Why cybersecurity is a shared responsibility: How security leaders can engage end users to alleviate SOC analyst burnout.
By Kayla Williams, CISO, Devo
Sep 30, 2022

An introduction to this article appeared in the monthly Creating Connections newsletter put together by the women of The CyberWire. This is a guest-written article. The views and opinions expressed in this article are those of the authors, not necessarily the CyberWire, Inc.

Cybersecurity is a team sport, and National Cybersecurity Awareness Month (NCSAM) is a great opportunity to remind everyone of that. Hosted by CISA and the National Cybersecurity Alliance (NCSA), NCSAM aims to raise awareness of cybersecurity and ensure everyone has the resources they need to keep their data secure. This year’s theme is “See Yourself in Cyber,” which is quite fitting.

For CISOs and security leaders specifically, NCSAM is the perfect time to reiterate proper cyber hygiene and security best practices across their organizations. End users have never played a more significant role in keeping cybercriminals at bay. However, unlike the security team, end users typically don’t live and breathe security as we cybersecurity professionals do. But they need to start, hence this year’s “See Yourself in Cyber” theme.

SOC teams are busier than ever as they deal with growing data volumes, disparate systems, and a seemingly never-ending flow of alerts that vary in seriousness and criticality. To pay attention to the most severe cyberthreats, analysts need all the help they can get. So, how can you drive a culture of security at your organization? Here are three tips: 

1. Educate and avoid blame culture: Cyberthreats are evolving constantly, and the attack surface has become more complex than ever. So, you must train employees on new and emerging security trends just as quickly as they emerge. Not every security team will have all the subject matter expertise to understand and manage the full technology stack. Therefore, security leaders must stay tuned in to the security and vendor community for alerts and notices. It’s also paramount to continuously review all security-related documentation and check for outdated materials or processes. 

You should ensure new employees receive cyber training during their onboarding processes. And as employees obtain promotions or make lateral movements within the organization, you must also ensure that role-based training is available. Staff should also understand who they should go to if they suspect something is awry in their system. Unfortunately, in many organizations, employees are often too scared or worried they’ll lose their job if they make a security mistake, so they won’t report it, which only exacerbates the problem. To avoid this, companies should develop an acceptable use policy to ensure everyone understands their cybersecurity responsibilities and their duty to help keep the company safe. 

2. Combat shadow IT: SOC analysts cannot protect what they cannot see. Therefore, shadow IT causes significant impediments to their work, introducing unknown amounts of risk to the organization. When employees purchase shadow IT, they often don’t intend to do harm. In many cases, employees simply didn’t realize how long the proper due diligence and approvals would take and cut corners to obtain the tools they need to do their jobs. Security leaders can help their security teams combat this by working cross-functionally to make sure the policies and procedures for purchasing third-party tools are clear, concise, and signed off on by employees. 

3. Communicate clearly about security actions: In today’s corporate environment, it’s become quite challenging to cut through the noise, as everyone is overwhelmed with emails, texts, and calls. Security leaders should adhere to the KISS (keep it simple, stupid!) model when sharing critical information about security actions that employees need to take. Don’t be afraid to use emojis, colored fonts, memes, and short videos, as these minor changes in style and tone can go a long way in getting people to pay attention, absorb the information, and act. 

It’s also critical to demonstrate to employees that security is a priority for top-ranking company leaders. Leaders within different departments should reinforce and re-communicate security actions within their teams, gamifying learning experiences where possible. They should also ensure security is always top of mind by including a security team member in project meetings. Business leaders may be surprised to find security professionals’ knowledge can come in handy to expedite processes and prevent roadblocks. All that said, CISOs and security leaders need to view business unit leaders as their allies — and vice versa!  

While the security operations team certainly bears the brunt of the load in securing the organization, that load becomes a little bit lighter when all employees are vigilant and cyber aware. And while Cybersecurity Awareness Month is a prime opportunity to remind employees about the importance of being cyber smart, CISOs should also make sure educating employees becomes a year-long effort! 

If you’d like to learn more best practices and solve pressing SOC challenges, register to attend Devo’s SOC Analyst Appreciation Day on October 19.