
SANS on Building Effective SOC Teams Despite the Skills Gap

Effective Security Operations Requires an Inward Approach

SANS just released the results of a survey that confirms what we all suspected: Companies facing sudden budget constraints are rethinking their security operations hiring. Recent events being what they are, it makes sense that managers are citing fiscal limitations, not a lack of need, for any hiring halts.

Tactical hiring freezes require a different approach to drum up the critical skills necessary to prevent costly security breaches. Given the high stakes, it's worth considering other cost- and time-efficient strategies for bridging knowledge gaps and maintaining an effective security workforce.

The Factors at Play

The SANS survey illuminated a few other important trends. First, they found that attrition among security teams is even with or slightly lower than industry averages, sitting at 4.8% for the technology sector and 0.9% for the banking and finance sector. This is good news if you consider the correlation between staff tenure and performance. The survey's analysis clearly spells out why:

"No matter how much technology is used, and no matter how well-documented security processes and playbooks are, security teamwork is needed to work across the business to avoid vulnerabilities, to quickly react to new threats and to develop new techniques and processes."

The survey also found that when companies do look to hire, fewer than half of the respondents have a metric to help justify resource needs. This means that, in all likelihood, attrition is the sole factor in determining when companies bring on new members, placing headcount over the actual, measurable workload and effectiveness of a team.

The common thread running through all this is the acquisition and development of key skills. Managers cite the need for new skills as another justification for hiring, and when they can't find what they need from applicants, they tend to pony up for outside contractors to help bridge the gaps.

This all points to the conclusion that many companies, in the absence of proper metrics or a skilled applicant pool, may be better served by focusing their attention away from recruiting efforts and toward internal optimization.

What's Good for the Team is Good for Security

This is all to say that the easiest path toward a successful cybersecurity strategy lies within the lovable gang you've already got. This doesn't necessarily mean you have to give your payroll budget a massive boost. Please, pay your analysts well—they're an important part of your team and deserve great compensation—but know that SANS has seen evidence to show that throwing more money into salaries alone isn't enough to keep them around.

What actually helps keep staff on board is the chance to learn and develop new security tools, a clear-cut career path, and training to ramp up skills. Let's pause here and bust a quick myth: Training will not lead to churn. Your beloved team members probably aren't going to take their new-found knowledge to a higher paying job at one of your competitors.

There's evidence that highly skilled team members actually tend to hang around longer. SANS reports that funding for training is a commonality among teams that have been together the longest. This hints that companies that are relying on external consultancies to bridge skills gaps may reap rewards by diverting fiscal resources into staff education.

If the ability to experiment with new tools and techniques helps reduce turnover, it's worth giving staff space to innovate and test out software. At the very least, job satisfaction will improve. At best, you might end up with novel discoveries that will save time and money. Coincidentally, ExtraHop has a demo available.

Current staff is also your best bet for mining security and operations talent. Existing employees within IT organizations have been deemed a top source of successful hires for security teams (remember, a clear-cut path for advancement keeps teams together longer).

Beyond that, staff referrals were reported as a leading method for identifying qualified new team members. It all tracks—you hired great people, they know other great people and can help you bring them on board without costly recruiting resources.

To learn more about how these trends relate to your security operations team, including which skills and tools are in demand, read the ExtraHop-sponsored SANS report.
