DarkReading article, 3 Ways to Retain Security Operations Staff, is actually really good. I imagine the work of a typical tier 1 SOC analyst is much the same as NOC staff and probably in a similar vein (managerial-wise) as front line technical support teams. I imagine they have the same challenges and same expectation of burn and churn (aka either get burnt out and leave or get that first year or two of experience and leave). The article cites average retention span of a junior analyst to be 12-18 months. That sounds pretty accurate, especially when reading the description of the tier 1 and tier 2 roles. And I totally buy the fact that right now, after 1-2 years of SOC work, you can jump to something better and see a decent bump in pay now that the candidate is essentially a seasoned professional (so to speak). To be honest, even C- and D-players can coast along and them get more progressive roles after a couple years. (Arguably, you shouldn’t mind if they cycle out, as you’d rather keep your A- and B-players as much as possible.)

The author’s 3 steps are rotation of duties, aggressive training, and step-up retention bonuses so you keep “seasoned” analysts rather than have them jump to those other jobs.

I like these steps, and the solution of rotating duties is sound enough to combat monotonous duties, oddball shifts, on-call demands, and lack of challenging work to learn from (aka be stimulated by). The downside to this is you might still lose people due to rotating down into the tier 1 duties on a regular basis. You might also run into the common rotation problem where tasks at one tier just don’t get done by one person since they know they’ll rotate out of it next week, so it gets left undone. This does help hide underperformers a bit. Another downside is when shift roles are too rigid such that oddball shifts don’t get to rotate.

Of course, these solutions and situations are all variable based on the organization in question. If the organization is just serving tier 1-3 MSSP/SOC functions, maybe it will have to live with the churn and burn process. But if the SOC is part of a larger organization with roles to transition into over time, that should be tapped as a valuable source of promotion and talent retention.