Amid all the dismal headlines that have become routine reading for security professionals (such as this study, which referenced cybercrime as one of the greatest challenges to humanity in the coming decades), one positive development has emerged: the increasing comfort among infosec practitioners to discuss how they’re feeling about their jobs.
Those feelings are, of course, rooted in the overwhelming expectations and burdens that come with the high-pressure responsibility of repelling cunning and unpredictable adversaries across a widening attack surface – not to mention the stress that can result if something is overlooked or if a mistake is made. Still, it’s a good thing when the people on which organizations rely to protect them open up about important subjects like mental health and burnout. Everybody benefits.
The security operations center is not immune to this burgeoning crisis, which has seen multiple sessions at the most recent RSA and Black Hat conferences devoted to its importance. Inside the SOC, many of the common factors that can strain a security individual’s psyche are on full display: sophisticated threat assaults, disparate detection tools firing off countless alerts – and a lack of adequate skills to deal with it all.
A study released in May by the Information Systems Security Association and Enterprise Strategy Group surveyed 267 security professionals to assemble a Top 10 list of primary security stressors. Among those that directly impact security analysts are:
- “The overwhelming workload”
- “Constant emergencies and disruptions that take me away from my primary tasks”
- “The fear of getting something wrong”
- “Sorting through the myriad of security technologies used by my organization”
The rest of the list indirectly affects SOC pros as well:
- “Keeping up with the security needs of new IT initiatives”
- “Finding out about IT initiatives/projects that were started by other teams within my organization with no security oversight”
- “Trying to get end-users to understand cybersecurity risks and change their behavior accordingly”
- “Trying to get the business to better understand cyber risks”
- “Keeping up with internal and regulatory compliance audits”
- “Monitoring the security status of third parties my organization does business with”
The role of the security professional will always be packed with pressure. That’s part of the job, and for many, part of the allure too. Curiosity, problem solving, a greater moral imperative … whatever motivates you about security also brings with it its fair share of turmoil. But misery has no place in that equation.
Here are four tips for turning the unsustainable into the sustainable, helping to ensure you (or your direct reports) maintain their satisfaction – and sanity.
1) Hope for the Best, But Expect the Worst
First things first: a mental health reminder: You can’t do it all on your own, nor should you be expected to. Attacks are going to happen, adversaries are going to slip into your network and responses aren’t going to be perfect. Data-loss incidents aside, the day-to-day grind of being a security professional will also take its toll. But you must manage expectations and not let your job consume you. As security researcher and mentor Chris Sanders argues in his essay “The Cult of Passion”: “If you fall victim to the thought that information security must be your life, you will eventually burn out. There is this myth that we all must be the best … [B]y constantly trying to be the best it breeds things like imposter syndrome, self-doubt and depression.”
2) Define Processes and Procedures
Now onto the more tactical. Having go-to plans will help keep you less flustered when the inevitable calamity unfolds. That includes, of course, having policies and processes around things like escalation and shift hand-offs, but also custom playbooks, which are an essential SOC tool that will allow you to immediately kick into gear a response when a particular threat use case arises, from a phishing attack to a potential rogue insider event and everything in between.
3) Prioritize Effectively
So many alerts are vying for your attention at any given time, but you can’t handle them all, and many turn out to be false positives. What ends up happening is a phenomenon known as “alert fatigue.” If your front door bell incessantly rang, and every time you opened the door nobody was there, you’d eventually stop getting up from your couch. That same goes for the SOC.
As a result, you’re best served taking a risk-based approach that involves paying careful attention to the alerts that are most relevant to your business and are prioritized by potential impact. This is where machine learning can come to the rescue, as well as solutions that can group related alerts into threat-centric cases.
4) Manage Crises Together
With security now an integral part of the overall business, the actions of your team are likely experiencing deeper scrutiny than ever. But the repercussions of a security incident aren’t solely for your shoulders to bear. Multiple stakeholders from across the organization play a vital role in the response and recovery process, and creating a consolidated way to communicate and make decisions will help remove many of the concerns, questions and general stress that would be exclusively strewn in your team’s direction without it.
5) Centralize Your Work on a Single Platform
In the same way that marketing professionals rely on platforms like Marketo, HR professionals turn to Workday and sales professionals leverage Salesforce, security operations practitioners also require a single, flexible platform that offers visibility, integration and control. Constantly switching between different platforms to achieve different tasks can drive anyone to the brink and increases tension levels. A security orchestration, automation and response (SOAR) workbench acts as a force multiplier and addresses all the things burning you out: security stack sprawl, alert overload and the constant pressure to do more with less. A happier SecOps professional can automate the tedious stuff and concentrate on business-enabling security projects that play to their strengths and passions.
Dan Kaplan is director of content at Siemplify and a former security reporter and editor.