Devo CEO Walter Scott writes about using data to manage companies for excellence in operations, financial results, and employee engagement.
As CEO, you are ultimately responsible for every function in your organization. I am CEO of a data analytics and security company, and although I didn’t train to be a cybersecurity expert, I am responsible for the success of our security operation — just as I am for sales, finance, marketing, etc.
Cybersecurity is one of the most important functions in any enterprise. It protects business data, including customers’ personal information, and helps keep the company’s reputation intact. Cybersecurity professionals face stress and other challenges that CEOs need to understand — and fix — before they compromise the business.
Corporate leaders often don’t think about cybersecurity risks until it’s too late. Businesses continue to be hit by increasingly sophisticated cyberattacks, some so severe they have been extinction events for companies. That’s why you can’t allow cybersecurity to be managed just by the “security people.” It must be part of every CEO’s day-to-day job. If your company experiences a security breach, it is your responsibility.
To highlight the areas of security operations that require attention, my company recently published the second annual Devo SOC Performance Report, based on a survey of about 600 IT and IT security practitioners. A security operations center (SOC) consists of professionals who monitor for, investigate and respond to security incidents. Based on the results of the survey conducted by Ponemon Institute, the report shows a lot of work is needed to improve SOC effectiveness and reduce the pain of security analysts.
SOC teams are critically important to an organization’s reputation and success. Unfortunately, our research shows that too many businesses still don’t place sufficient emphasis on cybersecurity and the people who do the work. This causes burnout, turnover and related issues that could lead to a crisis from which your business may not recover. Every senior leader should ask not only how this affects their customers, the company’s bottom line, and the supply chain, but also how these actions affect their digital and physical security.
Some Good News, But Not Enough
The majority of survey respondents (72%) say the SOC is a key to their organization’s cybersecurity strategy. But while most respondents believe the SOC is “very important” or “essential,” SOC analyst work is still “very painful,” according to 78% of respondents. And 60% say the stress of SOC work has caused them to consider changing careers. Even worse, 69% of respondents say it is “very likely” or “likely” that experienced SOC analysts would quit. This puts the security of your business at risk and is a clear call to action for CEOs to improve the situation. If your SOC team fails because they are overworked, under-resourced and badly managed, that’s your failure.
The problem of SOC analyst stress is becoming widely reported. CRITICALSTART, a leading provider of managed detection and response services, recently published The Impact of Security Alert Overload, which found that “70% of respondents investigate 10+ security alerts each day, up dramatically from  when only 45% reported investigating more than 10 each day.” That increased workload causes fatigue and burnout while compromising organizational security.
Another recent study, The Life and Times of Cybersecurity Professionals 2020, by ESG and ISSA, found that cybersecurity work takes a toll on people: “The pace and stress of a cybersecurity job can lead to personal consequences—29% of respondents say that they’ve either experienced significant personal issues as a result of cybersecurity job stress or they know someone else who has.”
Turf wars and organizational silos also cause analyst pain. Sixty-four percent of respondents in our company’s report say a huge impediment to SOC success is internal battles over who is in charge of what. Connect the dots and you’ll realize that an organization rife with infighting is more vulnerable to the potentially devastating effects of a successful cyberattack. When cybercriminals or nation-states attack, they want data they can sell or use for espionage or other illicit purposes. A SOC team’s job description is simple: Don’t let that happen. And that’s a tough enough job without politics making it harder.
What A CEO Can Do
Addressing these challenges requires improving communications and information sharing among your organization’s security, IT and other teams.
The problems affecting SOCs are exactly why CEOs and CISOs need to talk often. Once everyone starts sharing information, barriers disappear, collaboration begins and your organization’s security improves.
Other changes to help reduce analyst burnout and improve SOC effectiveness include:
- Full visibility: SOC analysts can’t secure what they can’t see. Analysts must have full visibility into all of the data they need to secure. Seventy-eight percent of SOC Performance Report survey respondents from highly effective SOCs (rated as a seven or above on a 10-point scale) cite lack of visibility as the biggest analyst pain point.
- Give analysts the right tools: There are many cybersecurity technologies on the market. The key to a successful SOC isn’t having the most tools — it’s having the right ones. Challenge your security leaders to seek input from front-line staff about which tools will enable them to do their best work. And make sure those tools integrate seamlessly.
- Align the SOC with business needs: Forty-five percent of respondents say their SOC isn’t in step with the needs of the business, according to our company’s report. This frustrates analysts and makes security far less effective. Empower your SOC team to focus on the threats that matter most to your business.
- Invest in people: SOC analysts overwhelmed by long hours, too many alerts and lack of visibility into the attack surface are much more likely to quit. Make your SOC a place where skilled professionals want to work. Invest in training to give analysts a career path. Put people first and you won’t lose the analysts you have or be forced to try to fill openings where there are more jobs than qualified candidates.
Now that you can see how SOC analysts’ pain can compromise your organization’s security, it’s time to fix the problems.
Featured in Forbes | August 28, 2020