5 Tips for Motivating Cyber Talent

June 28, 2017
Security Operations Centers: Post by Kathryn Knerler

As a new operations manager, I’ll never forget the crushed feeling I experienced when the first superstar left on my watch. He could figure out what was happening technically, he was quick and accurate, and best of all, he could write well and brief executives. He was the reason I could sleep at night—I knew he was "on it." Then one day, he walked into my office and told me he was leaving. I had not planned for him to leave, and there was no one on the team who could fill his shoes. This was the first in a long line of analysts to leave. I took it personally for a while; then I started realizing this was happening to my counterparts at other SOCs. In some cases, we were trading analysts—one would leave the SOC I managed, and I would gain one from another.

I slowly realized this was the nature of running SOCs. I adopted a staffing model that included planning for cyber talent rotating out every two years. I found it very challenging and counterintuitive to think about the talented team members I just hired leaving in two years. Yet once I accepted this fact, it was very freeing to acknowledge the reality that it’s challenging to retain cyber talent. From my experience, cybersecurity analysts stay in a job they like for about two years.

The best cyber practitioners have a lot of options and usually like a change of scenery to stay sharp. I found that even if you provide analysts the right motivators, they still tend to leave after a few years—but that’s better than leaving after three to six months. Some of it is the nature of a curious analyst who wants broad experience across a range of business sectors; some of it is due to the changing pace of technology, to which SOCs might be too slow to adapt for an analyst’s tastes. The better they are, the more likely they will be exposed to a new opportunity, and they will leave. I pipelined talent working around this anecdotal two-year rule of thumb, and it generally worked for me. That is, I would be recruiting, hiring at a rate of losing each analyst every two years. So how exactly can we best understand and support our cyber talent?

1. Motivate Your Cyber Experts

On the bright side, now that we’ve acknowledged we probably won’t retain our cyber experts for more than two years, there are some motivators that could attract and retain them. In my experience, I have found retention is not solely dependent on salary. Superstars are not always driven by money (and some who demand high salaries are not superstars). To attract and retain exceptional talent in the highly competitive field of cyber operations, motivators include autonomy, technology tools, and the ability to have impact and visibility beyond the SOC. Of course, flexible hours and work location are also factors in today’s environment.

2. Give a Little Autonomy

The open secret to retaining high-performing cyber experts is that it starts with the SOC manager. SOC managers who provide the latitude and autonomy for analysts to try new approaches and techniques, even when unproven, set the ground work for creating and keeping great analysts. And when the analysts do fail, those SOC managers continue to support and defend them, recognizing any time new things are tried, there’s a risk of failure.

The trick is for the SOC managers to understand how to facilitate high performance while ensuring the team stays on target for providing value to the organization. As challenging as it is, SOC managers are best served by focusing on the goals or outcomes of activities, and letting the analysts determine how to achieve them. When the SOC itself is limited, SOC managers need to look for outlets for the creative thinkers and problem solvers; providing development environments for analysts and responders to try out new methods is a reasonable first step.

3. Drive Organizational Impact

As SOC managers, we don’t always have tons of control over this one. The great analysts in this field want to have impact; they want to know that they came to work and did something lasting, that they found "the bad guy" no one else found, or created a script that is used by everyone, or something else non-trivial. And some great analysts want to have impact on the business itself. When there is a big security event, the great analysts live to be the person who figured out how to identify, contain, and resolve it and have the acknowledgement of the wider organization. For those SOCs severely limited in the mission or visibility to the larger organization, this lack of perceived impact may be a reason talented analysts don’t stay. A little recognition and visibility for impact can go a long way, and as SOC managers, we can advocate for our high-performing analysts.

4. Provide Tools and Toys

Another secret to happy analysts is allowing some technology toys. Technologies can include anything from open-source scripts that sort and correlate raw data in new and different ways to visualization applications that suggest new connections and trends. I worked in one facility where we had very little funding, so we took time to develop and adopt open-source scripts to build our own "toys." However, it is more fun when there is enough funding for analysts to purchase and try out applications and lightweight approaches (scripting and web services) to make their jobs easier and more interesting during lulls. SOC managers need to be able to dynamically create, acquire, and use more scripts and applications in support of the mission and strategic direction.

5. Location, Location, Location

If you have any control over being flexible about the physical location of your analysts, you are more likely to retain them than those that require all their analysts to sit centrally in a dark room. As life happens, analysts will move around. If you can employ remote analysts or teleworkers, you might be able to accommodate location requests of your great analysts. If you are at liberty to choose a SOC location, choose one near large cities, preferably with large IT emphasis. This broadens the pool of analysts available. Of course, it also broadens the competition for cybersecurity analysts; however, you would now be at an advantage, understanding these top motivators for attracting cyber talent.

The good news is that great analysts attract other great analysts. If you plan that your analysts will move on, physically or otherwise, it would be in your best interest to have them say good things about your SOC. You want them saying things like, "I liked working at that SOC; I think you would too."