Q&A: Supporting SOC Teams and Avoiding Burnout


We know that burnout is a problem for many people across the cybersecurity industry. We also know that in order to be the most secure we can be, we have to support those who secure us, whether that’s through burnout prevention or career progression. Ciaran Luttrell, Senior Director, EMEA SOC Operations, at eSentire, takes a personalised approach when it comes to supporting his large SOC team. We spoke to Ciaran about managing SOC teams, the importance of teamwork, and why career progression is a long-term process for the Cyber Mindfulness Corner.

Q: How big is the Security Operations Centre (SOC) that you are responsible for?

A: We’re quite a large group, we have over 100 security analysts between our two locations. Overall, our SOC is structured like many others into a Three Tier structure, with analysts, analyst team leaders and then more senior experts that have specialities in different areas. The team leaders report to our Three SOC Managers, who then report to myself in our European SOC and my counterpart in our Canadian HQ.

Because of the size that we are, we have invested significantly in our dedicated learning and development team made up of professionals who know how to create course content and structure courses for security people. The result from this investment is that we have a very well organised onboarding plan for security analysts. We cover all the fundamentals of our technology and our platform with instructor-led training sessions, and then we go into each service. We keep the class sizes small, ideally no more than five people. The first one normally takes three weeks and then that culminates in an assessment.

We want to validate that people have met the learning outcomes that are part of the course, and they can put those lessons into practice in a real world scenario. We give them test investigations to do and watch how they apply the lessons that have been completed. For us, it was about providing that more in-depth approach, rather than showing those new analysts the documentation and runbooks, and expecting them to meet their key performance indicators. We also continue to update our recruitment process, to make sure that we’re hiring the best talent that’s going to be successful with us.

 

Q: What have you put in place to help your team members around career progression and personal development?

A: We have done significant work on this, so we are well structured and that really helps analysts be consistent – because you’re dealing with different people, different geographies, different cultures, all kinds of variables. To respond to this, we want to use data around performance, so we can be sure that we are looking at what is really there, rather than what we might perceive. When you standardize it this way it’s much more organised and it’s much easier to spot if analysts need help in a particular area or are doing really, really great work.

We also looked at career progression as a long-term process – we have invested in people, so we want to keep them for as long as they are happy and feel like they are achieving the right results for them, as well as for us.

 

Q: What lessons have you learned over time around running SOC teams?

A: We looked at the ratio of analysts to team leads. Our team leads are the people managers that we have in the SOC, they’re involved in hiring, development, and progression for analysts. When we looked at our teams, we found that we needed to increase the number of team leads to support our staff effectively. What this did was free up time, so that we could then put a more consistent framework for all our team leads and the analysts underneath them.

This helped us standardise how our team leads work with our analysts, how they interact with them, and the kind of data that we can capture from those conversations. Before, it would have been up to each team lead as to how they captured those interactions with the SOC analysts they were responsible for, and some of them would be much less structured. So we created a template that we use across all of the team leads for, for running things like one to one meetings and we continue to evolve this template.

Why does this help? It makes it easier to track conversations and what gets agreed to, so we can follow the metrics over time. In those conversations, the team lead and the analyst will be looking for outliers in the data around the work that is taking place, for example in filter rates, alert rates and investigation audit data. If there is an outlier, then they can do a bit of a deeper dive and find out why that outlier exists.

For us, we can then see how our analysts across the SOC are performing generally, how they’re doing in terms of the results of their audits, and where there might be more training needed. We can then also look at career progression and where we have SOC analysts who can progress forward. Basing this on data relies on having that ability to understand and take actions using that data where we need to.

 

Q: How can you work on your management and people skills when it comes to areas like preventing burnout or stress?

A: This is a tough job. It depends on the person involved, and understanding their personality and what their goals are. This will affect how you approach these kinds of conversations. For some, you might just need a quick conversation with them to find out how they’re getting on, then change their work plan for the next little while to give them a bit of a breather, or offer them time off if they need it. For others, this might be a deeper conversation.

For example, we had one person who joined our SOC from a completely different industry. He had been a carpenter before he decided to make a career change. However, he brought his old work mindset with him as he joined the team, and that was, “You don’t take holiday in your first year.” He was used to working incredibly hard but not taking time away, and he wanted to be a success, but we could see that he was at risk of burnout. We had a conversation with him about how he was approaching things, and we let him know that it was OK to take time off; in fact it was mandatory. He needed to hear that it was OK to take time to decompress, so that he could be a long-term success.

 

Q: How important is data in managing your team?

A: Metric data helps you manage your team and ensure that you are comparing the work that people are carrying out. In our team, some analysts have progressed quite quickly because they’re being incredibly successful, and others will just take a bit longer to reach various milestones. For us, we don’t approach this as something that you have to get done in a certain time-frame.

It’s much more about showing your development based on a holistic view of all available data, quantative and qualitive. When you work with analysts, they love it that they can understand their position based on the data around their work and they really thrive in our career development program. This program evaluates analyst eligibility for progression each quarter based on defined goals, a committee approach is used to review analyst performance and approve or decline team lead promotion recommendations. If an analyst isn’t ready for promotion just yet, they will be given very targeted feedback on their areas for improvement and they won’t have to wait long to be reconsidered. Smaller and more regular salary increases are also given for completing internal certifications, so analysts can see progression quite quickly.

We give our analysts access to all the same metrics that we have so that they can see what we see, and we make everybody else’s metrics available to each other as well. We decided to make things fully transparent and, you know, incentivise a little bit of competition. If people want to compare themselves to other people, they can do that. We find the really good analysts, who love their work and are engaged, they’re the ones who are logging in and looking at the metrics the most. If you are data driven, then you are able to kind of compare and contrast yourself. You know what good looks like.

We can also see the mix of work that people take on – so, for example, you have case work and incidents to examine. Some of those security investigations might be very involved, whereas others would involve more triage and passing requests on to others for their response. We want to make sure that our staff are working on more balanced work, rather than some taking on all the deep in-depth work and others looking at cases that are easier.

 

Q: Any other points that you would like to share with your security peers?

A: Communication is one of the biggest skills that security professionals can develop. These kinds of soft skills can augment your technology proficiency, and make you much more effective in your role, and support others in achieving their goals.

However, communication is based on context. I’ll give an example – our team covers both reactive threat detection and incident response, and proactive threat hunting. Our SOC team can cover both of these areas, but the majority of our analysts start around reactive situations. We had a great analyst who wanted to expand their career and move more into threat hunting, and we wanted to encourage that too. So, as they started threat hunting they found something that warranted a customer notification. They wrote up the alert using our standard templates and passed it to the customer, however despite our best intentions the customer did not respond positively.

When we investigated we determined that in the customer’s eyes, the way the issue was reported to them was the same as the reactive security notifications that they were used to receiving and actioning. While the notification made it clear this was a potential issue that warranted further investigation, rather than something that was a live breach, it caused confusion and consternation. We decided to amend our communication approach to clearly delineate between threat hunting results and detection & response alerts and clearly state the expected actions. We used it as an opportunity to improve our overall communication approach, and help our analysts develop their communication skills too.



Source link