© Tyler Wall and Jarrett Rodrick 2021
T. Wall, J. Rodrick, Jump-start Your SOC Analyst Career, https://doi.org/10.1007/978-1-4842-6904-6_1

1. The Demand for Cybersecurity and SOC Analysts

Tyler Wall (1) and Jarrett Rodrick (2)
(1) Braselton, GA, USA
(2) Melissa, TX, USA

In this chapter we’ll discuss the demand for cybersecurity professionals at three different levels, starting with the demand for cybersecurity workers in general, then the demand for cybersecurity analysts, and finally the demand for security operations center (SOC) analysts.

Cybersecurity During a Crisis

Early in 2020, the world began suffering from a viral pandemic known as COVID-19. The world shut down, and people were ordered to shelter in place in their homes. Many jobs were lost or furloughed until the quarantine was lifted, but many employers were able to transition to a “work from home” structure. Internet service providers (ISPs) saw long and enduring spikes in traffic, and the demand for videoconferencing soared to new heights. The United States Department of Homeland Security designated cybersecurity personnel as an essential workforce for continued infrastructure viability, and the need for cybersecurity workers is higher than ever. During this period, there was already a shortage of nearly 500,000 cybersecurity jobs in the United States alone, and the industry needed to grow by 62% to meet the current demand.1

Advanced Persistent Threat groups are using the COVID-19 pandemic as part of their cyber operations.

—US Dept. Homeland Security2

Having a current shortage in the cybersecurity workforce combined with a crisis such as the COVID-19 pandemic, a cyberwar, or any other emergency increases the demand for cybersecurity workers. The shortage of cyber workers gets even worse, and the cybersecurity workforce is drained even further. There is no solution but to work longer and harder. Cybersecurity workers’ physical and mental health takes a toll as the stress and hours worked increase. There is not a fast fix or solution for training new cybersecurity workers, so the result is an extra-taxed workforce.

During the 2020 COVID-19 pandemic, the world rushed to continue to be productive while working at home. While the US government shut down businesses everywhere except those deemed “essential” for some time, cybersecurity was one of the professions considered essential, and the already high demand for skilled workers grew overnight.3

What did the industries learn from the pandemic? COVID-19 proved that a very large workforce could be productive while working remotely. For years, US companies have taken steps to be more environmentally friendly. Whether it’s sustainable power for their warehouses, recycling programs, or alternative fuel for delivery vehicles, around the world thousands of companies are embracing sustainable resources. Now that an at-home workforce is feasible, we believe companies will embrace this as an opportunity to decrease greenhouse emissions and increase employee happiness.

Demand for Cybersecurity Analysts

Today, we find ourselves in a global cyberwar. Every industry, in every country, is actively targeted by cyber criminals, state-sponsored hackers, and companies engaging in corporate espionage. That might sound like the plot to a low-budget movie starring your favorite 1990s action star, but the truth is everyone’s a target. Even more troubling is the fact that it didn’t start in 2020; this has been going on for decades. It’s only been in the last 5 years that companies have identified the need for higher investments in cybersecurity.

High-profile compromises over the last 10 years have served a hard lesson for industries globally. In November 2014, Sony Pictures Entertainment announced they were the victim of a data breach. Analysts from Reuters.com estimated the compromise would cost Sony more than $75 million in recovery costs and lost revenue. More recently, the Capital One breach in August 2019 resulted in the theft of 100 million consumer credit applications. Attacks like these two have driven home the requirement for a dedicated cybersecurity workforce.

In fact, according to the US Bureau of Labor Statistics, the cybersecurity analyst occupation is projected to grow 32% from 2018 to 2028 in the United States, compared to 12% growth for other computer-related occupations and 5% total growth for all occupations.4 One significant benefit for those considering a move into cybersecurity is the relatively low bar for entry into the career field.

For decades the narrative has been “Go to college, earn a 4-year degree, get a career.” This book will dedicate a chapter to covering the different entry paths into cybersecurity analyst positions. But for now, know that college is not the only path into a great career.

When companies embrace the need for cybersecurity, it usually begins with the Security Operations Center or SOC for short. The SOC is responsible for triage, investigation, and response to cybersecurity incidents. This concept is not new. Military and law enforcement agencies have been using Tactical Operations Centers (TOC) to coordinate operations during conflicts for decades. And like the TOC, the SOC serves as the Command and Control (C2) hub for first responders to cybersecurity incidents.

Definition

According to the SANS Institute, a cybersecurity incident is an adverse network event in an information system or network, or the threat of the occurrence of such an event.5

The SOC isn’t the only team dedicated to responding to cybersecurity incidents. Many companies have dedicated Digital Forensics and Incident Response (DFIR) teams to support the SOC in investigations and response. Usually, the DFIR team takes on long-term investigations from the SOC, allowing the SOC to focus on daily operations and live incidents. The skills required of DFIR analysts are very similar to those of SOC analysts, the most substantial difference being the focus on legal requirements for digital forensics and evidence collection. In truth, the majority of DFIR analysts begin their careers as SOC analysts.

Demand for SOC Analysts

Now that we’ve covered the general demand for cybersecurity analysts, let’s get to the reason you picked up this book. Perhaps you’re transitioning from the military into the civilian sector or a recent college graduate looking to get a foot in the door. Maybe you’re in the information technology (IT) field already. Regardless, the purpose of this book is to prepare you to become a SOC analyst. Whether you wish to join a DFIR team or work your way up to management, the SOC analyst profession has the lowest barrier of entry for cybersecurity. Becoming a SOC analyst is an excellent strategic position to get your start in the industry.

When staffing a SOC, hiring managers have a few challenges that they continuously face. The most prevalent of those challenges is the revolving door of the SOC. After a SOC manager hires for an open position, it takes them several months to train the new analyst. Once training is complete, retention becomes a problem as the new analysts are “head-hunted” repeatedly by recruiters enticing them with more money. The average tenure of a security analyst is only 1-3 years with a single company.6 Companies today offer very lucrative compensation packages tied to the amount of time spent with the company. A common practice is to use stock options spread out over 3-4 years to ensure the worker remains at the company.

Once a SOC analyst is proficient at their job and feels they are no longer challenged, it might be time for them to seek a higher position. One of the most common paths upward is to become a senior SOC analyst. The “senior” title comes with better pay and additional responsibilities such as mentoring the junior analysts that join the SOC. Senior SOC analysts also handle more complicated work, as junior analysts will escalate challenging items to their seniors to resolve. Being in this position allows an analyst to become more technical and gives them the opportunity to learn how to train and mentor others. This role is an excellent stepping stone to becoming a SOC manager, grooming the analyst for their next leadership role in the SOC. Almost everywhere in the United States, the senior SOC analyst position pays over six figures.

As a new SOC analyst, set stretch goals for yourself to reach this milestone. However, that leaves the hiring manager with your spot open again!

Another problem that SOC managers struggle with is burnout or alert fatigue. An example of this is when analysts are watching so many alerts that something important is overlooked or “lost in the noise.” SOC analysts usually work in shifts of 8, 10, or 12 hours, sometimes on evening and overnight schedules, and at some point the task might seem brainless. It’s not brainless work; in fact, most people will find SOC analyst work exhausting. It’s easy to get complacent when the work becomes second nature, and it can get monotonous. Most everyone in a SOC is brilliant and constantly needs to be challenged.

The third challenge that SOC managers face is that the SOC is a 24/7/365 operation, which means they need coverage outside of regular business hours and on holidays. Many international companies utilize the “follow the sun” SOC model. That is when companies build three SOCs in different geographical locations for 24-hour coverage. Typically, companies will have a SOC in the United States, a second in Singapore or Australia, and the third in India or Europe. However, there are use cases where companies require analysts from a specific nationality to work with their data. It’s especially true in staffing a Managed Security Services Provider (MSSP).

Hiring for early morning and overnight shifts is not an easy task, and the people that fill them don’t stay for long before wanting to move to regular business hours. Tyler’s first security job was working as a second-shift analyst in a SOC at an MSSP. He was in a position in life where it worked out well for him. He had a base salary and was offered a small shift differential on top of it for working the second shift. He was freshly out of college, and who needed to wake up before noon anyway? He credits his career to making that sacrifice because it gave him invaluable experience that still serves him today. He decided he had to take his experience and run after only a year. It was a hard decision because it was a great company, but he couldn’t wait for a day shift to open up. The night hours started to take a toll. It is nobody’s fault, but it is another challenge of the SOC revolving door.

SOCs aren’t going away anytime soon. The demand for the SOC grows with every new privacy law and every new compliance requirement or regulation that companies must adhere to. A SOC is an expensive cost center in business. Unless the SOC is part of a product that brings in revenue, it loses the company money. The more SOC analysts they need to hire, the more companies look for creative ways to reduce the money spent on a SOC. This demand has given birth to a set of tools promising to automate some of what a SOC analyst does on a day-to-day basis, but it presents challenges that the industry hasn’t solved (yet).

Note

Security Orchestration Automation and Response (SOAR) tools promise to reduce the number of hours spent by SOC analysts to complete a task. This is explained in detail in Chapter 7.

What This Book Is About

As of late 2020, there are roughly three million cybersecurity professionals in the world, but that number must grow by more than double to meet the increasing demand. What does that mean for you? It means that individuals with the right skills and qualifications should find it relatively easy to land a job. If we look into the hiring challenges that companies face today, it becomes clear that technically proficient cybersecurity professionals continue to be in short supply, not to mention it is also difficult to find candidates with business acumen. Cybersecurity professionals are needed because the Internet is a global war zone. Anyone and everyone on the Internet is constantly being barraged by attacks every few seconds. Cybersecurity professionals protect enterprises from a successful intrusion and respond effectively when an attacker gets through the barricades. There are great opportunities out there for professionals, and because the demand is so high, people who are qualified and have the skills in this book will be hired.

A candidate not only has to be technically skilled but also needs to know how to interact with the other parts of the business in a way that shows they understand business goals, objectives, and culture. Recognizing these challenges faced by cybersecurity hiring managers allows you to prepare for your interview or have advancement discussions with your boss. This book will arm you with tools that you need to build a good strategy for transitioning onto the front lines of cybersecurity.

When you read this book, we will provide you with the knowledge needed to help you with the business acumen challenges by explaining how a typical security organization is structured from the top down. Understanding the “big picture” view of cybersecurity is imperative because, as mentioned, understanding how things work inside a company is fundamental to how effective you will become as a Security Operations Center (SOC) analyst.

At a basic level, similarly funded cybersecurity programs are usually structured alike, with the exception of businesses where security is the product. Managed Security Services Providers (MSSP) sell security solutions to customers, and many of these SOC roles are customer-facing. MSSPs tend to have a more robust hierarchy and will sometimes include positions such as a SOC director. In our experience the culture is a bit different as well: security is how MSSPs make money, and the CEO is always the “security guy.”

In-house SOCs, on the other hand, tend to be granted more control over the enterprise’s security architecture and engineering. The SOC analysts can get “into the weeds” of the infrastructure and learn the ins and outs of the network. Where the customers of an MSSP are external, third-party companies and organizations, the customer of the in-house SOC is the company itself. These SOC analysts are given more power to intervene during security incidents to remediate the situation. Although this might sound like a good thing, one poor decision can negatively impact the entire network and become a “resume-generating event.”

Once you’re hired, the first day in the Security Operations Center can be the most overwhelming experience you will ever have. You might feel out of your league with all of the buzzwords, new security tools you’ve never heard of, and technologies that weren’t exactly covered by formal education. To top it off, you’re considered a cybersecurity expert by those not in the field, and people will be looking to you for advice. It can take up to a year to get settled in and feel comfortable enough to take a breath. Remember to give yourself some slack and be patient. We aim to help you shorten the time of discomfort. We will help you solve the technical proficiency challenges hiring managers struggle with by familiarizing you with the standard tools that you might use on a day-to-day basis.

We will help you with technical proficiency challenges by guiding you to think like a SOC analyst. There are many ways to learn how to think analytically, and for some people, it will come more naturally than others. It’s important to know that it is not out of reach to anyone, and we mean anyone. Teaching hard technical skills is something better left to the professionals at SANS, but this book will fill in the gaps that you need to start your SOC analyst career quickly.

The demand for cybersecurity is enormous, but the unfilled jobs are the result of a lack of the right kind of applicants, not the number of them. Plenty of people want the salaries and lifestyles of the industry’s practitioners. However, hiring managers need help now, and they will hire the candidate that requires the least amount of training. They need to hire someone that can do the job by yesterday!

Through the course of this book, we will help to identify the priorities and goals of the people and business units outside of the SOC that you will interact with daily so that you can thoughtfully approach them. We’ll show you how to use language in your conclusions that protects you and your company while you are new to this role.

Summary

The need for cybersecurity professionals is growing at a rapid rate, much faster than the industry can train candidates and fill positions. Hiring managers are faced with challenges that are at least twofold: they can’t find technically proficient candidates, and they can’t find candidates that know the business. This mix of hard and soft skills is incredibly important to have when starting out, and it becomes even more important as your cybersecurity career progresses.

The cybersecurity analyst occupation is projected to grow 32% from 2018 to 2028 in the United States alone, compared with 12% growth for IT-related positions and only 5% total growth for all occupations. When the world is in crisis, cybersecurity workers are essential. The demand for the work that we do increases dramatically, but often this means the current workforce must work longer and harder. Hiring additional people can take many months.

The SOC analyst is the lowest barrier of entry into cybersecurity, and this book will help prepare you for landing your first role. The revolving-door challenge of a SOC means that there are always new positions opening up for you to apply for. In the next chapter, we will discuss what job titles to look for, typical job posting websites, and strategies on how to turn your job application into an interview.
