Between the monotony of painstakingly searching for anomalies and the enormous responsibility of ensuring a company’s security, security operations center (SOC) employees endure constant stress. My hope is that sharing my experience as the head of a SOC that provides a managed detection and response (MDR) service can help shed some light on SOCs in general, so I’d like to share my five steps to minimize stress and prevent burnout in the SOC.
Step one: Complete the team
Organizing your team is key. You need enough people to keep up with the work but not so many that they end up bored. You’re looking for a balance, and finding it is no mystery.
- To begin, define the scope of the work you need and then break down the roles you need to fill: what security services you need in-house and what to outsource. Use that breakdown to sketch out your target head count, keeping in mind that you’ll need internal professionals to manage outsourced functions;
- Start with six people, which is really the minimum a SOC needs to operate. That’s two for monitoring, one for investigation, one to function as architect and engineer, an administrator, and a SOC manager;
- Think in advance about mitigating the negative impact of turnover to minimize the effects of workload increases on team members.
Step two: Make work rewarding
Effective work tends to require motivation. Of course, you need to provide the conditions for growth and comfortable work, but also consider how obtrusive demotivating factors can be. For example, think about ways to make goals transparent and assessments clear and reasonable. People strive to reach new professional heights, and they excel when they find the work rewarding.
- Encourage leaders and reward effort rather than silencing newcomers or punishing failure;
- Ensure good working conditions, including adequate wages and benefits, social programs, time for physical activities, and healthy team relationships;
- Clarify goals, objectives, and the metrics by which you and the company measure employees’ work;
- Specify a transparent career path, making sure colleagues understand which team is responsible for what and how to achieve promotions or transfers.
Step three: Relieve stress
The job of a SOC analyst is stressful all by itself, making any pressure reduction particularly important. You can’t make the job a cakewalk, but you can take a few simple steps to help ease SOC workers’ loads.
- Let employees manage their own time. As long as having flexible hours doesn’t affect performance — which you addressed in step two — it shouldn’t cause any trouble;
- Exchange feedback with your team. Transparency and trust go both ways;
- Support your team. Workers should feel confident in the face of difficult situations and expect help from management or dedicated experts.
Step four: Inspire your teammates
Working in a SOC means being part of a team. Devote some time to analyzing the team, seeking optimal combinations of employees, understanding what tasks each of them performs best, and bolstering team spirit.
- Give employees varied, nonstandard tasks from time to time. That serves the dual purpose of keeping them interested and helping you learn each team member’s strengths and preferences;
- Give each team member a sphere of responsibility so they know their contributions are important and valuable;
- Provide opportunities for professional development, including networking and participation in training courses or webinars;
- Conduct collaborative team-building activities. As a manager, you may find the different structure of collaboration outside of a work environment reveals qualities that contribute to the team’s productivity.
Step five: Minimize routine
Overreliance on routine is a major contributor to burnout. Now, as I said at the start, monotony is part of the job, and you cannot get rid of most routine processes. That said, you can at least minimize the harm with a bit of intelligent outsourcing and task automation.
- Engage outside specialists in routine activities or tasks where sensible and productive;
- Implement tools and services to facilitate common IT security practices;
- Continuously research new areas, and automate everything you can.
Reallocating resources and tasks is never easy or automatic. Although offloading work sounds appealing, first consider the importance of keeping employees interested and motivated. Some functions may need to stay in-house for legal or other reasons, and for those that can move outside, you’ll need to ensure contracts clarify liability and consequences, not just responsibility. And before automating certain tasks, analyze the relevant work processes, consider user feedback, and identify any problems on the team to develop a realistic and appropriate plan.