SANS survey highlights pandemic-influenced hiring plans


Highlights from the “Closing the Critical Skills Gap for Modern and Effective Security Operations Centers (SOCs)” survey

Way back in March, when most of us were still working in the office and taking restaurant dining for granted, the SANS Institute launched its survey on “Closing the Critical Skills Gap for Modern and Effective Security Operations Centers (SOCs).” Two days later, COVID-19 was declared a pandemic and life was thrown into turmoil. Thus, these survey results provide an early glimpse into organizations’ uncertainty around hiring and the outsourcing of security.

The survey covers:

  • SOC hiring plans in 2020
  • Which skills are most needed in today’s SOC
  • Which security technologies enable organizations to delay the need for additional staff
  • Areas where organizations are looking to external service providers to assist with their staffing needs
  • Where SOCs are currently sourcing new hires

As expected, one of the main themes of the survey is uncertainty around hiring. The report finds that only 34% of respondents reported plans to add security staff in 2020. Large organizations are the most uncertain about hiring, with close to 56% reporting they are unsure if they will increase staff. Interestingly, only 29% of respondents from small organizations expressed uncertainty concerning their organization’s hiring direction.

Key Takeaways from the SANS Skills Gap SOC Survey

“Hiring managers need new hires who can sit down at SIEM and visibility product consoles, work with threat intelligence feeds, and take advantage of automation and integration tools to reduce time to detect, respond and restore.”

  • Staff turnover is an ongoing concern. When junior analysts are promoted to more senior roles, their positions need to be backfilled. Although most respondents indicate lower attrition than industry averages, they also report zero to negative gains when adding staff promotion figures to attrition rates. SANS notes that organizations need to prioritize hiring or focus on adopting technology and services to manage with fewer internal resources.
  • Strong demand for external service providers. Nearly 46% of respondents said they plan to maintain or increase their use of managed service providers. Reasons for this range from an inability to attract qualified staff to economic uncertainties limiting hiring. The top four services being outsourced to a managed security service provider (MSSP) or other third parties include penetration testing, incident response, threat intelligence and forensics.
  • Some tool-specific skills are prerequisites for new hires. Given the amount of time it can take to teach an entry-level analyst how to use tools, most organizations expect new hires to already be familiar with commonly used, mainly open-source tools, such as Wireshark, Nessus and Python.
  • Organizations suffer from a lack of metrics to justify resource needs. This specific survey, along with other SANS surveys, finds that fewer than half of security organizations collect metrics that would allow them to justify resource needs. Thus, most organizations justify their hiring based on attrition/turnover replacement or to reduce workload on existing employees. What’s missing is the tracking of metrics to quantify these claims, such as events closed per analyst per shift, time to detect, time to respond, etc.
  • “Force-multiplier” tools are key to SOC effectiveness and efficiency. Given the issues around hiring more staff, organizations should look at other options for enabling their existing staff to meet demands. For example, security orchestration, automation and response (SOAR) solutions enable organizations to keep staffing levels flat while using automation to identify and focus on high-risk/high-business-impact areas quickly and efficiently.

As the pandemic continues to impact all areas of everyday life, SOCs are not exempt from the uncertainty of the times. They continue to face growing cybersecurity threats while the skills gap continues to grow. This report provides some insight into the future of the SOC and how it can continue to level up during this time by adopting external services and technologies and finding ways to justify additional hiring with business-relevant security metrics.

At Swimlane, we’re committed to maximizing the capabilities of your existing security infrastructure and staff through automation and orchestration. Our security orchestration, automation and response (SOAR) platform is a way to make your security team more productive and effective by automating incident response, consolidating and contextualizing incident data, and providing holistic security operations visibility.

Download the full SOC Skills Gap survey results, sponsored by Swimlane, and read SANS’ suggestions on how to make your SOC successful during these uncertain times.

SANS Closing the Critical Skills Gap for Modern and Effective SOCs Survey

The global impact of the COVID-19 pandemic means that any forward-looking projections include a large “cone of uncertainty.” Download the SANS Closing the Critical Skills Gap for Modern and Effective SOCs Survey today to gain insight into organizations’ uncertainty around hiring and the outsourcing of security.


