Improving team retention with SOAR


Miles Tappin, VP of EMEA at ThreatConnect, explores how SOAR can help to improve team retention in the cybersecurity industry

Retention of employees is something that the cybersecurity industry has been struggling with since long before the current socio-economic climate. As early as 2015, MIT Technology Review and Peninsula Press pointed out that more than 200,000 cybersecurity positions went unfilled while the demand for security-related positions was expected to grow by 53% through 2018.

As you can imagine, a worldwide pandemic only exacerbates this problem: “in early 2019, Gartner TalentNeuron data predicted that there would be a global shortage of two million cybersecurity professionals by the end of 2019. The global pandemic has further escalated this situation. In spite of a decline in new job postings between 1st February and 10th April (2020), both the U.S. and U.K. saw a surge in demand for info security roles. There was a 65% upswing in demand in the U.S. and an increase of more than 5% in the U.K.”

The virus forced a rapid organisational evolution of business operations, condensing a transformation that has historically taken at least a decade into a few months. Hasty growth brings swift change, swift change causes gaps, and gaps are threat actors’ specialty. Like clockwork, when force majeure events occur, threat actors expedite their tactics, techniques and procedures, making companies that are struggling to hire and retain security professionals even more vulnerable.

The knock-on effects of being understaffed

Research conducted by ISACA found that “only 21% of ‘significantly understaffed’ respondents report that they are completely or very confident in their organisation’s ability to respond to threats.” They went on to say, “the impact goes even further, as the research found that enterprises struggling to fill roles experience more attacks, with the length of time it takes to hire being a factor.” The organisations that were unable to fill their open security positions experienced the most attacks.

As Sandy Silk, Director of IT Security Education & Consulting at Harvard University, states, “security controls come down to three things—people, process and technology—and this research spotlights just how essential people are to a cybersecurity team. It is evident that cybersecurity hiring and retention can have a very real impact on the security of enterprises. Cybersecurity teams need to think differently about talent, including seeking non-traditional candidates with diverse educational levels and experience.” This forces us to adopt new hiring strategies, which can be very expensive.

Where SOAR comes in

One factor in retention is satisfaction, and one factor in satisfaction is listening to, understanding, and acting on the challenges that a person or team is facing. In working with many incident response, security operations, and threat intelligence teams, these challenges are often clustered around a few themes: large volumes of uncontextualised data (alerts, events, tickets, IOCs); no relevant context around that data; manual and ad-hoc processes for the collection, analysis and dissemination of the data; and the length of time it takes to find relevant intelligence, which negatively impacts speed and accuracy.

SOARs act as a collection and analysis hub for threat intelligence, security operations, and incident response data and processes. Intelligence and operations are built on a cyclical relationship. As intelligence dynamically changes, it should affect the decision-making process as a result. The automation and orchestration informed by threat intelligence make an organisation’s pre-existing technology investments and security team more efficient and effective. Threat intelligence housed in a SOAR influences decisions related to security operations, tactics, and strategy. SOARs help security teams prioritise response, standardise processes, and gain instant access to relevant threat intelligence to improve the speed and accuracy of their detection and response. This makes the security team’s job a lot easier.

Providing a knowledge-management solution that automates manual processes optimises lean teams, creates efficiency, and frees up team members to focus on doing the job they were hired to do, and the job they enjoy doing. It also gives managers visibility into the output of their team so they can coach and train them in a meaningful way. The most impactful development happens not through formal programmes but through smaller moments that occur within the workplace: on-the-job learning opportunities that are wholeheartedly catered to the worker’s unique needs and challenges.

Don’t forget about culture

Ultimately, the most crucial factor of retention is culture. Specifically, a culture that consists of empowerment, career growth and development, integrity, and collaboration. The stronger the mix of these ingredients, the more productive the team becomes. SOARs do some of the dirty work in enabling these elements to blossom. They are a workbench for security teams to create step-by-step, dynamic workflows around best practices, collaboration during analysis or investigations, and visibility into data, teams and their processes so tailored training and coaching can be provided. Technology alone will not solve this problem, but it can be a helpful partner in developing team satisfaction and thus improving retention.

