Cyber Security Analyst’s “Hierarchy of Needs”

I’ve been thinking about ways to build up quality cyber security analysts and offer the following advice to decision makers in this space.

The cyber security analyst’s “hierarchy of needs” starts with the basics and works up the pyramid to more detailed needs.


Your cyber security analysts need food and water, simple enough. Sleep is also critical to this role of making complex connections on a regular basis. Energy drinks are not a sustainable long-term solution… analysts need to get good sleep, so advise them as such if performance starts to slip.

An organization’s role here is to ensure they pay a competitive market rate so your analysts don’t have to constantly worry about making ends meet.

Favorable Relationships and Structure

Firing on all cylinders as an analyst is difficult when your personal life is hectic or when co-workers are jerks.

Management should protect the team atmosphere and encourage collaboration.

Structurally, having a progression plan for your analysts is important to keeping them motivated.

The progression plan is what inspires them to put in 40+ hours at work, long evenings studying, and late nights at the command line.

Smaller organizations may vary, but a sample progression plan looks like:

Intern -> Analyst -> Senior Analyst -> Specialist (Host/Network/Intel) -> Senior Specialist (Host/Network/Intel) -> Lead Specialist (Principal)

The most skilled cyber talent can often add more value staying hands-on than moving to management, so compensate them as such.


Analysis is only useful if it translates into action. Many cyber security analysts serve as incident responders, and empowering them to stop malicious activity is critical. If your analysts recommend a protective course of action, ensure they have the ability to implement protections without painful approval processes.

Wiggle Room

The threat landscape is changing constantly. For a few months everyone is trying to attack via Java (e.g., CVE-2013-2465) and Adobe (e.g., CVE-2010-1297) vulnerabilities; later they are trying to siphon off data with vulnerabilities in your encryption protocols (e.g., CVE-2014-0160).

It’s vital that analysts read up on the latest threats and constantly train towards better skills. At a minimum, annual professional training or conference attendance is valuable to keep motivation levels high.

Cyber security analysis is an art. Don’t be surprised if your analysts unknowingly block non-malicious traffic that your company needs; just make sure all your action plans are written with back-out (“undo”) abilities. Your people will make occasional mistakes, so don’t be too tough on them.

Equipment and Hardware

If you are solid on all the above items, congratulations! Only a few organizations can get all the above right.

At this point, just make sure your cyber security analysts have the following:

  • capable (preferably powerful) machines – this is the foundation of a valuable analyst tool-set. Get machines that can run VMware with two or more operating systems and you’ll be in good shape. It is best if one of your machines is left off the domain for some separation from the rest of your company’s assets.
  • multiple monitors – analysts have a ton of data to sift through and more display space is a staple. I’ve found it best to start with three high-resolution monitors per analyst and adjust up as needed.
  • comfortable seats – analysts obviously sit for a long time and being comfortable is key to keeping your analysts analyzing.
  • spacious desks – it’s not uncommon for an analyst to have multiple machines (corporate machine, forensics laptop, personal laptop, etc.) and multiple monitors, so being able to reach them without having to routinely re-arrange everything is valuable.
  • admin access – it’s certainly empowering to give analysts admin access on everything, but if you want some controls in place… at least give them a small room to set up a lab where they can have administrative-level access to all the lab resources.
  • headphones – analysts might be seated in an operations center with activity all around them, so it’s helpful to put headphones on, tune out the noise, and just get lost in the data and hunt for APTs (Advanced Persistent Threats).

Not a comprehensive list by any means, but definitely enough to attract and retain quality analysts.

For a deeper analysis of these needs, the MITRE Corporation offers their impressive “Ten Strategies of a World-Class Cybersecurity Operations Center” book for free.

Do your analysts have what they need?
