Blue Teams have a burnout issue. Here is why and what can be done about it

Let’s talk about burnout. I know, not a new topic. I even mentioned burnout as one of the reasons why I was failing at learning in this article. But, recently, I came across the Voice of the SOC Analyst poll, conducted by Tines, in which 468 current SOC Analysts from organizations with at least 500 employees were surveyed. The results showed burnout is perhaps even more widespread than I had originally thought: 71% of the analysts polled reported experiencing some level of burnout, and 47.6% reported feeling very burned out at work.

In this article I want to share my take on why burnout is so widespread in SOCs and other blue teams around the globe, and what can be done about it.

Why burnout runs rampant

1. Cybersecurity is still a very young field

… and that comes with its own set of pros and cons. While it can definitely be a thrilling environment filled with growth opportunities, the lack of maturity in certain organizations and the ever-moving goalposts can take a toll on any blue teamer. Many of the points made later in this article are connected to the fact that this industry is young and still in the early stages of development and maturity in most aspects and at all levels, from entry-level analysts to C-level executives. Another symptom of this early stage is the recurrent feeling of always being behind and having to catch up, either to some standard or to the activities of a threat actor.

2. The nature of the job

The traditional attack-defense nature of cybersecurity does not help in the fight against burnout. There is a never-ending feeling of extreme competition: against other cybersecurity providers, against threat actors, against the clock to keep up with cybersecurity news and feeds, and so on.

Though this varies with the environment and the maturity of an organization, many SOC Analysts also feel a lack of proactiveness in their day-to-day work, almost as if they were playing a game they are ultimately destined to lose, since all they do is play defense.

Another factor contributing to burnout that is part of the nature of a SOC Analyst or blue team role is the immense impact a single breach can have, far beyond the organization that employs them. Joint research by IBM and the Ponemon Institute put the average cost of a breach in 2021 at $4.24 million. A SOC Analyst’s routine involves making dozens if not hundreds of decisions per day that are arguably among the most critical to their organization’s bottom line, while being well aware of how costly a relatively easy-to-make mistake can be. Long-term exposure to this pressure can increase the level of burnout of a blue team professional, more so in organizations that do not take burnout into consideration or do not make actively fighting it one of their priorities.

3. The problem with tools

A lot of SOC Analysts also face challenges with the very tools they use to do their jobs. Guided by overly persuasive vendors, many organizations fail to realize the impact a new tool can have on their SOC Analysts and the rest of their cybersecurity operation, in terms of the tuning and expertise needed to make those tools useful. Though there will always be a new tool to chase, or one that claims superior capabilities over those already deployed, tool-hopping has very negative consequences.

Growing that expertise and performing properly tailored tuning of a new tool can be an effort that extends over several months, while fully optimizing a tool to take advantage of all its features can take years. In many organizations, the lifecycle of a tool is far too short for the tool itself to reach a high level of optimization.

Environments with too many untuned or unoptimized tools cause high levels of alert fatigue. SOC Analysts are well aware when they are investigating and reviewing, time and time again, alerts that provide little to no value to their organization and mission. Though alert fatigue has many other negative consequences (lack of financial return, increased risk of compromise, etc.), burnout among those in charge of triaging alerts is definitely one of them.

4. An old-fashioned mindset

I briefly mentioned this point in our first article, where I identified it as a major contributing factor to imposter syndrome.

Security teams sometimes have an “us vs. them” mentality that can be counterproductive and even toxic. The “them” is not necessarily an external entity, but often refers to other in-house teams or departments. Operating in a silo, with little to no collaboration between internal teams, and without a strong security-minded culture that spreads throughout the entire organization, will increase the levels of burnout in a SOC, which will feel increasingly alone with the task at hand.

In some cases, there is also an inherited, old-fashioned “tough-guy” culture within our field. The same attack-defense nature can establish an ego hierarchy in which everyone is constantly competing and comparing, and analysts feel a growing fear of judgement, or simply do not want to be singled out, if they show “weaknesses” such as asking clarifying questions or asking for help during an investigation. This is even more pronounced when the issues analysts fear being judged for are mental-health related, in work cultures that prioritize the appearance of toughness.

Needless to say, both operating in silos that do not allow for collaboration and fostering a “tough guys only” culture can contribute to rapid burnout within your blue team(s).

5. The business side of cybersecurity

A lot of the potential solutions to the burnout epidemic that I will mention below would require investment in resources for SOC and cybersecurity teams, which relates to this point.

The sad reality is that many security budgets have simply not kept pace with the rising threat levels of the last couple of years, and do not allow for a much-needed increase in capabilities. This is not only about increasing the size of a security department or the number of analysts, but about expanding their activities beyond response into more proactive and modern endeavors (CTI, threat hunting, SecDevOps, etc.) that support a SOC.

Some organizations fail to look at their cybersecurity operations as anything more than an added cost, while other organizations that sell security services, such as MSSPs or MSPs, can be so focused on maximizing their profits that further maturity and structure are often overlooked.

It is definitely important to find a balance and prioritize every effort so as not to sacrifice the long-term future of an organization, but the clear lack of investment in many organizations will contribute to burnout, among other net negative consequences.

What can be done about it

As this tweet by Adam Karpiak (a great follow) points out, I feel companies need to be more cognizant of the impact burnout can have on their organization’s long-term strategy. In most cases, a burnt-out employee who ends up leaving the organization has acquired a tremendous amount of experience and very valuable expertise that can prove hard to replace effectively, even at a higher salary.

The truth of the matter is that threat actors do not care about burnout on blue teams. SOC Analysts and cybersecurity professionals need help, and they are not going to get it from the adversary. Thus, a lot of companies and leaders need to do their part. Many are simply failing to take burnout into account and act upon it.

Here are a few areas to tackle or focus on to prevent burnout from running rampant in your organization.

1. Automation is a must

A staggering 66% of the 468 SOC Analysts polled by Tines believed that at least half of their workload could be automated today.

A modern cybersecurity posture should extend well beyond response-only roles and build a sufficient support system for its mission and its SOC via one or more DevOps/engineering teams.

Automation not only frees up an analyst’s time and helps prevent burnout, but also allows organizations to increase their capabilities without hiring more personnel. With the majority of repetitive tasks that do not require critical thinking automated, analysts can invest their time in more mission-critical efforts, such as updating operational documentation, developing advanced detection rules, integrating more systems and logs, focusing on cyber threat intelligence, or tuning rules to reduce false positives.

2. Training is not a perk

Security operations teams have never had more tools, data points and logs available to them. While this is intrinsically a good thing, it can quickly mean a lot of unorganized, out-of-context and unactionable data for a team to ingest, as well as create multiple skill gaps across a wide range of tools within a short period of time.

Providing relevant training is by far the most efficient way to combat the app sprawl and scope creep many security operations teams face, prevent technical debt from growing over time, and battle widespread burnout.

Including recurrent, tool-specific training in the deal to acquire a tool should be a no-brainer. Additional training to either expand or reinforce the skills of your workforce should never be seen as a perk, but as a necessity in order to keep the cybersecurity posture of an organization at a net positive.

3. Leaders need to pave the way for growth

One of the easiest ways to lose a capable and valuable employee is by failing to support them, and blue team professionals are no different.

It will always pay off for leaders to carve a few minutes out of their meeting-filled weeks to check in with their analysts, celebrate their victories and offer guidance when needed.

But the support should go beyond that surface level. Providing training that allows analysts to improve in technical areas that align with their interests will both ease their burnout and benefit the overall operation with in-house talent that can even be transitioned into a hybrid role if the organization’s budget is limited (e.g. cyber threat intelligence, detection engineering, programming/automation, etc.).

Creating and maintaining that pipeline for growth will undoubtedly give organizations greater maturity, help against burnout, and ultimately foster a number of blue team professionals who are experienced within the organization’s environment and ready for upward mobility.

4. Being smart about metrics

Organizations should move away from quotas and other non-contextual individual metrics, such as time spent per alert or number of tasks completed. These analyst-specific metrics fail to tell the whole story and condition analysts not to conduct thorough analysis, as well as encouraging other poor habits.

Tracking analyst metrics at a macro level, not only to measure team performance but to gauge your own operational maturity, is definitely important. Moving away from metrics that promote speed over everything else will also give analysts much-needed room to breathe in an already high-pressure environment.

Good replacements for this type of metric would be the answers to questions such as “Are there repeat incidents flowing into the SOC?”, “Is the SOC handling alerts for known or recent threats?”, “How often are there deviations from SOC procedures or runbooks, and why?”, or “Are the tools in place configured to best practices? Is there a review cadence?”.
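One way to turn two of these macro-level questions (repeat incidents, and the untuned tools behind the alert fatigue discussed earlier) into numbers, as an added Python example that is not part of the original article, run over a constructed sample of closed alerts; the rule names, hosts and dispositions are made up for illustration:

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of closed SOC alerts (not real data):
# (rule, host, closed_at, disposition)
SAMPLE_ALERTS = [
    ("suspicious_powershell", "ws-01", "2022-03-01T09:00", "true_positive"),
    ("suspicious_powershell", "ws-01", "2022-03-03T10:30", "true_positive"),
    ("suspicious_powershell", "ws-07", "2022-03-04T11:00", "false_positive"),
    ("dns_tunneling", "srv-02", "2022-03-02T08:15", "false_positive"),
    ("dns_tunneling", "srv-02", "2022-03-02T08:20", "false_positive"),
    ("dns_tunneling", "srv-09", "2022-03-05T16:45", "false_positive"),
    ("brute_force_login", "vpn-gw", "2022-03-06T02:00", "true_positive"),
    ("brute_force_login", "vpn-gw", "2022-03-25T03:10", "true_positive"),
]


def repeat_incident_rate(alerts, window_days=14):
    """Share of confirmed incidents that hit a host already confirmed for the
    same rule within the window: a team-level signal that root causes are
    not being fixed, rather than a per-analyst speed metric."""
    last_seen = {}
    repeats = total = 0
    for rule, host, ts, disp in sorted(alerts, key=lambda a: a[2]):
        if disp != "true_positive":
            continue
        total += 1
        when = datetime.fromisoformat(ts)
        prev = last_seen.get((rule, host))
        if prev is not None and when - prev <= timedelta(days=window_days):
            repeats += 1
        last_seen[(rule, host)] = when
    return repeats / total if total else 0.0


def tuning_candidates(alerts, fp_threshold=0.5, min_alerts=3):
    """Rules whose false-positive share is at or above the threshold (with
    enough volume to judge): the untuned detections driving alert fatigue."""
    per_rule = defaultdict(Counter)
    for rule, _host, _ts, disp in alerts:
        per_rule[rule][disp] += 1
    out = {}
    for rule, counts in per_rule.items():
        n = sum(counts.values())
        fp_share = counts["false_positive"] / n
        if n >= min_alerts and fp_share >= fp_threshold:
            out[rule] = round(fp_share, 2)
    return out
```

Widening the window changes the repeat rate, which is the point: the metric is only meaningful alongside the review cadence the team has agreed on.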

5. Truly promote work-life balance

We have already addressed why cybersecurity operations can be such a burnout-prone field. One of the simplest ways to limit burnout is improving work-life balance.

Of course, this is a two-front effort. Analysts can benefit from prioritizing their workload, making use of support systems, and ensuring that they make time for activities that contribute to their mental and physical health and personal satisfaction.

But organizations play a fundamental role in the work-life balance of their employees and need to own up to their responsibility. For example, an unlimited PTO policy is as good as no PTO if employees are not actively encouraged to make use of that time off. Expecting analysts, even implicitly, to stay overtime routinely is a clear indication that the team needs to grow, or that alternative schedules (4x10s or 3x12s) need to be considered.

While certainly some HR-crafted policies can encourage a good work-life balance, truly promoting it requires active engagement and participation from all levels of leadership within an organization.

These are my thoughts around the big problem of blue team burnout. Did I miss any important point? Do you have any questions? Let’s continue the conversation either here or on Twitter @spapjh.
