Skip to content
    June 22, 2020

    SecOps Simplified, Part 4: Staffing – Haven’t I Seen This Movie Before?

    Security operations centers (SOC) are charged with a growing list of important security functions including: event triage, incident investigations, threat vulnerability management, security operations engineering and more. A sophisticated SOC with the aforementioned functions often takes a sizable number of people to staff when considering a 24/7 operation. 

    The enormous costs associated with staffing the SOC are often justifiable for highly-targeted businesses (science & technology, defense contractors, larger financial industry firms, and government agencies jump to mind), especially given the SOC’s critical role in the organization’s risk mitigation strategy. So, where does that leave small-to-medium sized businesses (SMBs)?

    Here’s the reality – staffing a modest infosec program, much less a 24/7 SOC, is rough on managers and SOC members alike. The biggest pain points in my experience center around recruitment, onboarding, and retention. But here’s the kicker – it becomes like the infinite loop in the movie Groundhog Day where managers find themselves dedicating valuable time to the hiring cycle more and more with less and less to show for it. It’d be nice to reclaim at least some of those resources, wouldn’t it?

    Recruitment remains a highly human-driven and time-consuming process for managers. Let’s briefly enumerate all the steps, people involved, and pause points. The simple act of developing and posting a job ad can take time. Human resources skills, processes, and their availability figure into the job ad getting posted too. Then the waiting starts while the ad hopefully attracts candidates. 

    But, let’s assume you get applicants – WAHOO! Several firms that I’m familiar with required four total interviews: call screening, technical phone screening, management phone screening, and on-site interview. That process takes weeks, and more likely months, to complete end-to-end. Now multiply that by the number of quality applicants that will all go through that process and you’ll realize recruitment carries an enormous cost in human-hours across a range of employees. 

    Hiring outside staffing firms, the better ones, can be helpful. They can shrink that time to complete that process somewhat, but they too carry a cost that’s often a poor fit for SMB. And, even an outside recruiting firm can’t alleviate the need to onboard the newly hired resource. 

    Onboarding is a struggle for organizations of all sizes.That duty typically falls to the manager, the employee’s peers, or some combination of the two. A bad onboarding experience slows a new hire’s time to value for the employer and even erodes the morale of the new employee. It’s a crucial step, but there’s a lot that can and often does go wrong at this staffing stage. 

    Dedicating training dollars to the SOC staff improvement is a must. It allows employees to grow professionally and deliver more value to their home organization. Sadly, it’s also often the first line item to cut from the infosec budget if things get tight financially. Company-funded employee training gets a bad rap in some circles. Organizations can be exploited for training dollars if there’s no policy dictating a contractual term of service. Yet, I’ve always worried about what kind of employee stays at a company that won’t invest in them. Companies should too. Staffing suffers when there is no meaningful training funds available.

    Staffing is made more difficult given the challenge of retaining productive employees. Tier 1 hires are initially affordable, but market demand for their skills rises quickly. It’s not unheard of for a high performing Tier 1 SOC analyst to command a 50% higher salary by the two year mark, if not sooner. Many companies struggle to compete with these external market forces and ultimately earn reputations as regional stepping stones for cybersecurity careers in the process. Good company culture and reasonable training investment helps retain productive employees, but it is by no means a given in the modern workplace.

    A modern SIEM can and should be a differentiating factor in alleviating the pain of infosec staffing. Blumira’s platform comes pre-packaged with: 

    • Customized threat detections
    • Analytic workflows designed to help guide customers through security investigations
    • Easily deployable tool integrations
    • A growing library of SOAR enhancements. 

    The product meets clients wherever they’re at in terms of an information security staff, whether they have a fully-staffed SOC team or system administrators with dual-hat responsibilities. 

    Related Content

    SecOps Simplified, Part 1: SIEM…Now Without the Headache!SIEMs are a vital part of your security strategy – but traditional ones are costly and painful. A modern SIEM should be easy to deploy and provide immediate security value.

    SecOps Simplified, Part 2: Security Tools – Is More Better?
    Are you maximizing your security tool ROI? How to perform better on pen tests and improve overall security on a budget by auditing effective solutions.

    SecOps, Simplified: Part 3 – Security Orchestration, Automation and Response
    Security Orchestration, Automation & Response (SOAR) solutions are the future – but there are limitations. Here’s how to leverage SOAR with lower overhead.

    Mike Behrmann

    Mike served at the National Security Agency for seven years where he focused on leading computer network exploitation operations and was later deployed to the FBI Detroit Division’s Cyber Task Force as a Threat Analyst. He joined NetWorks Group in 2015 where he and Matt Warner established the company’s Managed...

    More from the blog

    View All Posts