Even Amidst Pandemic, Security Operations Remains a Realm of Negative Unemployment
I first heard the phrase "negative unemployment" earlier this week. It happened in the context of an interview with a senior security analyst who works for a technology firm that supplies SOAR (Security Orchestration, Automation and Response) tools to other security companies, managed security service providers, and nice chunk of the Fortune 1,000.
Let's call him Mr. X, and his company Xcom. When I asked Mr. X what the phrase signified, he said that it means there are more jobs open in Security Operations Centers (SOCs) around the world, than there are qualified people to fill them. "If that's not negative unemployment," he went on, "I don't know what is."
He observed further than anybody who worked in his organization could hit the streets today and have a new job tomorrow. "Even with the pandemic raging?" I asked. "Even with the pandemic raging," he replied.
Keeping Security Pros Is All About Retention Strategies
As it turns out, Mr. X's own company employs more than a hundred security analysts. And as his company grows, he's going to need more of them to support that growth. Thus, his company has spent a lot of time thinking about retention strategies.
Xcom needs not only to attract the best and brightest to fill its security analyst jobs. It also needs to to keep those people over time as their careers grow, and their interests and goals change. This turns out to be an interesting challenge.
Xcom has responded by looking very seriously at what's involved in doing a security analyst's job. They've defined three tiers of security analyst positions, named Level X Security Analyst, where X can be 1, 2, or 3. For each level Xcom has a well-defined set of technical and soft skills requirements.
Level 1 Analysts who enter the company must complete a nine-week training course before they sit down at their desks to do the job "for real." During that nine-week period, they get trained on the nuts-and-bolts requirements involved in doing the job, and they get to shadow other people already doing the job to see how it's done in production mode.
They also learn how to work a security incident, when and how to escalate an incident, how to participate in after-action reporting, and most of the other day-to-day tasks and activities that a Level 1 Security Analyst faces while doing the job. Once they make the grade and start working for real, they have regular opportunities to attend training classes and to pursue various areas of security specialization.
Because Xcom makes heavy use of automation in its SOC, they also seek out individuals with programming or scripting skills to fill Security Analyst jobs. Their preference is for people with a basic working knowledge of Python, but for those who lack (or wish to sharpen) such skills — you guessed it — on-the-job training is available.
Adding Levels to Security Analyst Status
At Xcom, climbing from Level 1 up to Level 2, and then from Level 2 up to Level 3, requires more than "time in grade." Level "n" analysts who wish to become Level "n+1" analysts have access to a set of requirements they must meet to qualify for a level-up maneuver.
This includes some time-in-grade, but it also includes taking on added responsibilities during the company's quarterly security exercises. Those exercises include "red teams" and "penetration testing teams" who take on adversarial roles in foisting simulated (but deadly serious) attacks in the former, and who attempt to use all their skills and knowledge to break into Xcom's infrastructure working for the latter.
Certain certifications — many from the SANS GIAC program — also play into this mix, along with a roster of training classes offered through Xcom's in-house learning management system (LMS).
All in all, says Mr. X, the annual training budget for security analysts is around $10,000. He goes on to observe that management watches carefully to make sure that managers (and analysts) consume as much of that budget as possible. Career and career growth planning is also an important part of Xcom's annual review process for security analysts.
Analysts are always asked to envision themselves, three-to-five years from now, in a specific and more senior security role. Management and HR work together to make sure security analysts understand what it will take them to get from they are to where they want to be, and coordinate with them to create and manage training plans and schedules to help them on their way.
That's the kind of thinking that technology companies need to incorporate into their cultures and mindsets if they want to keep their people around (especially the best ones). I can understand why it's such a vital element for building and retaining security staff.
But it's a good model for rethinking how companies and employees collaborate to make work, life, and the world a better place to live in. All I can say is that companies and organizations that don't move themselves into this way of thinking will pay for it down the road, as their most valued employees defect to join other outfits that do this kind of thing seriously, routinely, and enthusiastically.
Shoot! I want to work for a company like that myself.