is done by checking if the extracted information against sites or lists contains known bad IPs and URLs. Additional information on the indicators in the e-mail can also be obtained (such as the domain hoster and the registration date). The result of this automated analysis is presented to the analysts, along with a recommendation for proceeding. If the mail is a verified phishing mail, the analyst can have the system perform automated tasks, such as send a reply to the reporter and remove e-mails from the same sender and/or with the same subject from all mailboxes within the enterprise.
As argued before in this post, technology is part of the solution and not the whole solution. Using SOAR effectively can help to reduce the pressure on analysts and make their job more effective and more interesting, creating room for more high-skilled activities such as threat hunting.
To conclude: addressing the analyst burnout / boreout problem requires a holistic approach based on people, process and technology. Measuring the progress made to tackle this problem using well-defined metrics is key to a successful burnout avoidance program. Combating the problem may not be easy, but remember that employees are the organisation’s most valuable assets.
About the author
Rob van Os is the author of the SOC capability maturity model (SOC-CMM), a practical model and assessment tool that enables the comprehensive evaluation of the performance and effectiveness of a Security Operations Centre.
Rob has over a decade of experience in security administration, security monitoring, security incident response, security architecture and Security Operations Centres. He is currently working as the Product Owner for a SOC in the Dutch financial sector and is responsible for day-to-day security operations and continuous operational improvement. He also spends part of his time developing cybersecurity courses for the SECO-Institute and teaching courses at the Security Academy.