Cybersecurity suffers from a certain asymmetry: attackers only need to succeed once to achieve their goals, while defenders must stay at the top of their game at all times. That means organizations need to do everything they can to put security analysts in the best possible position to succeed.
Yes, that includes ensuring advanced detection and remediation tools are at their disposal. But it also means looking at other strategies to improve the analyst experience: creating or improving processes that identify knowledge gaps and common mistakes, and finding opportunities to offer analysts the education and training they need to do their jobs effectively and grow their skills and experience.
Applying technology to improve worker effectiveness and productivity is hardly a revolutionary idea, but such principles aren't always easy to apply to cybersecurity. When we break security operations down into phases, however, we can start to measure how effective analysts are in each phase, and those measurements offer a proxy for analyst experience. Are they acting quickly enough? Taking the right steps? Do they have the right tools at their disposal to address risks or active threats effectively? These are just a few of the questions we could ask of our security operators. Before asking any of them, we should know what action we plan to take based on the measurements we get back.
That’s the sort of critical thinking that organizations must apply if they want to understand and then potentially address problems that might affect analyst performance. Ensuring that analysts feel the organization has invested in their success can not only help improve performance, but avoid problems like inattentiveness and burnout.
Technology can improve not just analyst performance but the overall analyst experience. There is a wide range of areas where applying it produces measurable gains in both the efficiency and the overall performance of analysts. Here are five ways to start:
Improve the onboarding process. How long does it take to train a new security analyst? What percentage of employees need additional training? If employees frequently struggle to master certain skills or procedures, it’s time to look critically at the onboarding process and identify areas for improvement.
Identify knowledge gaps. By tracking a set of metrics, for example the time needed to work each class of alert, organizations can identify knowledge gaps for individual analysts and provide them with appropriate training. This leads to better results for the employer and additional knowledge and experience for the employee. It also helps organizations identify and offer professional development opportunities proactively.
Avoid repetitive tasks. Repetitive, manual tasks are one of the most commonly cited causes of burnout in the cybersecurity industry. Organizations should measure how much time analysts are currently spending on tasks that could be automated with the right tools in place. It’s also worth noting less experienced analysts are often the ones that end up assigned these undesirable tasks. Automation can help prevent new analysts from becoming disillusioned, allowing them to focus on more important work and accelerate their professional development.
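The two measurements just described, per-analyst handling time by alert class (to surface knowledge gaps) and the volume of uniform, repetitive work (to surface automation candidates), can be computed from the closed-alert records most case-management tools already export. The script below is an added example, not code from the original article or from Expel; the alert records are constructed, and the thresholds (an analyst median at 1.5x the team median counts as a gap; a high-volume class with a coefficient of variation under 0.25 counts as repetitive) are assumptions to be tuned per team.

```python
"""Added example: handling-time metrics over closed-alert records to surface
knowledge gaps and automation candidates. Thresholds are assumptions."""
from collections import defaultdict
from statistics import mean, median, stdev

# Constructed sample of closed alerts: (analyst, alert_class, minutes_to_close).
# Made-up records for illustration, not data from any real SOC.
CLOSED_ALERTS = [
    ("alice", "phishing_report", 10), ("alice", "phishing_report", 11),
    ("alice", "phishing_report", 10), ("alice", "phishing_report", 12),
    ("bob", "phishing_report", 9), ("bob", "phishing_report", 10),
    ("bob", "phishing_report", 11), ("bob", "phishing_report", 10),
    ("carol", "phishing_report", 11), ("carol", "phishing_report", 10),
    ("carol", "phishing_report", 12), ("carol", "phishing_report", 10),
    ("alice", "impossible_travel", 20), ("alice", "impossible_travel", 25),
    ("alice", "impossible_travel", 22),
    ("bob", "impossible_travel", 45), ("bob", "impossible_travel", 50),
    ("bob", "impossible_travel", 40),
    ("carol", "impossible_travel", 24), ("carol", "impossible_travel", 21),
    ("carol", "impossible_travel", 26),
    ("alice", "edr_malware", 60), ("alice", "edr_malware", 70),
    ("bob", "edr_malware", 55), ("bob", "edr_malware", 65),
    ("bob", "edr_malware", 60),
    ("carol", "edr_malware", 110), ("carol", "edr_malware", 115),
    ("carol", "edr_malware", 120),
]


def group_minutes(alerts):
    """Return {alert_class: {analyst: [minutes_to_close, ...]}}."""
    by_class = defaultdict(lambda: defaultdict(list))
    for analyst, alert_class, minutes in alerts:
        by_class[alert_class][analyst].append(minutes)
    return by_class


def knowledge_gaps(alerts, ratio=1.5, min_samples=3):
    """Flag (analyst, alert_class) pairs whose median handling time is at least
    `ratio` times the team median for that class. Analysts with fewer than
    `min_samples` closures of a class are skipped: one slow ticket is noise,
    not a gap. Returns (analyst, alert_class, own_median, team_median)."""
    gaps = []
    for alert_class, per_analyst in group_minutes(alerts).items():
        team_median = median(m for ms in per_analyst.values() for m in ms)
        for analyst, minutes in per_analyst.items():
            if len(minutes) < min_samples:
                continue
            own_median = median(minutes)
            if own_median >= ratio * team_median:
                gaps.append((analyst, alert_class, own_median, team_median))
    return sorted(gaps)


def automation_candidates(alerts, min_count=6, max_cv=0.25):
    """Alert classes that are high-volume and closed in a predictable, uniform
    amount of time: a proxy (assumption) for repetitive manual work worth
    automating. Returns (alert_class, count, total_minutes, cv), largest
    total analyst time first."""
    candidates = []
    for alert_class, per_analyst in group_minutes(alerts).items():
        minutes = [m for ms in per_analyst.values() for m in ms]
        if len(minutes) < min_count:
            continue
        cv = stdev(minutes) / mean(minutes)  # coefficient of variation
        if cv <= max_cv:
            candidates.append((alert_class, len(minutes), sum(minutes), round(cv, 3)))
    return sorted(candidates, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for analyst, alert_class, own, team in knowledge_gaps(CLOSED_ALERTS):
        print(f"gap: {analyst} takes {own} min on {alert_class}, team median {team}")
    for alert_class, count, total, cv in automation_candidates(CLOSED_ALERTS):
        print(f"automate: {alert_class}: {count} alerts, {total} analyst-minutes, cv={cv}")
```

On the constructed data this flags bob on impossible-travel alerts and carol on EDR malware alerts as training candidates, and phishing reports (twelve closures, all within a couple of minutes of each other) as the class where automation would buy back the most analyst time. The point of the minimum-sample and ratio guards is that these numbers are meant to start a conversation about training, not to rank people; a metric with no planned action behind it is exactly what the article warns against.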
Challenge all assumptions. Imagine an analyst looks at a login from a country they haven't seen before. Determining whether it's an attacker or a traveling employee requires looking at data, querying business systems, or interacting with various people; that's a lot of valuable time spent on validation. Is that time well spent? It's useful to challenge the assumption that it is. As an analogy, imagine being in charge of physical security for a bank and wanting to keep unauthorized people out of the vault. There's one security guard: where should they go? Probably not in the parking lot inspecting every car. Probably not in the lobby, checking each customer. More than likely they would be posted in front of the vault door. The same thought exercise applies to security resources. Instead of spending analyst time reviewing each login from an unusual country, organizations could spend that time applying controls like 2FA or conditional access policies, so that a stolen password from an unexpected location fails at the door rather than landing in an analyst's queue. Looking for precursors to suspicious activity can help, but using technology to create pinch points may result in greater ROI.
Keep the focus on the analysts. Never forget that analysts are the lifeblood of any good security operation. Automated tools are great, but they can't stand alone; they're most effective when used to augment and amplify the decision-making of talented analysts. And applying benchmarks to measure analyst performance and identify areas for professional development creates a win-win scenario, both improving results and generating opportunities for career advancement.
Today’s organizations can’t overlook the importance of the analyst experience. Putting analysts in a position to succeed leads to better results for everyone involved.
Peter Silberman, chief technology officer, Expel