If you build it, they will come: Four steps to building a security operations centre that top talent wants to be a part of

In an age where junior analysts stay at a job for an average of only 12 to 18 months, building an effective SOC means creating an environment that skilled workers are drawn to and that has career staying power. Allistair Scott, Senior Security Engineer EMEA at Exabeam, argues that CISOs, HR executives and C-suite leadership all share the responsibility of building a SOC people want to join and finding the right team to staff it.

This is a contributed article by Allistair Scott, Senior Security Engineer EMEA at Exabeam

As the security industry continues to struggle with the ongoing cybersecurity skills shortage, filling open vacancies is only half the battle. The other, arguably more difficult half, is keeping hold of talented individuals. With so many organisations trying to fill their own vacant positions, headhunting and poaching are an ever-present threat. In fact, the situation has become so bad that the average retention period for a junior analyst is currently only 12 to 18 months. In such a competitive environment, how can organisations stop their top talent from jumping ship at the first available opportunity? The answer lies in building an environment that skilled workers genuinely want to be a part of: one that draws people in, offers clear lines of progression and enables them to feel fully invested in a wider community.

The responsibility for this doesn't fall to just one person; it is a collective effort spanning senior leadership, security operations centre (SOC) managers and a wide range of other internal departments. This article offers four key tips to help every organisation make a security career in its SOC as attractive as possible.

  • Building an attractive work environment starts right at the top

As with many aspects of business, the culture within any SOC is set at the top. However, recent research suggests this is usually where the problems start. For example, Exabeam's own 2020 Cybersecurity Professionals Salary, Skills and Stress Report highlighted the need for leadership to take better care of employees in order to avoid burnout. Unfortunately, many CISOs and senior leaders don't spend enough time getting to know their employees or building the kind of relationships that instil true loyalty. Employees need to feel their leaders care about their career development and goals; otherwise it's easy to walk out the door whenever a good opportunity presents itself.

  • Take an interest in (and encourage) employee passion projects

For many security professionals, their interest in the industry goes beyond their job. It's also a personal passion that can give rise to numerous side projects and initiatives. In such cases, organisations should make a point of supporting these projects (provided they don't interfere with an employee's main responsibilities). While moments of downtime can be rare in SOCs, it's important to have projects planned for those rare occurrences that can reinvigorate employees' passion for their work.

  • Create a collaborative working environment

With the world still in the grip of the COVID-19 pandemic, most SOCs are operating remotely for the time being. However, as more employees start returning to the workplace, taking the time to create a collaborative work environment can pay major dividends. Rather than making decisions unilaterally, leaders should consult employees about the kind of environment they want to work in, paying attention to workspace layout, lighting and amenities. An inviting environment encourages collaboration and makes the SOC a place employees want to be, not just somewhere they have to be.

Without the right tools, security professionals are often forced to comb manually through thousands of alerts a day, trying to weed out actual incidents: the cyber equivalent of finding a needle in a haystack. Such work is both laborious and unproductive, hardly the kind of approach that makes staff feel valued or engaged. To counter this, organisations must invest in tools and solutions that reduce the manual burden and enable employees to focus on more stimulating and productive activities. Technology such as machine learning-based user and entity behaviour analytics (UEBA) can significantly reduce the need for manual investigation, whilst helping ensure malicious activity isn't missed.

  • Take the time to foster strong cross-departmental relationships

Many organisations have a bad tendency to keep security teams siloed away from the rest of the business, which can greatly diminish productivity and create tension with other departments. Taking the time to build strong working relationships with other departments, such as IT, HR and operations, will help ensure smoother, more coordinated responses in the event of an incident. Furthermore, the added sense of community this creates feeds into security team members' sense of belonging within the wider company.

While the security industry's recruitment woes often grab the headlines, far less attention is paid to how organisations can retain and grow the talent they already have. The answer lies in making employees feel like indispensable members of the team, with space to grow professionally in line with their own ambitions. There are many ways to achieve this, from something as simple as reorganising the SOC's working environment, to investing in technology that improves operational efficiency, to ensuring the team has strong links into the wider organisation. Employees who feel valued will be far less likely to jump ship at the first possible opportunity, giving organisations a much better chance of closing the skills gap so many of them face.

Allistair Scott is Senior Security Engineer EMEA at Exabeam. He has been in the IT industry for over 25 years, working in operational security roles across a broad spectrum of industries, including the engineering, manufacturing and finance sectors. His expertise covers a wide range of topics, including breach defence and response, security automation and orchestration, threat intelligence, and cloud security.