SOC Analysts Quitting over Burnout, Lack of Visibility

Security operations center (SOC) analysts are so exhausted from increasing workloads and too many alerts, that a high number of them would consider leaving their jobs or changing careers.

That’s according to a new survey released by Devo Technology and conducted in partnership with the Ponemon Institute. Ponemon surveyed 554 IT and IT security practitioners in organizations that have a SOC and are knowledgeable about cybersecurity practices in their organizations. Their primary tasks are implementing technologies, patching vulnerabilities, investigating threats and assessing risks.

Devo’s Julian Waits

Julian Waits, general manager of Devo’s cyber business unit, tells us when examining what makes working in the SOC difficult, the primary theme that emerges is visibility. According to 65% of respondents, there is a lack of visibility into the IT security infrastructure that prohibits SOC success. The top reason for SOC ineffectiveness, according to 69%, is lack of visibility into network traffic.

“In addition, respondents have a difficult time identifying threats because they have too many indicators of compromise (IOCs) to track, too much internal traffic to compare against IOCs, lack of internal resources and expertise, and too many false positives,” he said. “These factors are leading 53% of respondents to rate their SOC’s ability to gather evidence, investigate and find the source of threats as ineffective.”

Finally, what’s making working in a SOC difficult is the lack of alignment, Waits said. SOCs are not aligned (49%) or only partially aligned (32%) with business needs, making it difficult to gain senior leadership’s commitment to providing adequate funding for investments in technology and staffing, he said. Further, the SOC budget is inadequate to support the necessary staffing, resources and investment in technology, as on average, less than one-third of the IT security budget is used to fund the SOC.

“For smaller and midsize organizations, MSPs and MSSPs can introduce efficiencies that can be difficult to achieve outside a more mature organization,” he said. “But size and maturity matter. Smaller organizations tend to outsource due to lack of in-house expertise and technologies, and to improve efficiencies such as in preventing, detecting and containing cyberattacks, [while] outsourcing decreases the larger and more mature the organization. More than half of organizations overall are outsourcing all or part of their SOC due to lack of in-house expertise and technologies, and to improve efficiencies. Sixty percent of respondents say the outsourcing of their SOC saves money, which is important because many respondents cited budgetary constraints as a problem in having a successful SOC.”

Organizations are shifting to the cloud, as 53% of respondents said what best defines the IT infrastructure that houses their SOC is mostly cloud (29%) or a combination of cloud and on-premises, while 47% said it is on-premises.

Some 51% said their companies invest in threat intelligence feeds. Of these organizations, 54% said the threat intelligence feeds combine open source and paid feeds. Some 60% of respondents in organizations that invest in threat intelligence feeds develop custom feeds based on a technology profile.

The exploits most commonly identified by the SOC are malware attacks (98%), exploits of existing or known vulnerabilities (80%), spear phishing (69%) and malicious insiders (68%).

There are three main steps towards alleviating SOC stress and burnout, Waits said.

“First, listen to your analysts: Leaders face a mandate to reduce the stress and pain that comes with working in the SOC,” he said. “The No. 1 recommendation from respondents is to …