Secrets of a cybersecurity employer-of-choice

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/04/19/secrets-of-a-cybersecurity-employer-of-choice/


By Jay Prescott, Director, Global SOC Operations

While the staffing crisis is real, our global MDR SOCs are thriving with top-notch analysts, DFIR talent, and no revolving doors (people like it here). In a high-pressure, high-stakes business, these are our lessons learned.

Measure your staffing performance meticulously and publicly

In an industry plagued by burnout, churn, and open jobs everywhere, be obsessed with your metrics to retain top talent. We do.

  • Last year, we grew our global Managed Detection and Response (MDR) teams by 68%
  • Our voluntary attrition for SOC analysts is under 5%
  • Since the start of Rapid7 MDR seven years ago, we’ve only lost about one to two analysts per year (even as competition for cybersecurity talent went white-hot)

Rapid7 recruits talent from all over the world to join us in our state-of-the-art SOC locations. Each SOC has incredibly high retention rates.

We prioritize investments in training, competitive pay, project work and extracurricular activities, and ensuring analysts are doing the work they enjoy. The leadership team is in tune with job satisfaction and directly attacks any aspect of the analyst duties that causes friction.

Peter Drucker said it best: “Culture eats strategy for breakfast.”

According to a survey by Mimecast, 84% of security professionals are experiencing burnout due to the constant barrage of threats, the talent shortage, and other employees’ mistakes (themselves a result of burnout). And, while everyone battles “The Great Resignation” and our collective 5-year skills crisis, ZDNet reports it’s going to get worse. Nearly a third of the global cybersecurity workforce plans to leave the industry—not their jobs, but the entire industry—within two years.

To prevent burnout, we encourage a culture of friendship and after-hours socialization. People who work alongside friends help more and perform better. They trust one another. Like just about anyone in our line of work, Rapid7 MDR employees know they can go anywhere and do what they do. They also know we greatly appreciate the fact they choose to do it here.

A member of one of our SOCs had his car in the shop for far too long due to a supply chain shortage of the missing part. There was only one thing to do for April Fool’s day:


As one member of the team put it, “we work at a place that crowdsourced a $700 prank!”

You don’t need a budget for team-building consultants and “trust exercises.” Camaraderie is created in Slack channels and at karaoke nights at the bar on the first floor of the Rapid7 Arlington, VA office.

Create a learning organization

We’ve heard it called “alphabet soup after your name.” While certifications are important, real-world experience and constant learning trump a course any day of the week. And the best way for the SOC to learn? By doing first-hand and sharing those learnings with everyone. Here are some of the lessons learned:

First, eliminate silos. Each of our MDR SOCs is composed of three tiers of analysts, working together on customer environments. There’s complete threat detection coverage, multiple layers of escalation and validation, and redundant knowledge. Additionally, the technology used by the SOC captures relevant details of the environment, detected threats, and analysis notes, all of which are available to every analyst.

Second, train constantly. Rapid7 has a robust training program: a combination of external live training (SANS, Chris Sanders courses), self-paced learning (TCM malware analysis and forensics courses), and a robust internal security training program (modeled after specific incidents Rapid7 MDR has handled) to train our analysts quickly and effectively. All training is heavily focused on endpoint forensics, incident response, threat hunting, coding/scripting, and foundational security concepts. All analysts have the chance to attend external training every year. Internally, analysts learn from each other at weekly “lunch n’ learns,” where they level up their skills by learning from those around them and show off the latest threat they were able to thwart for our customers.

Third, we organized around learning in new ways. Over a year ago, Rapid7 merged our Incident Response Consulting Team with our MDR SOC to create an integrated team of Detection and Response experts. If an incident investigation appears to be major, analysts simply (and literally) swivel their chairs and tap Senior IR consultants and DFIR practitioners on the shoulder.

For major incidents, Rapid7’s TIDE Team (Threat Intelligence and Detections Engineering) is right there too. “We ride along with them and are watching what they’re discovering and we develop new detections,” says Eoin Miller, Manager of Detection and Response Services. “It helps not only that customer but any other customer that may be a current or future victim of that same attacker.”

Rapid7 MDR also created a “Tactical Operations” (TacOps) team, which serves primarily as a “farm system” for analyst development. Typically, Associate Analysts at other Security Operations Centers are relegated to Tier 1 roles, focusing on low-severity alert triage with little exposure to actual malicious activity or complex investigations. Rapid7 takes a different approach by throwing these Associate Analysts into the deep end to deal with real, high-priority threats (the things we know are evil), which accelerates their learning curve. They’re actually looking at malicious activity all day, not just hundreds of benign alerts.

Our Associate level analysts have even gone on to publish their work and were tapped to lead a technical malware deep dive on one of the most popular security webinars in the world (Ultimate IT Security). Not too shabby for “entry level” folks to be presenting to a broad audience after only a year working in our SOC. Not surprisingly, we focus on promoting from within, with many analysts taking on advanced roles in forensic analysis and IR.

Finally, we’ve reorganized our services organization to bring our penetration testing team and our SOC analysts under one roof. We feel the best way to learn (and to improve our ability to detect and respond effectively) is to encourage collaboration and knowledge sharing between our offensive-minded and defensive-minded security practitioners. Iron sharpens iron.

Never compromise your standards

MDR analyst candidates go through an initial technical assessment (live responses over the phone) with our Talent Acquisition partners, which pre-screens candidates before the live technical interview panel.

During the Technical Panel interview, our interviewers’ goal is to push the candidate to the edge of their knowledge. We ask a series of progressively more difficult questions built on real-world scenarios: “If you see XYZ behavior, walk me through the process from start to finish:

  • What technology and methodology would you use?
  • What data are you looking for?
  • Why and how are you looking at it? Go deep.
  • How do you come to the determination that the behavior is malicious or benign?”

This lets us probe the various tools and techniques a candidate would use in the course of an investigation. We then hire based on the candidate’s knowledge, skill set, and culture fit.

More questions like these and other best practices we use can be found in our guide, the 13 Tips for Overcoming the Cybersecurity Talent Shortage.

Say what your values are

Rapid7 has company-wide core values. We’ve added to them with our “Culture Code for the MDR SOC.” Every organization’s values, and each SOC’s, are different. These are ours:

  • Ownership: Know what you’re responsible for and own it. We expect you to own your mission fully. Don’t make excuses, and don’t point fingers at others.
  • Customer-Centric: We are here for one reason—to deliver the managed security services our customers expect and deserve.
  • Passion and Purpose: Love what you do. While not everything you do every day is exciting, our team members genuinely enjoy their work and understand the importance of it.
  • Don’t Just ‘Turn The Wheel’: We’re not here just to handle alerts, run scans, perform hunts, or throw alerts over the fence for our customers to handle. We’re here to bring our security expertise to bear in the most effective way to better protect our customers at scale.
  • Risk Taking: Choosing not to take a risk is often the biggest risk. We will never fault someone for taking a well-informed risk in order to better serve our customers.
  • Integrity: We never mislead customers or prospects or act against their best interests, and we are open and honest with our fellow Moose.
  • Never Done: This is not a clock-in / clock-out kind of job. While many days are predictable, others are not. Our North Star is customer outcomes, not hours logged.
  • Glass Half Full: Security operations can be unforgiving—but we will remain positive and optimistic.
  • Have Fun: Get your job done, but have fun doing it.

We’re always looking for great security professionals to join our team. If the above piques your interest and you’re looking to be part of something special, come check out our open career opportunities.