Burnout is a condition that transcends industries. But Amanda Berlin, CEO of Mental Health Hackers, a nonprofit whose mission is to educate about the mental health risks faced by those in the infosec field, suggests three unique factors are at play when it comes to burnout impacting security operations professionals:
1) Perceived Lack of Business Value
Security operations, regardless of industry, do not produce revenue. (They) negatively impact profitability and, until very recently, have been treated as a necessary burden by executives. Ironically, headline-grabbing breaches have begun to change perceptions regarding the importance of SOCs, but prioritizing the wellness of SOC analysts has generally not improved.
Even in outsourced or managed SOC operations, costs are kept to a minimum by the purchasing organization. Contracted SOC analysts are often tasked with monitoring multiple enterprises in separate virtual machines to keep management costs low. Due to cost concerns, many SOC analysts are young professionals, or people who have changed occupations, and are in the early years of their information security careers. Culturally, this affords analysts little voice in the direction of security operations, and the day-to-day working life of the analysts. Since SOC analysts are in high demand, these professionals often move from company to company for compensation increases, better working conditions or scheduling considerations.
2) Emphasis on Detail
A SOC analyst’s tasks require strict attention to detail. Even small changes in the data indicators presented can affect how the analyst will triage the alert, begin an investigation, generate a ticket or raise an alert. SOC analysts are pressured to sift through hundreds of alerts, looking for the right indicator of compromise. Playbooks are often ambiguous, or non-existent in some enterprises, leaving the analyst to fend for themselves. As previously mentioned, SOC analysts are often young professionals working at the bottom end of the information security wage scale. However, modest pay or limited experience does not mean reduced accountability. SOC analysts are expected to be perfect, or nearly perfect in their ability to find the next malicious campaign. Poorly tuned alerts or substandard architecture can also add to the SOC analyst’s challenges, as an analyst may need to sift through hundreds of false positive alerts. False positive alerts breed complacency. Complacency leads to missed indicators of compromise.
3) Windowless Blues
Many SOCs occupy the least desirable office space an organization may spare. It is not unusual to find a SOC located in a basement, tucked into a cramped corner, or lacking the newer office furniture and amenities enjoyed by profit-generating parts of the business. Although some companies are bucking this trend, many SOCs are treated as governmental SCIFs (sensitive compartmented information facilities) and are contained in rooms devoid of natural light. SOC analysts are denied the ability to look outside at a tree, or interact with the world around them. The ability to disconnect, even for a few moments at a time, can do wonders for the mental health and grounding of SOC analysts. LED (blue range) screens and sterile artificial light also have their own psychological effects on SOC analysts.
This is an excerpt from our new e-book on burnout in the SOC.
Dan Kaplan is director of content at Siemplify.