Man working in a SOC

8 Ways to Reduce Security Operations Turnover

How to Reduce SOC Turnover and Maintain Your Security OperationsTalent

Security talent is increasingly difficult to come by. As the demand increases for top security experts, the ability to maintain SOC employees remains a challenge. In our blog, 12 Things to Know Before Building an In-House SOC, we talk about the demands that shift work can have on sleep cycles and social lives. While turnover is inevitable to some extent, there are things that your organization can do to reduce the turnover in your SOC.

1. Provide the right security tools.

Legacy tools and technology can be extremely frustrating in a SOC. Especially for Analysts who are up to speed on the latest developments in the cyber industry. Make sure your team has the proper systems and tools in place to cope with the problems they’re experiencing on a day-to-day basis and lets them deliver maximum efficiency. Before implementing tools, have analysts give feedback as well so you can make sure to implement technologies that fit the unique needs of your SOC.  

2. Tune the Tools.

This might sound obvious, but nothing makes an analyst feel like they should move on more than seeing the same false positives flying by and not being able to do anything about it. So, make sure that they can do something about it. Whatever the process is, the turnaround time between identifying false positives and not seeing them anymore needs to be small. This interaction between human and machine is one of the key benefits of having a SOC and greatly improves your security. 

3. Provide training.  

As threats across the cybersecurity landscape continue to increase, Analysts need to be equipped to identify an ever-expanding array of malicious activity. Over half of the SOC professionals surveyed said that they received less than 20 hours of training over the course of a year. In an industry like IT Security, this cannot be considered enough to keep up with the diverse set of adversaries that are out there. Proper training and continued education make SOC analysts more confident in identifying incidents and keep them engaged with their purpose as analysts. Training your analysts on topics like automation resident in your network can also greatly increase their efficiencies and help advance your SOC forward. 

4. Provide coherent guidance.

Just as important as providing training, it is important to provide solid guidance to SOC employees as well. One great way to do this is by setting clear expectations upfront with employees that give them leeway to make decisions. Let them know what is generally expected in their day-to-day role, but more importantly, what the long-term goals are for the organization. This can be difficult in a place that changes as much as a SOC, but if you stay flexible while maintaining that clear vision of the long-term, your employees will likely feel more fulfilled and have something to work towards.

5. Focus on mentorships.

Another great way to do this is through mentorship. Whether through an informal or formal mentor program, more senior analysts can (and should) be providing guidance to newer employees. They are one of your best resources for helping employees overcome challenges, pick up on trends, and drive overall collaboration. This interaction is also a key portion of building a team that works and stays together.  

6. Offer upward mobility.

As true in any job, people want to feel like they are making progress. Giving them something to pursue will help incentivize them to stay and can help you plan for their inevitable departure from the role they are in now. The benefits of hiring from within apply to security organizations just as much as any other. The intimate knowledge they have gained about your environment should not be wasted. If someone is unhappy working in the SOC and has the aptitude for something else, it is better to recruit them into other roles within the organization according to a plan than to lose them as a better option pops up. 

7. Offer stable supporting roles.

Additionally, not every function in a SOC needs to be on a 24/7 shift schedule. There are plenty of tasks that need to be done that don’t need that kind of coverage, and analysts know this. If you have a good grasp on how your costs align with your analyst's workload, you can better align your resources to offer more flexibility in certain positions. This can allow certain functions to be less demanding and help you flex with your workforce instead of breaking it.  

8. View the SOC as a recruiting network.

No matter what the function, security talent is always hard to come by. SOC Analysts can be a good recruiting network to pull from or use to fill gaps. After spending time working in operations, SOC Analysts can be tapped and recruited into other security roles laterally or up, as highlighted in the last two points, but they also defiantly have friends that are in the same line of work. So, the better you do everything detailed here, the more likely they are to stay longer and even do some recruiting for you. It’s also a good idea to incentivize employees to help recruit by providing a decent referral bonus for any successful hires.  

Security Operations Experts 

If you can’t already tell, all of these things are easier said than done and need a deft hand to implement daily. Selecting the right tools takes understanding and sometimes firsthand experience. Playing with the alignment of requirements to costs takes past lessons learned. Proper direction and mentoring take experienced, dedicated professionals. While you might have some of these, the cost, focus, and time it takes to develop can be more than you have to invest. Couple that with regulatory requirements, and this effort only becomes more difficult, but this investment isn’t just the right thing to do —it is imperative.  

MindPoint Group has experience building and managing SOCs for some of the most secure organizations in the world and can help you focus on what you do best by doing what we do best. Schedule a free discovery session to learn more.

More from Our Cybersecurity Experts