Date: 2022-10-18

Security operations centers (SOCs) play a pivotal role in defending against today’s incessant cyber-attacks. Yet the people manning those centers are often stressed, burned out, and demotivated. A recent survey commissioned by @devo_Inc revealed that 71% of security professionals are likely to quit due to a combination of challenges in the SOC.

It takes months to fill vacant positions, according to the survey, so understanding the causes of SOC staff burnout and how to resolve it is important. That’s what members of the #CIO TechTalk community attempted to get to the bottom of in a recent Twitter chat sponsored by Devo.

When asked if they’d experienced burnout as a security practitioner, participants virtually rushed the stage to affirm their negative experiences.

I'm waiting to see who says 'nope', actually. Stress and burnout are endemic in our industry, and companies need to evaluate that as they're considering how to retain #cybersecurity experts. We're already facing a hiring shortage of new folks. #ciotechtalk

Kayne McGladrey, CISSP@kaynemcgladrey

#CIOTechTalk - this is like asking "is the sky blue"? - of course. However, when it comes, how much, & the result of it differs from various practitioners. I'd say IR/IH & SOC probably are worse off than, say, compliance folx. It's a gradient & situational.

Amélie E. Koran@webjedi

In the past, travel was a major contributor to burnout, according to TechTalkers:

When I was doing #infosec consulting. Endless months on planes and in hotels can drain you and leave you in a state of burnout. Combine that with a difficult client and adversarial employees, & it creates a perfect #burnout storm. #Ciotechtalk

Ben Rothke@benrothke

Devo CISO Kayla Williams pointed to evidence that a substantial number of SOC crews are overworked:

@devo_Inc’s new #SOCPerformanceReport found that 41% of survey respondents say their teams work up to 9 hours of overtime per week. Cybersecurity leaders must keep a pulse on this and help teams prioritize and lighten workloads. I find automation key for success #CIOTechTalk

Kayla@kayla_obviously

More ominously, some participants indicated they’d changed careers due to the pressures:

I did, in fact I experienced a burnout year in 2017, which culminated in a number of factors together requiring a career direction change - the #defense pressure and constant budget and attention challenges are hard. #CIOTechTalk

Wayne Anderson@DigitalSecArch

One revealed the physical toll, along with the sexist-tinged response of management:

They knew because it made me physically ill. They chose to tell me I wasn't "tough enough" to handle it. Read as female in a male role.

Joanne Friedman@joannefriedman

Very unfortunate. Gender bias is a bigger challenge in #infosec than the security challenge itself.

Moin Shaikh@moingshaikh

Women in security numbers have improved, but it's not great yet. Speaking from my experience, tech wasn't marketed towards me at all growing up. I got into tech by way of auditing & complementary skills #CIOTechTalk

Kayla@kayla_obviously

Many of the stress factors are equal opportunity, including lack of executive management empathy and unrealistic expectations. CIO TechTalk Moderator Isaac Sacolick kicked off some back-and-forth with his observations:

What I've witnessed with IT teams can be boiled down to unrealistic expectations. Too many priorities and not enough prioritization. One reason SOCs burn out more is it's an area that's hard to prioritize and where the biz can ill afford outages & headlines #ciotechtalk

Isaac Sacolick@nyike

At the very top - the #CIO and the #CISO - how you manage the expectations of your peer business leaders and show IT and protecting IT as part of the business mission directly contributes to the consumption of your team. #CIOTechTalk

Wayne Anderson@DigitalSecArch

I think this is a double-edged sword, some leaders are vilified for raising issues and concerns of security while others will hide them and tell the teams to get creative. I think how the risks and needs are presented to the business ultimately determines the outcome.

Taylor Parsons @iTweetITgeek

Several participants questioned whether leaders are listening to staff, or even whether they fully understand the security challenges:

We’re at a point where some execs are being left behind by rapid tech change. It’s obvious the same effect is happening with security leading to more disconnects. Also, some CISOs don’t have a seat at the table yet, and the org’s sec posture can suffer for it. #CioTechTalk

Will Kelly@willkelly

For leaders to listen, they might have to understand what they are listening to. Not all leaders understand security and it’s up to the security folks to communicate effectively. #CIOTechTalk

Arsalan Khan @ArsalanAKhan

And even more - do they know where to listen? Have you / your team been intentional about the channels to reach [execs|the field|sales|whomever]? Wiki, PPT, whatever. What's the cadence? Format? It's minutiae that saves you stress later. #CIOTechTalk

Wayne Anderson@DigitalSecArch

#CioTechTalk - Between personal experience and friends and colleagues they listen, but they do not hear.

Joanne Friedman@joannefriedman

But perceived management shortcomings reflect just part of a long laundry list of issues that contribute to the problem:

In no particular order:
- Understaffing
- Budget cuts to security
- Lack of exec support
- Security isn't part of the biz
- Legacy processes & mindsets still rule product delivery
- Reactive "Hero" culture still rules in the org

Will Kelly@willkelly

Participants were asked if the goals of the business and the SOCs are in alignment, kicking off a discussion on how to get the attention of business decision makers:

Not usually. But the words "brand value" get and keep their attention. #CIOTechTalk

Joanne Friedman@joannefriedman

Brand value and reputation risk certainly drive a lot of investment in #security these days. No one wants to be associated with a breach and investing in a SOC is one way to be proactive against attackers #CIOTechTalk

Kayla@kayla_obviously

The discussion concluded with a question on how organizations can better support security professionals. More resources, empathy, stress management programs, and communications were just a few of many suggestions. And speaking plainly:

Also helps to know: as a #CISO it’s a difficult conversation but have you talked with #CFO and board about what a survivable loss is? What an acceptable loss is? If you don't know that, how do you prioritize your real risk magnitude? #CIOTechTalk

Wayne Anderson@DigitalSecArch

Catch up with the full discussion at #CIO TechTalk