Level 1 security operations center (SOC) analysts have the worst job in the cybersecurity world. The role of L1 SOC analyst can be repetitive, tedious, and (often) boring. Despite this, the L1 SOC analyst is also one of the most vital roles for the future of the security organization.
L1 SOC analysts are the gateway to talent in the security organization. It is the closest thing to an entry-level role in cybersecurity, and many see landing a security analyst job as the way to kick-start their future in the field.
Frustrations with the job abound, however. In research we did on the security analyst role, one analyst said, “You must be willing to go the extra mile and put in the additional hours, because security is not an eight-to-five job.”
According to Forrester’s Business Risk Survey, when asked about the primary challenge to their organizations’ ability to manage cyber risk effectively, 27% of IT security decision-makers cited cybersecurity staff burnout. Ultimately, in many organizations, this is a self-inflicted wound: they create a talent burnout pipeline instead of a talent growth pipeline.
One of the biggest factors in employee burnout is a lack of personal satisfaction and enrichment from one’s work. In most SOCs, L1 analysts triage alerts, then hand off deeper investigation and response to level 2 analysts and above. This limits how much an L1 analyst can learn and how much satisfaction they get in their role, as they remain stuck in the purgatory of alert escalation or closure. Without getting the much-needed exposure to deeper analysis and response actions, it’s difficult for L1 analysts to reach the next level in their careers. They also do not feel a real sense of accomplishment without having followed an alert through its lifecycle — from triage, investigation, and response to closure.
Furthering the challenge, even those who have the technical skills are often trained on products, not principles. They get trained to use Splunk or CrowdStrike but are rarely trained on how to build detections, investigate, and respond to security incidents, which is frequently tribal knowledge. The dirty secret of the SOC is that we expect entry-level talent — security analysts — to practice security principles without ever teaching them what they are or how to do so.
Let SOC Analysts Do Their Job
To change this, we must tear down the tiered analyst system. We’ve seen this approach succeed in large enterprises and at security vendors. In the new model, every analyst takes alerts from start to finish, regardless of their skill level or how new they are to the job. This helps green staff learn the ins and outs of investigation and response faster, instead of stalling their growth at triage. It also builds a deeper bench of talent for the organization, as more analysts can now address alerts more quickly and with more skill than before.
To succeed, it’s critical to leverage veteran security analysts for mentoring. Take a pair programming approach to investigation and response, with more experienced analysts helping newer analysts walk through the response process and learn. This also helps veteran analysts stay engaged over the longer term by stretching their mentoring and leadership skills.
Developing a detection engineering practice can help enable this shift, as well (read our research on that for more info). To get more in-depth on breaking down the tiered structure or developing a detection engineering practice, schedule an inquiry or guidance session with me.