How to prevent SOC team burn out
Professional burnout is not a new problem and exists in an array of industries from banking and sales to healthcare and manufacturing. Burnout refers to diminished interest in work and is characterised by exhaustion, cynicism and inefficacy. When people get tired of monotonous tasks, the mind starts to wander. As a result, employees become less attentive and less focused. They also grow lethargic, distracted, and generally discontented with themselves and those around them.
In any field of activity, this has repercussions, not only for the individual but it has the potential to lead to a drop in productivity for the business too. However, in cyber security, the consequences can be catastrophic — especially if the person in question is a Security Operations Centre (SOC) worker. Unfortunately, SOCs have been plagued by high analyst turnover due to burnout, as the very nature of the work (analysing huge volumes of data looking for anomalies, often having to work 24/7 shifts being two key factors) has a direct impact.
Burnout in SOCs leads to frequent hiring and training of new analysts and the changeable nature also makes it hard for analysts to know each other well, which in turn affects team camaraderie, which eventually affects how the entire team responds to security incidents.
So, what can be done to help?
The investment made in education and training of individuals in a society is a resource in itself, more important than capital and natural resources. Security analysts are the human capital of a SOC and proper investment in their continuous improvement is key for efficient operation. Although tools and processes improve the efficiency of operations, it is the security analysts who make the final decision when analysing a threat. Hence it is imperative for a SOC to spend adequate resources in developing and maintaining an effective team of security analysts.
If the analysts are not adequately skilled, it affects their confidence in dealing with the security alerts. Over time the lack of confidence will manifest itself as frustration, especially when their job demands them to do more than their skills level permits.
- Opportunities for growth
Learning on-the-job is one of the dominant ways through which an analyst achieves growth. An analyst, by handling different types of security incidents, learns new skills and improves their knowledge on security analysis. This learning improves morale as it gives a sense of purpose and accomplishment. Mundane daily activities will lead to lower creativity development. Lower creativity means the analyst will use the same set of skills everyday in the job which in turn inhibits intellectual growth.
Are you providing enough opportunities for growth for your team? Are your analysts given the chance to learn from more experienced role models?
Has your analyst outgrown their current role; have they reached saturation point in their learning process? If so, consider reassigning them to another position that is more challenging. This will ensure that the learning process never stops ensuring growth and good morale and ultimately retaining the resource rather than losing them to another organisation.
Analysts feel that they need to be adequately empowered to perform their job efficiently and feel empowered when they are given opportunities - writing new threat detection content or contributing to new tools development. Analysts feel enthusiastic when they see the impact of their effort. As such, empowerment plays a major role in boosting the morale of the analysts and SOC managers have to keep in mind this important factor.
- Reflection and Automation
Repetitiveness leads to lower creativity - by automating repetitive tasks, skilled human analysts will have more freedom to engage in more sophisticated investigations. By periodically reflecting and reviewing internal procedures and processes, opportunities for automation of operational bottlenecks may be spotted. Automation frees up analysts to engage in interesting and challenging investigation tasks thereby helping to mitigate burnout.
- Help them adjust to shift work
The nature of a SOC means that some analysts have to work on 24/7 shift rotations – some cope well, some do not. Whilst we can’t change the inbuilt characteristics of individuals, we can provide hints and tips to make lifestyle changes that may make shift work more tolerable.
Some key things to consider which might promote sleep as recommended by http://www.hse.gov.uk/humanfactors/topics/shift-workers.htm
- go for a short walk, relax with a book, listen to music and/or take a hot bath before going to bed;
- avoid vigorous exercise before sleep as it is stimulating and raises the body temperature;
- avoid caffeine, ‘energy’ drinks and other stimulants a few hours before bedtime as they can stop you going to sleep;
- don’t go to bed feeling hungry: have a light meal or snack before sleeping but avoid fatty, spicy and/or heavy meals, as these are more difficult to digest and can disturb sleep;
- avoid alcohol as it lowers the quality of sleep.
When we feel overwhelmed, the first things that suffer are our diet, exercise regimen, sleep and social life. To remedy burnout, take charge of making time for healthy activities outside of work.
6 ways to improve your alertness at work:
- take moderate exercise before starting work which may increase your alertness during the shift.
- keep the light bright;
- take regular short breaks during the shift if possible;
- get up and walk around during breaks, outside if possible;
- plan to do more stimulating work at the times you feel most drowsy;
- keep in contact with co-workers as this may help you both to stay alert.
- Bring the team together
Having a team that feels connected, supported and engaged is another key to keeping your SOC thriving and not burning out. Disgruntled analysts will bring others into the fold if they’re given the opportunities and ammunition to moan. If your analysts feel supported and feel like they’re valued they will work better together. Giving the team opportunities to socialise together and bond will help them in the SOC.
Analysts are a high value resource – we must do what we can to retain the and avoid losing them to the burnout!
Sources and further reading:
- A Human Capital Model for Mitigating Security Analyst Burnout - https://www.usenix.org/system/files/conference/soups2015/soups15-paper-sundaramurthy.pdf
If you are a SOC Analyst, or work within a SOC team, and are considering an external move, you can contact Sophie for an informal discussion on 01242 507771 or email@example.com