SOC burnout

January 25, 2019

Professional burnout syndrome is hardly a new problem. When people get tired of monotonous tasks, the mind starts to wander. As a result, they become less attentive, less focused. In any field of activity, this is undesirable and leads to a drop in productivity. But in cybersecurity, the consequences can be catastrophic — especially if the person in question is a security operations center (SOC) worker.

Companies have two options when it comes to setting up an SOC: create one in-house or bring in outside professionals. We have extensive experience in this area, having both our own SOC and a client service center. Moreover, our experts provide services to third-party SOCs and get to see how things go in other organizations. Armed with our own formulas for maintaining staff professionalism, we decided to share our thoughts and experience on the topic of burnout.

Let’s start with the unpleasant part: The very nature of the work of an SOC threat analyst is a direct route to professional burnout. What’s more, the better the security situation at the company, the shorter the road. The job basically entails looking for anomalies in incoming data, day after day. If an anomaly is detected, things get a bit more interesting — there’s an incident to investigate, data to collect, risk and damage assessments to be made. But at companies with state-of-the-art solutions guarding servers, workstations, and the entire information infrastructure, juicy cyberincidents are not all that common.

So the expert sits and stares at data streams, an activity not dissimilar to searching for a black cat in a dark room. In our case, we always assume that the cat is there somewhere, but in practice that doesn’t help relieve the monotony. We should note that our SOC is a far more preferable workplace than an internal center inside a run-of-the-mill company. Because we have many clients, something is bound to happen somewhere to spice up the daily routine.

What happens to burned-out employees? They grow lethargic, distracted, and generally discontented with themselves and those around them. If they take their job seriously (which practically all SOC employees do), they will be additionally burdened by a sense of having let their colleagues down. Realizing that something’s amiss, they go online to see what psychologists of various stripes have to say on the matter. The advice there is the usual stuff: “You have to admit to yourself that your heart’s not in it, remember what you liked in childhood, not be afraid to change your line of work.” Maybe some people find these clichés helpful. One thing is for sure, however — the SOC would be negatively affected if the employee followed them.

How to solve the problem

From the company’s point of view, the main consequence of staff burnout is a drop in team performance. There are many ways to overcome this problem, although not all are humane and not all are applicable in practice.

If you can’t stand the heat, get out of the kitchen

Some companies believe that burnout is a personal problem. They provide employees with vacation time and medical insurance, all according to the law (if such laws exist in their country). After a rest, the workers are expected return to work rejuvenated. Performance still down? It’s a pity, but you’re out.

Maybe in some fields this approach is justified, but at a cybersecurity monitoring center, it doesn’t fly. The SOC analyst needs to be replaced by another specialist (harder than it sounds) and trained up, and even then it will be a while before the newcomer’s performance matches that of the previous, albeit burned-out, guy. Sometimes companies take on people without relevant experience, but with the potential to be turned into a top-notch expert. To then ditch them because of burnout would be a waste of all the time, energy, and resources spent on their development, for which reason most don’t.

Internal transfer

Information security is not only about SOCs — far from it. Even at companies outside the field of information security, there are positions for experienced analysts. Rapid response teams, for example. So a transfer to another position inside the organization could be the solution. That way the analyst is taken out of their routine, and the company does not suffer brain drain.

But in terms of SOC performance, it’s irrelevant whether the employee was transferred internally or given the boot; the SOC headcount is still down by one. It’s worth mentioning that at Kaspersky Lab this happens a bit differently — before any burnout, other departments hijack SOC employees, precisely because they have accumulated practical experience; they’ve learned how attacks take place and understand how to counteract them.

Automating routine operations

As detection and incident investigation tools improve, human tasks are inevitably transformed, and yesterday’s frontline SOC analyst is today’s quality controller overseeing the work of the robot analyst, who never tires, never burns out, and never complains. These new control functions are a fresh experience, at least at first, for the analyst, raising the analyst to a new level, forcing them to step out of the comfort/boredom zone and stimulating new interest in the tasks being solved and their work in general.

Much has already been said about machine learning (ML), so it’s hard to come up with any earth-shattering revelations on that score. Suffice it to say that ML-based assistants are pretty good at handling some narrow tasks with clear quality criteria. They certainly cannot replace frontline employees, but they increase throughput and allow human resources to be redeployed as robot trainers, controllers, and developers. ML may still be hype in some quarters, but for us it is already an integral part of daily operations.

Internal rotation

It is impossible and undesirable to replace all people with robots, and so we operate a rotation system inside our SOC. After all, analyzing endpoint data streams is hardly the only task in our SOC.

For a start, there is the systematization of threat data; the practical knowledge gained by an analyst on the back of incidents can and must be used to prevent reoccurrence. And this segues into another task: enhancing SOC tools. Our SOC, for example, includes a research group plus infrastructure support and development specialists. Not wholly interchangeable positions, you might think, but all of our development activity is aimed at automating operations, so the analyst’s practical experience is absolutely vital. By periodically changing employees’ tasks, we minimize burnout, simultaneously enhancing the SOC toolkit and helping colleagues. At the same time, management gets to understand which areas genuinely hold employees’ interest; this interest is the cornerstone of high efficiency, and thus the performance of the whole team.

This method is not universal. If your SOC employs only 2–3 people, the rotation options will be limited. Incidentally, this is another reason to consider hiring outside data-monitoring experts. However, we would still recommend thinking about how to make their tasks more diverse. They might just be able to resolve some other issues you’re having, which could be enough to save them from boredom-related burnout, too.

In short, if you decide to train your own SOC analysts, we strongly advise trying to keep hold of them. It’s not only love that’s hard to find, easy to lose, and impossible to forget.