Security analysts in short supply: 3 ways to build up your team

For today's companies, the top security challenge is finding and keeping information security workers. The global shortage of security workers is expected to reach 1.5 million by 2020, according to a report released by the International Information System Security Certification Consortium and Frost & Sullivan.

Hiring and retaining qualified workers continues to be the top issue affecting organizational security: 87% of respondents named it a concern, both in the 2015 survey and in a forthcoming government-focused report from the same group due this year.

The challenges of finding, training, and retaining security analysts continue to hurt the readiness of today's security operations centers (SOCs), said Travis Wiggins, senior manager of IT security consulting for Secureworks. While some managed services can replace much of the work done by low-level (Level 1) analysts, not having internal Level 2 and Level 3 analysts to handle more complex security tasks can stall the development of a mature security operation, he said.

"It really feels like, today, the real gap in the security organizations that we help build seems to be around L2 and L3 workflows," Wiggins said. "That impacts not only incident response, but also activities such as red team exercises and threat modeling that are the ways that defenses are truly tested."

Companies need to make a sustained effort not only to find new information security analysts, but also to train existing employees in the skills necessary to succeed as an analyst. A paper released by Hewlett Packard Enterprise, Growing the Security Analyst, argues that most companies should consider growing their own analysts and look beyond security-focused engineers.

Here are three ways to build out your security team.

1. Evaluate your security team's strengths and weaknesses

Companies should start by evaluating what they already have. What roles need to be bolstered, and what skills are lacking?

There is no single perfect background for an analyst. While former law enforcement officers and military veterans can bring an investigative mindset to a security team, and former IT network engineers add technical aptitude, companies should not strive for a monolithic composition, said Travis Grandpre, director of product marketing for HPE Software's ArcSight group.

Rather, new analysts should complement the composition of the team.

"If your team is young, it is not good to have new analysts all come straight out of college. If you already have experienced hands, you don't want all veterans either. It is good to have a combination of both."
Travis Grandpre, HPE

Building a team whose members support one another is important, he added. "It is really important to focus recruiting and training on the complementary skillsets that really support each other," Grandpre said. "You have to have a team with the right aptitudes and the right attitudes—they need to be problem solvers."

2. Create a skill-development plan for analysts

IT security managers should evaluate the skills of new hires and conduct a regular review of existing team members' skills. The review should cover the body of knowledge the organization wants represented on the security team, such as anomaly detection, digital forensics, encryption, and threat hunting.

A simple system of ranking—for example, 0 for no knowledge or skill, and up to 3 for an expert—is suitable for evaluating the technical proficiencies of each member of a security team. A note can be added for employees who gain a professional certification in the stated skill.

There are a lot of aspects to the SOC that need to be incorporated into training and understood, said Grandpre.

"If you have good training in place, you can take an analyst who is weak in operating systems and put a plan in place to really develop that."
—Travis Grandpre, HPE

Secureworks' Wiggins said analysts who can take the attacker's mindset are valuable.

"If they can take the output of that activity and feed them back into your blue team and feed them back into your technology stack, then you can make your blue team and your L1 defenses smarter."
—Travis Wiggins, Secureworks

Following the skills assessment, the company should create individual plans to help each security analyst strengthen his or her weak areas and work toward skill-improvement goals. Turning these plans into annual goals and development areas can help workers remain engaged.

3. Support analysts with career paths

One way to counter the loss of experienced security workers is to create a good career path for existing workers and—as covered in the previous section—help them work toward their training and education goals.

A career path is important, because no one wants to spend an entire career as a Level 1 analyst, said Wiggins. "If you consider the employees that always need to be replaced, the ones that burn out the fastest, they are always L1 analysts, across every organization that we deal with," he said.

The increasing adoption of machine learning also means that the role of Level 1 analysts is changing, in two ways. First, rather than doing basic work, Level 1 analysts are being scooped up and trained by service providers, and second, the name "Level 1 analyst" is being used for a more complex role within the company.

You are in it for the long haul

Companies have to face the fact that they will likely have to train their security teams, a longer process than most firms want. However, by focusing on the overall team's capabilities and the individual team members' personalities and knowledge, and by developing a path for career advancement, most companies can turn out strong security groups.

And when hiring, also think longer term, the HPE report notes:

"Don't start with people with no understanding of IT, but keep an open mind when interviewing analysts."