Closing the Tech Skills Gap in Security Operations Centers (SOCs)
It’s a well-known reality that the information security industry, and the broader technology industry, suffer from a major tech skills gap. Here at MKACyber, we’re in the business of security operations, and SOC analysts, the lifeblood of our business, are, like most tech talent, in an enviable position: demand for their skills is high and the supply is low. Unfortunately for the countless businesses desperate for tech talent, it’s a seller’s market and businesses are buying.
There’s no easy solution to the tech skills gap in the short, mid, or long term. In fact, the problem is far bigger than the security industry or even the tech industry; it’s a generational problem that will require generational solutions. In the long term, permanently closing the gap probably requires a fundamental redesign of the global education system. In the mid term, countries will have to rethink how they handle immigration from countries that are doing a better job of educating the next generation of tech workers, and how they can streamline the issuance of visas for people with in-demand skills. Good or bad, companies may need to outsource jobs, and local governments (likely in tandem with private sector partners) may need to invest in adult education and training programs designed to move labor from industries that are waning to others that are booming.
According to 2014 census data (hat tip to Planet Money for the graphic below), truck driver (a category that includes delivery drivers) is the most common occupation in a majority of US states. What happens if and when trucks start to drive themselves? There will be a vast pool of talented drivers looking for work, and if we play our cards right, we may be able to move many of them into in-demand tech roles, helping to close the tech skills gap. The self-driving truck problem is a microcosm of the bigger issue here.
Of course, these are all solutions that will play out over years or decades; it’s not clear how to solve the tech skills gap in the short term. That said, we’ve put a lot of thought into the competitive market for SOC analysts here at MKACyber after watching our customers struggle to find and retain security talent. To be clear: we aren’t bemoaning the economic realities of employing talented people. It’s ultimately a good thing that security talent has the freedom and mobility to work somewhere that truly fits their needs and desires. But reality is reality. Carrots are everywhere right now for tech workers, and there don’t seem to be many sticks for employers.
On the SOC floor, at least, we at MKACyber have a method for combating the skills shortage: repeatable SOC processes and methodologies. There’s obviously more than one way to run a SOC. We could argue about which is best, but the most common (generalizing a bit) is a tiered hierarchy. In this model, analysts in the lowest tier are relegated to dashboard and alert monitoring, verification, and escalation; these analysts tend to be easier to find. As you move up the tiers, or into the computer security incident response team, the work shifts to more specialized investigation, threat hunting, incident response, and remediation, and the analysts doing it are usually more experienced and harder to find. In general, the higher tiers also tend to get the more fulfilling work.
The tiered SOC model is often disorganized as well, driven by the intuition of the most senior, talented, or experienced analysts. For those analysts that can be gratifying, but it also means that a few people get the satisfying work while everyone else does the monotonous work. Beyond that, disorganized SOCs can be hectic and stressful places to work, with leadership continually sending mixed or even negative messages. At the end of the day, a disorganized SOC is a SOC that isn’t going to provide a sufficient defense, and it breeds a culture of despair that perpetuates the problem of staff turnover.
Our W@TCHTOWER platform automates a lot of what would be considered tier one work, while codifying repeatable processes for the work generally associated with higher tiers. As a result, our SOCs, both our internal one and the ones we run for our customers, don’t operate on a tiered model. We organize our SOCs around teams, which we call W@TCHTOWERs, and from the second an alert fires, rotating teams of MKACyber and customer analysts follow our process workflows from triage all the way through mitigation and, where necessary, remediation. These methodologies let us move analysts up from tier one work to tier two work and beyond while they learn the higher SOC functions on the job. At the same time, no one is saddled exclusively with monotonous work, which keeps analysts happier in their jobs for longer.
If you’re looking for a way to bring more life into your SOC while improving the day-to-day work of your SOC analysts, consider W@TCHTOWER.