Changing How We Think About Security Analyst Training

Cyber security is a relatively young practice. If you think about it, IT systems have only been around in the mainstream for 30-40 years, never mind cyber security. This means most seasoned cyber security professionals (or “IT Security” professionals, as some will remember) learned the trade at a time when there was no formal way to teach it, and so came to it with a fairly in-depth understanding of IT systems and/or programming.

The bar was then set. Engage with a seasoned cyber security expert and you found knowledge that was vast and deep: email, web servers, databases, networking, various operating systems and even development. This breadth of knowledge was paramount in understanding how security fits together. Because security incidents often involve so many aspects of IT, investigating an incident was so much easier for security analysts who had this breadth of understanding.

Fast forward to today: these analysts have become CISOs and we have a skills shortage in the cyber space. Security analysts now start their career straight out of school/college, or perhaps with a couple of years of desktop or infrastructure support experience. This is a far cry from the analyst of a decade ago who had breadth of experience.

But this is the reality we are dealing with and we need smart ways to train SOC analysts. We cannot expect a young analyst with 2 years of work experience to have an in-depth understanding of all these systems and methodologies, but we do need them to be able to investigate an incident with confidence and escalate when they are unsure.

We have been training analysts for 7 years and have learned a few things about this. While we may not have all the answers, we know that the following traits make good analysts:

  • Skeptical solution seeker – They question everything and understand when they are making an assumption versus working from facts, but beyond that, they have the drive and desire to find the answers.
  • Teamwork is critical – Working in isolation is career limiting. Our analysts are constantly bouncing ideas around and asking for input. This takes courage but puts you miles ahead. Remote work makes this a challenge.
  • Creativity – One might not associate creativity with looking through logs and data, but given the diversity of data, there is always another way to get to root cause.

When it comes to the training itself, in my view practical training is still the best way for analysts to learn. “Fail fast” comes to mind, but the caveat is that when you fail you cannot have a complete breakdown; you need safety nets. Any failed investigation could lead to a breach or to delayed detection of an intruder, and that is not something that can go unchecked. Have the right safety nets in place and this becomes an excellent learning environment.

SOC analysts face a high-pressure environment. We are asking a lot from these folks, and we need to continuously improve how training happens. Toolsets will change, so it’s important to teach the fundamentals; this ensures key concepts are learned and can be applied across toolsets.
