Here's the truth -- most of the underperforming analysts I see have the potential to do well, but they are limited by their managers or lack of support from their organization. 1/
Here are the top 5 manager/org factors I see holding analysts back:
- Lack of critical data sources
- No culture of learning
- Poor relationships with IT teams
- Misaligned manager/analyst priorities
- Too much managerial capitulation to strong personalities
2/
- Lack of critical data sources
- No culture of learning
- Poor relationships with IT teams
- Misaligned manager/analyst priorities
- Too much managerial capitulation to strong personalities
2/
The unfortunate part about these things is most managers know and acknowledge them. They just pass the buck and make excuses. It's a lack of ownership and everyone suffers. But, here's the thing... 3/
That lack of ownership often ends up boiling down to a manager who doesn't trust themselves. It'll appear as though they don't trust the analysts, but that's an abstraction. They probably hired the analysts after all. 4/
The best SOCs I see have managers who hold themselves to high standards and provide opportunities to let others rise to those same standards. It's a shame that's so rare. 5/
Maybe you're reading this and you're one of those managers. It's easy to blame *your* manager and use that as an excuse, but most of those problems I listed are still within your power to affect. That'll require trust in yourself and resolve. 6/
I probably talk to more analysts with more in-depth discussions on a regular basis than just about anyone right now. Most SOC problems are human problems when you get down to it, not technical ones. Introspection, ownership, expectations, and effort win the day. 7/7
Let me give an example of what this looks like when it's done right.
I spoke to an analyst in a class recently, and I asked them: "When do you feel comfortable walking away from an alert and calling it a false positive?" 8/
I spoke to an analyst in a class recently, and I asked them: "When do you feel comfortable walking away from an alert and calling it a false positive?" 8/
That analyst responded very quickly... "When I can explain what happened."
Me: "But what if you can't do that?" 9/
Me: "But what if you can't do that?" 9/
Analyst: "Our management expects us to get to root cause every time and they've given us the data and tools to do so."
It was that simple to them. And ya know what? They pretty consistently executed.
10/10
It was that simple to them. And ya know what? They pretty consistently executed.
10/10
