In short: you'll need to pull out all the stops if you want to keep them.
Why You Might Consider Hiring a Security Analyst
Hiring a security analyst often seems like the logical "next step" once your small-to-medium sized business has its antivirus and firewall up and running.
You want visibility. Visibility requires tooling. Tooling requires trained operators.
For instance, you might want an intrusion prevention system (IPS) to detect and prevent vulnerability exploits on your network. Or maybe you'd like more security information and event management (SIEM) to provide real-time analysis of security alerts. In either case, running these tools is a full-time job. Sticking with the DIY path, instead of going with a managed security service provider (MSSP) or a managed detection and response (MDR) solution, means you'll need someone in house.
Hiring top tech talent is always HARD, and this task is exacerbated by cybersecurity talent shortage. At ActZero, our process routinely takes about 3 months, 100 applicants, and 80 person-hours plus recruiter, background check, and other fees to successfully hire a single highly-qualified analyst. Each hire, though, has a crisp ROI; we understand the value an individual must provide to our organization and that understanding means we can specifically target candidates who will excel in the job that benefits us most.
With cyberattacks growing in frequency and intensity every year, boards and executives have realized cybersecurity is a business issue. As a result, competition for talent is fierce. Some estimates peg the global shortage of talent at 3.5 million unfilled cybersecurity jobs by 2021. That's a 350 percent increase in open cybersecurity positions since 2013, with no signs of slowing. Cyber professionals have their pick of amazing opportunities and therefore when you decide to hire one, you must be prepared to invest the time, effort, and money to sell your role to potential candidates.
Why They May Leave
Hiring an amazing candidate is only the first step. Those other offers that your analyst turned down to work with you are still available to them. Fail to successfully on-board, ramp-up, motivate, engage, and grow your new employee and they will quickly leave for another opportunity.
Ask yourself these questions: What is their on-boarding plan and does it have clear objectives? How do they fit into your organization? Do they have a growth plan? Can you provide all the equipment that they need to be successful? What's your budget to fill gaps in their toolchain and processes so that you can get the ROI you desire from their position?
Unless you are mindful, your analyst's day-to-day job that can quickly devolve into a slog once they are on-board. For instance, if you have invested in a SIEM (despite the challenges with SIEM discussed elsewhere), how soon before your analyst gets buried in alerts spawned by false positives that require investigation to rule out, or escalate? The vast number of alerts generated by a SIEM (especially one that hasn't been tuned optimally) requires a tremendous amount of work to manually triage.
Beyond this alert fatigue, though, burnout is a genuine concern. A single analyst can easily get stretched thin. Do you expect them to monitor your business 24-7-365? How quickly do they have to respond to a critical incident? Do they have any backup support in the event of a major attack? Can they take a vacation? Can they get sick? Answering these quality-of-life questions will help you retain your analyst, but may come at the cost of a second or third recruit.
Without a CISO or Security Director to set the stage at a policy level, an individual security analyst can be somewhat adrift within your company, without clear mandate or agenda within your organization. Perhaps an IT leader can fill this void, but I've learned through my career that they often lack the specific security knowledge to guide (and grow) analysts.
To retain your security analyst, you'll need to invest in training, conferences, certifications, and new technologies. In doing so, you essentially proceed down the complex, lengthy, and expensive path of building your own SOC, which you tried to avoid in the first place.
If your analyst ultimately decides to leave, you'll feel their departure in some major material ways. You'll experience the tangible costs to backfill and train the new hire. Worst, your employee may leave with undocumented knowledge of your systems or projects. Worst yet, if they were burnt out, they may leave a poor review of your company on a job board. Any negative publicity will impact your ability to hire a top talent backfill.
What Can You Do to Try to Keep Them?
Losing a critical employee can significantly hurt your business. There are things you can do, however, to create an environment that motivates, rewards, and ultimately retains your security analyst.
First, be honest. When you hire them, clearly articulate your expectations. Let them sign up for the job you need them to perform.
Second, provide support. If they are working, so are you. Make resources (like non-cyber members of your IT team) available to help them in a pinch. Everyone wants to feel like their leader has their back.
Next, foster open communications. Plug them into your helpdesk so that they have visibility into issues that end-users are reporting. Helpdesk can act as a filter, relaying only the actual security-related issues to your analyst. A word of caution: your helpdesk team may not know when an issue is actually an indicator of compromise. Consider cross-training to address this gap.
Then, working with IT leadership, have your security analyst develop an incident response plan. Keep in mind that a single analyst will be woefully insufficient to tackle a full-blown incident by themselves. Other business units should support this undertaking, and so you should involve operations (see our post on how they can help during a breach), customer support, PR, and others. Build playbooks and then test them through Game Day exercises in advance. For more on this, check out our Elite SMB Incident Response guide.
And finally, invest in your analyst. No one wants to feel stagnant in their role, and by helping your security analyst grow you develop a better performing and more loyal employee. Yes, you risk them leaving for somewhere else as they become more equipped, but remember what Richard Branson said: "Train people well enough so they can leave, treat them well enough so they don't want to."
How ActZero Can Help
Hiring an in-house security analyst can create a powerful asset for your business. However, if you've decided that this goal isn't achievable for your organization without massive spending on the right resources (check out our business case for more on what it actually costs to build an effective 24/7 SOC) then consider ActZero's managed detection and response (MDR) service to gain access to our exceptional people and innovative technology, for an all-inclusive low monthly fee. We strive to hire, develop, and retain the best so that you can focus on what you do best: grow your business.
Contact ActZero today to find out how you can secure your business at a price friendly to the small-to medium-sized enterprise.