Of course, these are all solutions that will have to play out over years or decades. It’s not clear how to solve the tech skills gap in the short term. That said, we’ve put a lot of thought into combating the competitive market for SOC analysts here at MKACyber after watching our customers struggle to find and retain security talent. To be clear: we aren’t bemoaning the economic realities of employing talented people. It’s ultimately a good thing that security talent has the freedom and mobility to work in a place that truly fits their needs and desires. But reality is reality. Carrots are everywhere right now for tech workers, and there don’t seem to be many sticks for employers.
On the SOC floor, at least, we at MKACyber have a method for combating the skills shortage: repeatable SOC processes and methodologies. There’s obviously more than one way to run a SOC. We could argue about which way is best, but the most common way—we’ll generalize here a bit—is to set up a tiered hierarchy. In this scheme, the analysts in the lowest tier are relegated to dashboard and alert monitoring, verification, and escalation. These analysts tend to be easier to find. As you move up the tiers or into the computer security incident response team, you get into more specialized investigation, hunting, incident response, remediation, or other activities. These analysts are usually more experienced and harder to find. Again, in general, the higher tiers tend to have the more fulfilling work.
The tiered SOC model is often disorganized as well, driven by the intuition of the most senior, talented, or experienced analysts. This can be gratifying, depending on tasking, but it can also mean that certain analysts get to do the satisfying work while others do the monotonous work. Beyond that, disorganized SOCs can be hectic and stressful places to work, with leadership continually sending mixed or even negative messages. At the end of the day, a disheveled SOC is a SOC that isn’t going to provide a sufficient defense, advancing a culture of despair that perpetuates the problem of staff turnover.
Our W@TCHTOWER platform automates a lot of what would be considered tier-one work, while codifying repeatable processes for the work generally associated with higher tiers. In this way, our SOCs—the internal one and the ones we run for our various customers—don’t operate on a tiered model. We organize our SOCs around teams, which we call W@TCHTOWERs, and from the second an alert sounds, rotating teams of MKACyber and our customers’ analysts follow our process workflows from triage all the way through mitigation and remediation where necessary. These proven methodologies empower us to up-level our analysts from tier one to tier two and beyond, while they are simultaneously learning the higher-tier SOC functions. At the same time, no one is saddled exclusively with monotonous work, which keeps analysts happier in their jobs for longer.
If you’re looking for a way to bring more life into your SOC, while helping improve the day-to-day work that your SOC analysts go through, consider W@TCHTOWER.