Cybersecurity analysts overworked, undertrained and buckling under volume of alerts
The majority of security operations center professionals said the job is now simply about reducing alert investigation time or the volume of alerts.
We would all love to think our favorite companies are doing their utmost to protect our data but a new report may signal otherwise. Digital security firm CriticalStart released a survey of more than 50 people working in cybersecurity across a variety of industries and found a number of alarming trends.
Last year, just 45% of those who spoke to CriticalStart said they dealt with 10 or more security alerts each day. That figure has now jumped to 70% of those surveyed.
To make matters worse, a majority of security analysts now say their job is not to analyze and address security threats but to reduce the amount of time spent on each alert or the volume of alerts.
“As IT infrastructures have become increasingly complex to secure against accelerating threats – combined with a tight labor market for cybersecurity experts – enterprises are turning to managed security providers to complement and extend their security and risk management,” they say in the report.
“As the research continues to show, this simply shifts the burden of analyzing an oppressive number of alerts from the enterprise to the managed security provider – a number that then dictates how they hire, staff and run their business.”
The overwhelming nature of the job was affecting turnover rates as well, with nearly half reporting a significant rate of 10-25% turnover.
Almost 40% of the analysts in the survey said they spent just 10 to 15 minutes on each security alert. The report starts off by explaining that security concerns are only becoming more complex as more people gain access to sophisticated computing.
“When asked what they do if their SOC has too many alerts for analysts to process, 57% of respondents said that their primary approach is to tune specific alerting features or thresholds to reduce alert volume,” they wrote.
“This was the primary approach last year as well, although with 67% using it. While that would seem like good progress, respondents this year also reported they ignore certain categories of alerts (39%); turn off high-volume alerting features (38%); and hire more SOC analysts (38%) – with the latter two categories showing increases over the previous year of 11% and 14% respectively.”
Due to the deluge of alerts, survey respondents now differed on what they considered to be their primary goal. Last year, 70% said “it was analyzing and remediating security threats.”
But this year, that number dropped precipitously to 41%, with the rest saying their job was simply to reduce the amount of time spent investigating each alert or to reduce the total number of alerts.
Unfortunately, almost 50% of those surveyed said their companies made it a point to hide security threats from customers or users.
“Based on survey respondents, a clear majority (57%) report they offer limited to absolutely no transparency to their clients,” CriticalStart wrote.
“In these situations, clients who are paying for managed security services only see information relevant to their enterprise security if the MSSP or MDR escalates an incident to them needing further information.”
CriticalStart also found that more than 50% of those surveyed had 20 or fewer hours of training annually. All of these factors fed into a rising turnover rate.