Five ways to keep your security nerds happy
When you think Defcon, you probably think hackers. It’s a short step from there to Mr. Robot or (if you’re into throwbacks) Angelina Jolie. Rest assured, either would probably love the three-day event in Vegas. Problem is, those three days won’t make up for the other 362 days in the year if they don’t love their job.
At my previous gig, a big part of my job was hiring and retaining security analysts. While there are lots of different roles in security, security analyst is one of the hardest to fill. It’s also one of the hardest to keep filled. To keep my pulse on how we were doing, I met with new hires after their first two weeks on the job and again at the 90-day mark. In the first meeting, I wanted to make sure onboarding went well, ensure they had started building strong peer relationships and check to see if they felt like they had what they needed so they could contribute positively to the mission. Three months in, I wanted to get a feel for how much they felt they’d learned since starting, and how that compared with other jobs they’d had.
What did I hear? There were three consistent themes.
- Onboarding was uplifting. It was refreshing to work at a place where policy and procedure didn’t leave them mired in corporate red tape. Having the executive team lead portions of the onboarding program really instilled a sense of purpose.
- Meeting everyone was humbling. Everyone seemed to be at the top of their game and more than happy to mentor. Better yet, people weren’t scared of talking about new ideas or even changing how we did things.
- I’ve plugged into the matrix. The ratio of knowledge gained to time on the job was incredible. Analysts would often say something like, “I’ve learned more in the last three months than I did in the last three years at my last company.”
The new-hire feedback was consistent year after year and churn stayed low. So, what does this imply? What can you do to keep your own security nerds happy? I’d suggest you consider the following five areas of focus (in increasing order of importance):
5. Get your tools in order
There’s nothing more frustrating than not being able to use the right tool for the job. Make sure your security analysts have what they need to effectively detect, investigate, and remediate, without too much red tape.
4. Don’t dam upstream
I lied. There is, in fact, something more frustrating than not having the right tools. It’s having detection capability that’s based on garbage, and no ability to go upstream and fix the inputs. Dealing with an endless stream of false positives is nobody’s idea of a good time.
3. Mission matters
Don’t kid yourself: compensation matters too. Assuming you’re doing that right, your team wants to know they’re working at a place where “the bosses” get it. Security doesn’t have to be core to the culture. But when it’s the red-headed stepchild of the organization, you won’t typically find happy analysts.
2. Recruit for Team Dauntless
Analysts love to mentor, but only when their apprentices learn fast. Look for a pattern of figuring-things-out in previous roles. Unafraid to walk into the unknown, these sorts of analysts will thrive in ambiguous situations and quickly earn the respect of their peers.
1. Remember: learning is fundamental
The phrase, “huh, that’s interesting,” is the siren’s call to a security analyst. When you’re hiring, prioritize boundless curiosity coupled with unflappable persistence. But beware the other side of this blade: you’d better be ready to expose your new hire to new malicious activity almost every day. You might call these “bad days.” They’ll call them “awesome.”
Maybe you’re thinking this easy “five step” plan for doesn’t look so simple after all. I wouldn’t blame you. There’s a lot of organizational headwind just to get one of these areas righted — not even counting challenges that may be counter to your culture. We’ll have a series of posts after this one to go into a little more detail about the challenges you can run into in each of these five areas, and some tips for how to overcome them. Spoiler alert: they won’t turn any of these into a walk in the park.
So, before you go any further, if you happen to be thinking about building a SOC or hiring security people (nevermind finding them in the first place)… ask yourself first: if I hire them, can I keep them happy?
This is the introduction of a five part series on key areas of focus to improve security team retention. Read the other posts in the series: