Episode 28

How to Tackle Burnout in Cybersecurity

Security Operating Center (SOC) staff members are often consumed with tedious manual tasks that lead to burnout and can cost organizations millions of dollars in losses due to human error. Thomas Kinsella, Co-Founder & Chief Operating Officer at Tines discusses at length the challenges faced by SOC team members and makes actionable recommendations on how to decrease burnouts, increase retention, and create a better work environment for the security analysts.


Time Stamps

01:26 -- So, before we get into the Voice of the SOC Analyst report details, Thomas, I'd like to give you this opportunity to provide some highlights of your professional journey.

03:54 -- What led to the study. What's the purpose of the study?

06:39 -- Would you like to add anything about the methodology for the study?

08:53 -- So would you say that it's mostly mid-market organizations that you all were able to tap into?

09:18 -- Let's go through each one of the findings. The first one says 71% of the analysts experience some level of burnout. This could be due to the fact that 69% are understaffed, and 60% have seen increased workloads over the past year. Was this surprising to y'all?

11:27 -- Referring to another finding which states that 64% say they are likely to switch jobs in the next year. So the turnover is going to be very high. What do you recommend organizations do to deal with this challenge?

14:05 -- Why hasn't this automation aspect been addressed yet?

19:39 -- When organizations make the decision of investing in an automation platform, what does it take to make the implementation a truly successful experience?

22:19 -- What do you think about job rotation and job enrichment? Is that done well enough to make make it a little more interesting for the staff?

24:52 -- So, talking about job rotation job enrichment. Yeah, I think this creates a great opportunity for an organization to get the security people outside their comfort zone, and expose them to other company operations. And also get people from the other business operations and bring them into the SOC center. Does that gel with you?

34:29 -- One of the first actionable takeaways from the SOC report is -- "improving time spent on reporting." What do you mean? Because I would think that you want to reduce the time that is spent, the manual hours that is spent in delivering different types of reports. Can you clarify?

36:49 -- Moving on to the second recommendation, which is: "making triage, enjoyable," how do you do that? And if you could clarify for the audience, what do you mean by triage?

41:36 -- So moving on to the third recommended takeaway or actionable item, which is -- "increasing retention by measuring and minimizing burnout." Can you expand on that?

47:53 -- Let's talk about the fourth actionable takeaway -- it's time for no-code automation. What does that mean?

50:49 --Do you have any final words for the listeners?


Memorable Thomas Kinsella Quotes

"It seems to me they (SOC team members) enjoy the work, they feel respected, but that you're just spending their time shifting from screen to screen investigating alerts that are not high enough fidelity."

"People (SOC team members) don't mind working hard if they feel like they're adding a ton of value and feeling like they're productive."

"Purchasing a tool is often equivalent to purchasing weights, or purchasing an exercise bike, they actually just look good in the corner unless you're prepared to use them."

"If you generate some challenges, and get people thinking creatively, and get people digging deeper, they remember the parts about security they really love."

"Shame is the exact opposite of what we should be doing in security, we have to be encouraging people to report and knowing that people are gonna make mistakes. That's why we have defense in depth."

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Transcript
Introducer:

Welcome to the Cybersecurity Readiness Podcast

Introducer:

Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of

Cybersecurity Readiness:

A Holistic and High-Performance

Cybersecurity Readiness:

Approach. He has been studying cybersecurity for over a decade,

Cybersecurity Readiness:

authored and edited scholarly papers, delivered talks,

Cybersecurity Readiness:

conducted webinars, consulted with companies, and served on a

Cybersecurity Readiness:

cybersecurity SWAT team with Chief Information Security

Cybersecurity Readiness:

officers. Dr. Chatterjee is an Associate Professor of

Cybersecurity Readiness:

Management Information Systems at the Terry College of

Cybersecurity Readiness:

Business, the University of Georgia, and Visiting Professor

Cybersecurity Readiness:

at Duke University's Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to

Dr. Dave Chatterjee:

welcome you to this episode of the Cybersecurity Readiness

Dr. Dave Chatterjee:

Podcast Series. Our discussion today will revolve around

Dr. Dave Chatterjee:

tackling burnout in cybersecurity, especially among

Dr. Dave Chatterjee:

Security Operations Center (SOC) staff members. Thomas Kinsella,

Dr. Dave Chatterjee:

Co-founder and Chief Operating Officer at Tines will share

Dr. Dave Chatterjee:

thoughts and perspectives based on his experience, and also from

Dr. Dave Chatterjee:

the findings of a very interesting research study

Dr. Dave Chatterjee:

titled, Voice of the SOC Analyst. Welcome, Thomas.

Thomas Kinsella:

Thank you very much. It's great to be on.

Dr. Dave Chatterjee:

So, before we get into the Voice of the SOC

Dr. Dave Chatterjee:

Analyst report details, Thomas, I'd like to give you this

Dr. Dave Chatterjee:

opportunity to provide some highlights of your professional

Dr. Dave Chatterjee:

journey.

Thomas Kinsella:

Sure. So I think I'm a security engineer

Thomas Kinsella:

through and through, I spent a little time working in

Thomas Kinsella:

professional services. But then I joined eBay, PayPal, and was

Thomas Kinsella:

on the technical investigations team there. So investigating

Thomas Kinsella:

large scale criminal organizations, taking over huge

Thomas Kinsella:

amount of accounts or committing large scale fraud on the site,

Thomas Kinsella:

as well as investigating large scale intrusions for attribution

Thomas Kinsella:

and prosecution. From there, I had the opportunity to join

Thomas Kinsella:

DocuSign when it was relatively young, so myself and I own my

Thomas Kinsella:

partner in Tines, our CEO, we joined the security operations

Thomas Kinsella:

team when it was just the two of us. And we grew that team to by

Thomas Kinsella:

30 people, while we went from like a Series C Company to

Thomas Kinsella:

public and we were responsible for everything from incident

Thomas Kinsella:

response, threat intelligence, eDiscovery, security

Thomas Kinsella:

infrastructure, fraud, most things in security that weren't

Thomas Kinsella:

compliance were reporting up to us. And it was really there that

Thomas Kinsella:

we just felt like the same challenges that I think a lot of

Thomas Kinsella:

security teams feel. So just overwhelmed. felt that the job

Thomas Kinsella:

was really hard, and that there had to be a better way. I guess

Thomas Kinsella:

that's where Tines came in. I'm sure we'll talk about Tines a

Thomas Kinsella:

little bit later. I don't want to shell too much too much on

Thomas Kinsella:

the show. I know it's not it's frowned upon a little bit. But

Thomas Kinsella:

we started Tines, basically, because we believe there could

Thomas Kinsella:

be a better automation platform. So it's now for a little over

Thomas Kinsella:

four years old, we've got 120 people or so lots of really

Thomas Kinsella:

happy customers. And yeah, it's just a super lightweight

Thomas Kinsella:

automation platform and I run the customer success team. So

Thomas Kinsella:

pre and post sales, engineering, we basically yeah, we're we have

Thomas Kinsella:

a lot of customers that are automating loads of repetitive

Thomas Kinsella:

manual security workflows.

Dr. Dave Chatterjee:

Thank you Thomas. That really helps. So

Dr. Dave Chatterjee:

you are the subject matter expert when it comes to SOC

Dr. Dave Chatterjee:

operations. That's wonderful.

Thomas Kinsella:

I won't say the, but I've certainly got a

Thomas Kinsella:

little bit of experience, experience in that area, and

Thomas Kinsella:

also like my day and my team's day, is talking to the best

Thomas Kinsella:

security operations teams out there. I'm learning what they're

Thomas Kinsella:

doing, learning how they're approaching the challenge. So

Thomas Kinsella:

we've got a lot of perspectives, both from this report, but also

Thomas Kinsella:

from a lot of a lot of customers and prospects and peers, I

Thomas Kinsella:

suppose.

Dr. Dave Chatterjee:

Sounds good. Yeah, we're all learning.

Dr. Dave Chatterjee:

There is no such thing as definite expertise. It's

Thomas Kinsella:

always evolving, same security. Yep,

Dr. Dave Chatterjee:

I totally agree. So to set the context for

Dr. Dave Chatterjee:

our discussion today, I'd like to share a couple of excerpts

Dr. Dave Chatterjee:

from the study that we'll be talking about; one of which

Dr. Dave Chatterjee:

says, in my 15 years of being a security practitioner, working

Dr. Dave Chatterjee:

on incident response, and leading security teams, I

Dr. Dave Chatterjee:

witnessed over and over again, that in the SOC, by the way, SOC

Dr. Dave Chatterjee:

stands for security operations center, there's too much work

Dr. Dave Chatterjee:

and not enough staff. More specifically, I saw overload

Dr. Dave Chatterjee:

analysts so consumed with tedious, repetitive tasks that

Dr. Dave Chatterjee:

it led not only to burn out, but to human error that could cost a

Dr. Dave Chatterjee:

company millions. And this is really concerning, because you

Dr. Dave Chatterjee:

can never overemphasize the importance of the work the SOC

Dr. Dave Chatterjee:

team does. So to have the best and the brightest, fully

Dr. Dave Chatterjee:

engaged, fully energized, is so critical. So it's not surprising

Dr. Dave Chatterjee:

that the study would be conducted. But I'd like to,

Dr. Dave Chatterjee:

again, ask you to share with the listeners what led to the study.

Dr. Dave Chatterjee:

What's the purpose of the study? Yeah. So

Thomas Kinsella:

I think we were working in security operations

Thomas Kinsella:

teams, we were monitoring SOX, we talked to a lot of peers on

Thomas Kinsella:

how they were doing. And we Yeah, that's what led us to

Thomas Kinsella:

start Tines, Tines is four years old. And I think we were out of

Thomas Kinsella:

the game a little bit. We were doing a lot of we were having a

Thomas Kinsella:

lot of conversations with people saying, like, Hey, here's the

Thomas Kinsella:

reason we started the company. But we want to know, was that

Thomas Kinsella:

still the case? We wanted to know, like, had the life of a

Thomas Kinsella:

security analyst improved? Were there better tools? Were there

Thomas Kinsella:

better processes? Or was it still the case that they were

Thomas Kinsella:

being overwhelmed with alerts, and that they were dealing with

Thomas Kinsella:

too many repetitive manual tasks? And we didn't really have

Thomas Kinsella:

the answer. And rather than go out and just claim it, we said,

Thomas Kinsella:

actually, this would be really interesting. And also, we wanted

Thomas Kinsella:

to find out Yeah, a little bit more like, hey, what how do

Thomas Kinsella:

these people that are on the frontline actually feel? It's

Thomas Kinsella:

not good enough to say like, Hey, the managers think that

Thomas Kinsella:

they're overwhelmed. It's like, what do they feel? And how do

Thomas Kinsella:

they do they enjoy the work? are they passionate about it? What

Thomas Kinsella:

are their biggest frustrations? What are the things that they

Thomas Kinsella:

loved the most? What would they do if they had more time? So we

Thomas Kinsella:

went away, and we came up with a list of questions that we

Thomas Kinsella:

thought would be super interesting to find out. And

Thomas Kinsella:

yeah, we conducted the study, but really was the aim of it was

Thomas Kinsella:

to see whether or not our like, our initial thoughts still held

Thomas Kinsella:

true, and gathered some really interesting information that

Thomas Kinsella:

could be useful for not just SOC teams, but also like CISOs, who

Thomas Kinsella:

are making decisions and information security

Thomas Kinsella:

professionals and managers around around the world.

Dr. Dave Chatterjee:

Sounds great. Sounds great. So so as

Dr. Dave Chatterjee:

far as the methodology and participant demographics go, let

Dr. Dave Chatterjee:

me share with the listeners a couple of highlights here. 468,

Dr. Dave Chatterjee:

full-time security analysts were surveyed, they worked at

Dr. Dave Chatterjee:

companies with 500 or more employees. The survey was

Dr. Dave Chatterjee:

conducted online via poll fish using organic sampling. And 45%

Dr. Dave Chatterjee:

of the surveyed security analysts work in the technology

Dr. Dave Chatterjee:

sector. In addition, manufacturing, healthcare,

Dr. Dave Chatterjee:

finance, education, utilities, insurance, services, state and

Dr. Dave Chatterjee:

local government, retail and federal, were the other industry

Dr. Dave Chatterjee:

sectors represented in the sample. So the survey really is

Dr. Dave Chatterjee:

representatives of what's going on in a wide range of

Dr. Dave Chatterjee:

industries. So that's really a major strength of this

Dr. Dave Chatterjee:

particular survey. Yeah. Before you get to the findings, Thomas,

Dr. Dave Chatterjee:

would you like to add anything to this, methodology?

Thomas Kinsella:

Yeah, maybe just maybe one or two things.

Thomas Kinsella:

The first is that we only survey people in the United States. So

Thomas Kinsella:

we didn't survey for example, people who were working on a lot

Thomas Kinsella:

of organizations have like eight sourced security operation

Thomas Kinsella:

centers in India, for example, or in the Philippines, we didn't

Thomas Kinsella:

study those, we felt they're a little bit different. And a

Thomas Kinsella:

little bit out of the scope of what we were what we were

Thomas Kinsella:

looking at. And the second thing was just in terms of the number

Thomas Kinsella:

of employees, we tried to split it up roughly as best as we saw

Thomas Kinsella:

the the market. So I think it's 50% or so are in that mid market

Thomas Kinsella:

500 to 1000 person company, I think 30% or so are in the one

Thomas Kinsella:

to 5000, and then 20% are above 5000, a lot more enterprise

Thomas Kinsella:

category. So it's pretty broad, but it is a little bit skewed

Thomas Kinsella:

path, skewed may not be the word, but there's certainly a

Thomas Kinsella:

lot of ways in not, you know, 500 to 1000 person or some

Thomas Kinsella:

company just for reference. Now we have the data, we've broken

Thomas Kinsella:

it down, we've pivoted on on a bunch of different ways.

Thomas Kinsella:

Honestly, it's very consistent throughout, as you'd expect. But

Thomas Kinsella:

even still, it's just worth noting,

Dr. Dave Chatterjee:

Thanks for sharing that. So So would you

Dr. Dave Chatterjee:

say that it's mostly mid-market organizations that you all were

Dr. Dave Chatterjee:

able to tap into?

Thomas Kinsella:

Well, 20% or enterprise? obovata? Oh, 5000.

Thomas Kinsella:

So there's certainly there's certainly a lot there. Um, as I

Thomas Kinsella:

said, the the findings were very consistent, but yet that I think

Thomas Kinsella:

that it's fair to say I'd like between, like if 80% are between

Thomas Kinsella:

500 and 5000, that makes it, makes it mostly that mid-market

Thomas Kinsella:

section.

Dr. Dave Chatterjee:

Okay, fantastic. So now getting to the

Dr. Dave Chatterjee:

key findings. Let's go through each one of these. The first one

Dr. Dave Chatterjee:

says 71% of the analysts experience some level of

Dr. Dave Chatterjee:

burnout. This could be due to the fact that 69% are

Dr. Dave Chatterjee:

understaffed, and 60% have seen increased workloads over the

Dr. Dave Chatterjee:

past year. Was this surprising to y'all?

Thomas Kinsella:

Not particularly surprising to me,

Thomas Kinsella:

but I think there were some adjacent findings to it that

Thomas Kinsella:

were a little bit surprising. So I think the SOC staff felt

Thomas Kinsella:

burned out is like if you go to a conference or you talk to

Thomas Kinsella:

people, like online or if you interview people for jobs,

Thomas Kinsella:

they'll say, Yeah, I'm just overwhelmed or not, not

Thomas Kinsella:

everybody, but most so that that finding wasn't that wasn't too

Thomas Kinsella:

surprising. But there were definitely like the fact that

Thomas Kinsella:

69% say they're understaffed. Again, that's not too

Thomas Kinsella:

surprising, 60% seeing increased workloads over the last year was

Thomas Kinsella:

a little surprising, you would think that things were getting a

Thomas Kinsella:

little bit better. But there were some I suppose, adjacent

Thomas Kinsella:

findings, just arraign that in relation to them, burning out.

Thomas Kinsella:

So there were some interesting things like 69% of them said

Thomas Kinsella:

they were satisfied with their job. And 68% said they were very

Thomas Kinsella:

engaged. And another same 69% said, they felt respected by

Thomas Kinsella:

their peers outside the SOC. What you normally get with, not

Thomas Kinsella:

always what what burnout, it's kind of a combination of a

Thomas Kinsella:

combination of factors, there's, you can deal, you can deal with

Thomas Kinsella:

things and you just want to you want to quit, you feel like it's

Thomas Kinsella:

not worth it. But in this, it kind of suggests that there's

Thomas Kinsella:

actually a certain element of, they really do want to do a good

Thomas Kinsella:

job, that it's not just like they want to, they want to quit,

Thomas Kinsella:

they want to give up that forget about it. It's that they

Thomas Kinsella:

actually they even to some extent, really enjoy doing their

Thomas Kinsella:

job, they feel respected, they get a lot of worth out of doing

Thomas Kinsella:

it. So that was really the fact that that those two kind of

Thomas Kinsella:

clash is really it's just a really interesting, it's really

Thomas Kinsella:

interesting tension between the between the points, but no,

Thomas Kinsella:

initially definitely, like that confirmed our suspicions the

Thomas Kinsella:

fact that 70% or so felt burnt out is not it was not really it

Thomas Kinsella:

was not very surprising.

Dr. Dave Chatterjee:

Yeh, just to build on what you said about

Dr. Dave Chatterjee:

that interesting tension that security analysts are by nature

Dr. Dave Chatterjee:

excited, energized, passionate, yet, they are feeling burnt out.

Dr. Dave Chatterjee:

And again, referring to another finding which states that 64%

Dr. Dave Chatterjee:

say they are likely to switch jobs in the next year. So the

Dr. Dave Chatterjee:

turnover is, is going to be very high. So what do you recommend

Dr. Dave Chatterjee:

organizations do to deal with this challenge?

Thomas Kinsella:

Well, I think that just to highlight, to

Thomas Kinsella:

thread on something there, 64% say they intend to leave their

Thomas Kinsella:

jobs. That's not to say that they will actually leave their

Thomas Kinsella:

jobs, I think they definitely intend to. But yeah, even with

Thomas Kinsella:

the best intentions, you may a) may not find a job or b) maybe

Thomas Kinsella:

things will get better or c) it's hard to find the time and

Thomas Kinsella:

d) this was also taken earlier this year, and the economy's

Thomas Kinsella:

shifted a little bit, so I don't know how risk-averse or

Thomas Kinsella:

risk-prone people will be. But certainly a lot of people said

Thomas Kinsella:

they intend to do that. In terms of I suppose looking at

Thomas Kinsella:

recommendations, I think I think you have to drill into the data

Thomas Kinsella:

a little bit more to kind of understand some of the pain

Thomas Kinsella:

points that people are people are seeing. So when we asked,

Thomas Kinsella:

like, I can't say, Hey, here's a recommendation without trying to

Thomas Kinsella:

try to say like, actually, what are what are the challenges? And

Thomas Kinsella:

when we asked people what some of their most frustrating

Thomas Kinsella:

aspects of work, this was the like, this is a multiple choice

Thomas Kinsella:

question. But over 50% of people said spending time on manual

Thomas Kinsella:

work was one of the most frustrating aspects of their

Thomas Kinsella:

work. The second highest a 37% was the high false positive

Thomas Kinsella:

rates. And the third highest was 35%, too many different consoles

Thomas Kinsella:

and tools to investigate incidents. So it really is that

Thomas Kinsella:

it seems to me they enjoy the work, they feel respected, but

Thomas Kinsella:

that you're just spending your time shifting from screen to

Thomas Kinsella:

screen investigating alerts that are not high enough fidelity.

Thomas Kinsella:

And as a result, you're you're switching context, you're you

Thomas Kinsella:

don't like that it's you're not feeling productive. So even

Thomas Kinsella:

though like people don't mind, my experience, people don't mind

Thomas Kinsella:

working hard if they feel like they're adding a ton of value

Thomas Kinsella:

and feeling like they're productive. In this case, people

Thomas Kinsella:

can see the importance of the work. But I think it's just like

Thomas Kinsella:

automatable, manual, boring, trivial. And I can see why that

Thomas Kinsella:

really leads to burnout and leads to leads to you wanting to

Thomas Kinsella:

move to an organization that's better that has better tools or

Thomas Kinsella:

that has better processes. So I think there's a lot of things

Thomas Kinsella:

that we can do. But those are certainly the highlights that I

Thomas Kinsella:

would say that we can if we want to if if we want to fix things,

Thomas Kinsella:

there are some of the challenges that we can we can address.

Dr. Dave Chatterjee:

Thanks for sharing. So as you were

Dr. Dave Chatterjee:

describing the challenges one thought comes to mind is why

Dr. Dave Chatterjee:

hasn't this automation aspect been addressed yet? Because as

Dr. Dave Chatterjee:

we know that from time to time, intelligence is either not

Dr. Dave Chatterjee:

detected, or intelligence is not acted upon. So lots of misses

Dr. Dave Chatterjee:

happen. And it takes one mistake that could lead to a huge

Dr. Dave Chatterjee:

breach. So the the work of the security operations center, I

Dr. Dave Chatterjee:

would think is mission critical. So, why isn't priority given to

Dr. Dave Chatterjee:

review the workflow, make assessments and bring about

Dr. Dave Chatterjee:

process improvements, which includes automation. I'm just

Dr. Dave Chatterjee:

trying to understand, what's the rationale behind not doing

Dr. Dave Chatterjee:

something about it yet.

Thomas Kinsella:

I think some I think a lot of first of all, a

Thomas Kinsella:

lot of organizations have a lot of organizations have embraced

Thomas Kinsella:

automation clearly, like, in my opinion, not enough. But also

Thomas Kinsella:

sometimes it's really hard to find the like, if you're

Thomas Kinsella:

overwhelmed with alerts, it can kind of be hard to find the time

Thomas Kinsella:

to put your head above the parapet to actually start taking

Thomas Kinsella:

out taking action. So if you don't have time to, to audit,

Thomas Kinsella:

like if you're the analogy that we we normally normally give,

Thomas Kinsella:

and I'm not I'm not a huge sports person, I'm also from

Thomas Kinsella:

Ireland. So I'll probably butcher this analogy. But if you

Thomas Kinsella:

imagine in American football, if your team are on the field

Thomas Kinsella:

playing defense all the time, the answer is do you need a

Thomas Kinsella:

better defense or actually probably need a better offense.

Thomas Kinsella:

And I think that the challenge is that they probably need to

Thomas Kinsella:

hire some people and train them up to be, hey, here's how we

Thomas Kinsella:

automate or use a super lightweight tool like Tines and

Thomas Kinsella:

allow people the time. But if you're spending all your time

Thomas Kinsella:

responding to alerts, it's really hard to it's really hard

Thomas Kinsella:

to find that time. The second part and this is kind of ironic,

Thomas Kinsella:

but the better you get at detecting, the more you have to

Thomas Kinsella:

respond to. So if you purchase a new tool, all of a sudden, it's

Thomas Kinsella:

like, brilliant, we've got better, I've got better

Thomas Kinsella:

visibility into our environment, to a certain extent, you can

Thomas Kinsella:

tune your alerts better, absolutely. But if you purchase

Thomas Kinsella:

a new EDR tool, it's not as a pure alerts, you're gonna go

Thomas Kinsella:

down. Sorry, EDR is Enterprise Detection Response tool. So

Thomas Kinsella:

sorry, Endpoint Detection Response tool. So a tool like

Thomas Kinsella:

CrowdStrike, or Carbon Black or SentinelOne or something like

Thomas Kinsella:

that. If you purchase a tool like that, you all of a sudden,

Thomas Kinsella:

just by definition, have to respond to alerts, and then you

Thomas Kinsella:

have to tune in them. So it takes a long time to, I suppose

Thomas Kinsella:

get to a stage that you're ready to, you're not that you're ready

Thomas Kinsella:

to automate, you can always be ready to automate. But it can

Thomas Kinsella:

can actually take a lot of work. The analogy that I sometimes

Thomas Kinsella:

give for that is that purchasing a tool is often equivalent to

Thomas Kinsella:

purchasing weights, or purchasing an exercise bike,

Thomas Kinsella:

they're actually they're good, but they actually just look good

Thomas Kinsella:

in the corner unless you're prepared to use them. So you

Thomas Kinsella:

have to put in the work to use them to tune them to get the

Thomas Kinsella:

value out of them. And I think that's the case with with

Thomas Kinsella:

automation and with a lot of other products as well, that

Thomas Kinsella:

people find it too difficult. And that's kind of why we

Thomas Kinsella:

created Tines, again, don't want to don't wanna shill. But yeah,

Thomas Kinsella:

we tried to make it super lightweight automation platform

Thomas Kinsella:

so that those analysts that are on the front line that don't

Thomas Kinsella:

have that engineering experience, or that don't know

Thomas Kinsella:

how to code that they can automate the workflow. So they

Thomas Kinsella:

know code, they know how to investigate a suspicious IP

Thomas Kinsella:

address, they know how to investigate a suspicious file.

Thomas Kinsella:

That's what they're doing all day, every day. So we give them

Thomas Kinsella:

the tools to investigate that and automate that themselves. So

Thomas Kinsella:

that they don't have to call in and other teams do.

Dr. Dave Chatterjee:

Yeah, absolutely. So we're basically

Dr. Dave Chatterjee:

talking about a thoughtful automation and not mindless

Dr. Dave Chatterjee:

automation, which is, which happens a lot, I can refer to

Dr. Dave Chatterjee:

say the whole ERP system phenomenon, enterprise resource

Dr. Dave Chatterjee:

planning systems where companies invest in an ERP, but they're

Dr. Dave Chatterjee:

not ready to fully leverage all the functionalities for a

Dr. Dave Chatterjee:

variety of reasons -- procedural, people-related,

Dr. Dave Chatterjee:

structural, cultural. So whenever you're trying to

Dr. Dave Chatterjee:

implement a new technology, a new solution, the organization

Dr. Dave Chatterjee:

should be prepared, there should be a certain level of readiness.

Dr. Dave Chatterjee:

And I'm sure that applies to this particular automation that

Dr. Dave Chatterjee:

that you're talking about.

Thomas Kinsella:

You it's really hard to automate a process if

Thomas Kinsella:

you don't have a process is the is the answer.

Dr. Dave Chatterjee:

And often times, you want to better the

Dr. Dave Chatterjee:

process before you apply technology to it right. You

Dr. Dave Chatterjee:

don't want to automate an inefficient process.

Thomas Kinsella:

like that manual work, day in day out.

Thomas Kinsella:

They do know how to like process a phishing email, they know,

Thomas Kinsella:

okay, we analyze the headers in this particular tool, we check

Thomas Kinsella:

out the URLs in this particular tool, we upload the files to

Thomas Kinsella:

this sandbox, we add all the results to our case management

Thomas Kinsella:

system. And then an hour later, we reply to the end user saying

Thomas Kinsella:

thank you for reporting this mail. It was malicious. That's a

Thomas Kinsella:

process. And even though in your head, that's only three or four

Thomas Kinsella:

steps, it's probably 50 or 60 steps, because you take

Thomas Kinsella:

different steps, if they're the CEO of the organization; you

Thomas Kinsella:

take different steps if it looks like it's benign, immediately,

Thomas Kinsella:

you take maybe it's failed decam or something and you take

Thomas Kinsella:

another step. So there's there's a lot of different steps, but

Thomas Kinsella:

the analyst usually knows that. So it's about enabling, enabling

Thomas Kinsella:

that person who knows that process to automate that

Thomas Kinsella:

automate that task. Okay.

Dr. Dave Chatterjee:

And so when organizations, let's say they

Dr. Dave Chatterjee:

make the decision of investing in an automation platform, yeah.

Dr. Dave Chatterjee:

What else goes with it? Yeah, make that a truly successful

Dr. Dave Chatterjee:

experience.

Thomas Kinsella:

I think there's, there's, there's a lot

Thomas Kinsella:

of different things. Obviously, you have to assign people to do

Thomas Kinsella:

some work on it. But there's also important things that you

Thomas Kinsella:

should be thinking about when you're enabling your team just

Thomas Kinsella:

in general, right? So one thing that you should always be

Thomas Kinsella:

considering is, this isn't something you'll do with your

Thomas Kinsella:

automation platform. But it's tracking the tracking the alerts

Thomas Kinsella:

by the user, just like by the, you should be tracking the MTTR

Thomas Kinsella:

mean time to respond, you should be tracking mean time to detect,

Thomas Kinsella:

but also like, who's responding and who's building these. So

Thomas Kinsella:

that who's building is important, because what you're

Thomas Kinsella:

identifying is, hey, do we have a single point of failure here

Thomas Kinsella:

who's absolutely critical, maybe she's a rockstar, and she's

Thomas Kinsella:

built 10 workflows, you probably a) need to keep that person b)

Thomas Kinsella:

you need to train somebody else up who knows your workflows,

Thomas Kinsella:

because she leaves she's kind of take the team with her. And the

Thomas Kinsella:

second part is the tracking who's responding to those

Thomas Kinsella:

alerts, even if they're enriched, and there's automated,

Thomas Kinsella:

there's still some response. Because it can all you can still

Thomas Kinsella:

have people that are left behind that are doing that manual,

Thomas Kinsella:

boring work. And what you want to do is you want to make that

Thomas Kinsella:

triage fun again, you want to get people automating the

Thomas Kinsella:

boring, but also keeping the really exciting parts of

Thomas Kinsella:

security. Security is an incredibly exciting area. It's

Thomas Kinsella:

growing really fast. There's a never ending number of threats.

Thomas Kinsella:

That's why a lot of us got into it, that you have an opportunity

Thomas Kinsella:

to grow your career and learn very, very fast. But you don't.

Thomas Kinsella:

You're Yeah, analyzing adware all the time. And you don't come

Thomas Kinsella:

across a new breed of malware. Or you see people on Twitter

Thomas Kinsella:

talking about, oh, look, there's this macro enabled malware

Thomas Kinsella:

that's hitting em, I'm not sure was it MTD dot exe or whatever,

Thomas Kinsella:

then you add the new the new ballgame in Microsoft was or

Thomas Kinsella:

bypass and Microsoft in Windows was, if you can't investigate

Thomas Kinsella:

that, it's pretty frustrating. So you want to make it so that

Thomas Kinsella:

you can they these people can have some fun. The next thing

Thomas Kinsella:

that you want to you want to be investigating just in general is

Thomas Kinsella:

how much time people are taking off. So are they actually

Thomas Kinsella:

overwhelmed? Are they spending enough time here? Are they

Thomas Kinsella:

spending enough time like taking holidays? Or are they working

Thomas Kinsella:

all the time? Are they working overtime? How many times have

Thomas Kinsella:

they been paged? How many times? How much time are they spending

Thomas Kinsella:

on call, because that's another measure of how quickly people

Thomas Kinsella:

will leave the organization or how happy they are in the

Thomas Kinsella:

organization. If they're on call all the time. They're getting

Thomas Kinsella:

paged all the time, you're not doing it, you're not doing it

Thomas Kinsella:

right. And in many ways you have to you have to shift left and

Thomas Kinsella:

reduce the risks in your in your organization. There's a whole

Thomas Kinsella:

lot of other things, but there's some of the things that I can

Thomas Kinsella:

I'd recommend.

Dr. Dave Chatterjee:

Sure. Now, what do you think about job

Dr. Dave Chatterjee:

rotation and job enrichment? In the context of, is that done

Dr. Dave Chatterjee:

well? is that done well enough to make make it a little more

Dr. Dave Chatterjee:

interesting for the staff?

Thomas Kinsella:

definitely can be definitely can be done. And

Thomas Kinsella:

especially a lot of people who are younger in their careers

Thomas Kinsella:

actually valued that to a certain extent over they know,

Thomas Kinsella:

and rightly so they view their careers as like, I'll be working

Thomas Kinsella:

here for Barbie working for 40 years, I want to try out a few

Thomas Kinsella:

different things, rather than choosing my career, I'd like

Thomas Kinsella:

sticking with it for the rest of the rest of my life. So a lot of

Thomas Kinsella:

people will really value that. So if you get the opportunity,

Thomas Kinsella:

or if you offer people the opportunity to grow, that could

Thomas Kinsella:

be like go deeper into malware analysis. But if you give them

Thomas Kinsella:

the opportunity to work in compliance, or work on the Red

Thomas Kinsella:

team, or do a shift in IT, and vice versa, you're also you're

Thomas Kinsella:

you're you're retaining your staff, and you're keeping them

Thomas Kinsella:

at you're keeping them happier. The next thing is that that's

Thomas Kinsella:

actually really important for diversity. So a lot of people, a

Thomas Kinsella:

lot of organizations, they they'll the people that they

Thomas Kinsella:

hire are that are experienced, they'll be coming from like,

Thomas Kinsella:

they'll be privileged white men basically. And if you enable a

Thomas Kinsella:

job rotation, you're able to enable internships, you're able

Thomas Kinsella:

to get people with a different background in who you may not

Thomas Kinsella:

have traditionally thought had the skill set to perform SOC

Thomas Kinsella:

duties or to work on a security operations team. If you allow,

Thomas Kinsella:

if you like, job rotation, not only are you getting people from

Thomas Kinsella:

different backgrounds, you're getting people from different

Thomas Kinsella:

skill sets, and you're expanding the pool of candidates that you

Thomas Kinsella:

want. That's so important. Like right now, this isn't anything

Thomas Kinsella:

to do with the report, but it's not a it's not something we

Thomas Kinsella:

found in the report. But there's something like 1.8 people for

Thomas Kinsella:

every single job that's needed in security in the United

Thomas Kinsella:

States, there's 600,000 vacancies, we're not going to

Thomas Kinsella:

fill that by just by by continuing with the same, ah

Thomas Kinsella:

well we'll hire out of the cybersecurity programs in these

Thomas Kinsella:

20 universities. The way we're going to fill it is by having a

Thomas Kinsella:

lot of people from a whole diverse, diverse range of

Thomas Kinsella:

backgrounds, get interested in cybersecurity and be exposed to

Thomas Kinsella:

cybersecurity. So the best teams are doing that and they'll

Thomas Kinsella:

they'll find like a lot of diamonds in there they'll find a

Thomas Kinsella:

lot of real gems that like are super super smart in information

Thomas Kinsella:

security and can add a whole load, and aren't more

Thomas Kinsella:

importantly just coming from that same mode of thinking, they

Thomas Kinsella:

will question things, they will question processes. Yeah, that's

Thomas Kinsella:

definitely effective.

Dr. Dave Chatterjee:

Fantastic. So there is another thought

Dr. Dave Chatterjee:

here. So, talking about job rotation job enrichment. Yeah, I

Dr. Dave Chatterjee:

think this creates a great opportunity for an organization

Dr. Dave Chatterjee:

to get the security people outside their comfort zone, and

Dr. Dave Chatterjee:

expose them to other company operations. And also get people

Dr. Dave Chatterjee:

from the other business operations and bring them into

Dr. Dave Chatterjee:

the SOC center. So they have a sense of what the analysts do,

Dr. Dave Chatterjee:

and what goes on, because by engaging in this kind of an

Dr. Dave Chatterjee:

exercise, which I would like to call it a little out-of-the box

Dr. Dave Chatterjee:

exercise, and which might seem going against the grain of

Dr. Dave Chatterjee:

focusing on expertise, but what it does, it sensitizes, the

Dr. Dave Chatterjee:

entire organization, to the importance of the work the

Dr. Dave Chatterjee:

analysts do, the security analysts do, and also to the

Dr. Dave Chatterjee:

challenges. So this way, the knowledge is spreading, it is

Dr. Dave Chatterjee:

getting to the ears of the top management and other decision

Dr. Dave Chatterjee:

makers. And at the same time, it's also enhancing the level of

Dr. Dave Chatterjee:

awareness and skill sets of the folks who didn't intend on

Dr. Dave Chatterjee:

having a career in security analytics. So by taking this

Dr. Dave Chatterjee:

approach, you're broadening the pool, you might be able to

Dr. Dave Chatterjee:

attract talent from within the organization, like you said,

Dr. Dave Chatterjee:

there is a scarcity of talent in general. So maybe you can tap

Dr. Dave Chatterjee:

into some some talent within the organization. And that kind of

Dr. Dave Chatterjee:

talent is useful because they understand the business. And

Dr. Dave Chatterjee:

they also understand the security. The second point I

Dr. Dave Chatterjee:

wanted to make it goes back to my experience in corporate. When

Dr. Dave Chatterjee:

I started my career, and I was in audit and I was in systems

Dr. Dave Chatterjee:

audit, I often wondered that I do this work, who really cares?

Dr. Dave Chatterjee:

Who does it impact, because you are again, focused in a small

Dr. Dave Chatterjee:

area, and you are not seeing the big picture. And that creates

Dr. Dave Chatterjee:

disillusionment. And I wouldn't be surprised if that happens in

Dr. Dave Chatterjee:

this particular context, as well. So to be able to offer the

Dr. Dave Chatterjee:

security operating center team, the staff members, that be

Dr. Dave Chatterjee:

exposed them to show them that how their work is valued, how it

Dr. Dave Chatterjee:

relates to the top line and the bottom line. That reinforcement

Dr. Dave Chatterjee:

that awareness, again, is very helpful. It makes you feel that

Dr. Dave Chatterjee:

yes, I am in security which is seems like a staff function. But

Dr. Dave Chatterjee:

what I do is equally valuable and important, as the line

Dr. Dave Chatterjee:

folks. Does that gel with you?

Thomas Kinsella:

Yeah, 100%, there's so much that you've had

Thomas Kinsella:

that you've shared there. That's yeah, it's good wisdom. There's

Thomas Kinsella:

a great book of 20 things. And there's a great book called

Thomas Kinsella:

Delivering Happiness by Tony, I'm not going to pronounce his

Thomas Kinsella:

surname correctly, Tony, I think it's Hsieh but I'm not sure. And

Thomas Kinsella:

it's about his journey to start the shoe company Zappos. It's

Thomas Kinsella:

absolutely fascinating. One of my favorite books, I'd recommend

Thomas Kinsella:

that every every listener read it or listen to us. But he talks

Thomas Kinsella:

about, like company culture, there are some really out their

Thomas Kinsella:

ideas in terms of matrix org structures for the organization.

Thomas Kinsella:

But one of the things that every single person who joins the

Thomas Kinsella:

organization must do is spend the first two weeks or the first

Thomas Kinsella:

two weeks in training. But after that two weeks, on the phone

Thomas Kinsella:

with customers, so their biggest problem is Delivering Happiness.

Thomas Kinsella:

They're Delivering Happiness to every single one of their

Thomas Kinsella:

employees, sorry, to one of their employees to one of their

Thomas Kinsella:

customers. So as a result, everybody from the new VP, the

Thomas Kinsella:

new CEO, all the way down to obviously somebody working in

Thomas Kinsella:

customer service, they have to begin their journey on the

Thomas Kinsella:

customer floor talking to customers and it's so so

Thomas Kinsella:

impactful. In that it means that everybody understands the

Thomas Kinsella:

importance of that job. And also the perspective of actually

Thomas Kinsella:

we're delivering delivering to like the top line as well as the

Thomas Kinsella:

as well as the bottom line. It's already it's really impressive.

Thomas Kinsella:

The second part in terms of the security team feeling, I suppose

Thomas Kinsella:

disillusion because they don't feel that love. And they don't

Thomas Kinsella:

feel that like if you're separate from the organization,

Thomas Kinsella:

it's so rare to see. And this is where like automation can come

Thomas Kinsella:

in. But it's also where like delivering interesting threat

Thomas Kinsella:

research or spending time outside of that analyst job can

Thomas Kinsella:

do it. It's so rare to see in an organization or security

Thomas Kinsella:

organization, like do anything innovative in a company that

Thomas Kinsella:

often they are just seen as wow they are protecting us from this

Thomas Kinsella:

threat. But in reality, first of all, many companies and in many

Thomas Kinsella:

institutions, the security and the organization's reputation is

Thomas Kinsella:

critical, right. If you get breached, it's a devastating

Thomas Kinsella:

impact to your your team to your get to your staff, to your

Thomas Kinsella:

customers to your get to do to every single person involved and

Thomas Kinsella:

potentially add it to your stock price. or to the reputation of

Thomas Kinsella:

your university or your organization. But that doesn't

Thomas Kinsella:

mean that like security analyst feel that often they feel that

Thomas Kinsella:

as a pressure. On the other hand, what we seen when people

Thomas Kinsella:

start implementing Tines or other automation platforms, it's

Thomas Kinsella:

incredible to see a CISO be able to brag about like, Hey, here's

Thomas Kinsella:

how much work we've automated. We've automated 72 hours of

Thomas Kinsella:

manual work that we would normally be spending every

Thomas Kinsella:

single week, we've automated that. But what's even cooler is

Thomas Kinsella:

when the CISO talks about, "here, we're able to offboard

Thomas Kinsella:

employees in five minutes using this using this platform." And

Thomas Kinsella:

what you'll see is IT be like, "hold on a second, it takes us

Thomas Kinsella:

like eight hours to onboard these employees on the Sunday

Thomas Kinsella:

before they join and set them up with all these tools. How did

Thomas Kinsella:

you do that? And the CISO is like I am using this tool. Or

Thomas Kinsella:

you see the like the the security team in the middle of

Thomas Kinsella:

an incident start pain indicators enriched into a Slack

Thomas Kinsella:

channel that's been set up and everything has been archived for

Thomas Kinsella:

compliance purposes. There's an audit trail of every single

Thomas Kinsella:

thing that's happening. And meanwhile, the site reliability

Thomas Kinsella:

engineering team or the tech ops team are in the same chat, or on

Thomas Kinsella:

the same zoom or incident meeting. They're like, hold on a

Thomas Kinsella:

second, how are you doing this? How are you monitoring these

Thomas Kinsella:

things? This is crazy. This takes us, you know, hours to do,

Thomas Kinsella:

how are you moving so fast that like, Oh, we're doing this,

Thomas Kinsella:

we're using this tool. And it's so exciting to see that because

Thomas Kinsella:

all of a sudden the CISO is adding value, but also getting

Thomas Kinsella:

credit in the organization and being like, wow, you've you've

Thomas Kinsella:

done an incredible job here. This is this is really exciting.

Thomas Kinsella:

And that is yeah, like the CISOs job is normally like delivering

Thomas Kinsella:

bad news and fighting fires, it's very rarely Yep, check it

Thomas Kinsella:

out, check out the awesome things that I'm doing. So that's

Thomas Kinsella:

really exciting. And that swagger that they can have

Thomas Kinsella:

afterwards. It goes so far to building those relationships

Thomas Kinsella:

with the IT team or with the tech ops team, with the

Thomas Kinsella:

engineering team. They're like why these these people know what

Thomas Kinsella:

they're talking about. And you start being able to move from

Thomas Kinsella:

that organization or that team that's just bring us problems to

Thomas Kinsella:

these these folks know what they are doing. And like, yeah,

Thomas Kinsella:

she's, she's an amazing leader. So that's it's really exciting

Thomas Kinsella:

to see that sort of thing happen.

Dr. Dave Chatterjee:

Very true. In an earlier podcast, I was

Dr. Dave Chatterjee:

talking to the CEO of a billion dollar company, insurance

Dr. Dave Chatterjee:

company. And I made a statement I said, the more I think about

Dr. Dave Chatterjee:

it, the job of a CISO is kind of a thankless job. Yeah. Because

Dr. Dave Chatterjee:

you don't get recognized in general if things are going

Dr. Dave Chatterjee:

well. But if something goes wrong, and you're breached,

Dr. Dave Chatterjee:

obviously, that person is under gets the all the spotlight, the

Dr. Dave Chatterjee:

focus and probably can lose their job. In reacting to that,

Dr. Dave Chatterjee:

this gentleman very articulate, said, Dr. Chatterjee, I, I beg

Dr. Dave Chatterjee:

to disagree. I think it's a very important job. It's not a

Dr. Dave Chatterjee:

thankless job. And I said, You know what, I couldn't agree with

Dr. Dave Chatterjee:

you more, I definitely the C suite, the CEO, the CEO of the

Dr. Dave Chatterjee:

company, senior leadership should remember that should

Dr. Dave Chatterjee:

recognize that and accordingly, empower the function. So that is

Dr. Dave Chatterjee:

one aspect, because after all, that empowerment percolates

Dr. Dave Chatterjee:

right to teams such as the SOC, because how the CISO is viewed

Dr. Dave Chatterjee:

and valued in the organization will have an impact on how the

Dr. Dave Chatterjee:

SOC team feels about their work and the importance of their

Dr. Dave Chatterjee:

work. So it's an interesting dynamic, but that's something

Dr. Dave Chatterjee:

that organizations to be must be sensitive to. And it again, goes

Dr. Dave Chatterjee:

speaks to the point that automation is not the entire

Dr. Dave Chatterjee:

solution. No, no, definitely not. But automation needs to be

Dr. Dave Chatterjee:

supported by appropriate structure, right kind of

Dr. Dave Chatterjee:

processes, right kinds of people. Sorry, you wanted to say

Dr. Dave Chatterjee:

something?

Thomas Kinsella:

Yeah, no, just just definitely like it's not

Thomas Kinsella:

it's definitely not it's certainly not the only solution.

Thomas Kinsella:

There's a ton of a ton of things you can be doing. But also that

Thomas Kinsella:

it's even though something can be an extremely important job,

Thomas Kinsella:

that doesn't refute that it can be thankless, like it doesn't

Thomas Kinsella:

like it's still really, really hard. And it's not, it's not

Thomas Kinsella:

it's not not too surprising. The average tenure of a CISO is

Thomas Kinsella:

something like 18 months. That's like, I don't think that's their

Thomas Kinsella:

choice. Most of the time. I think it's it's really hard to

Thomas Kinsella:

come in and be effective. And oftentimes there's yeah,

Thomas Kinsella:

resistance to to how effective they can be. Yep,

Dr. Dave Chatterjee:

True! So, reverting back to the actionable

Dr. Dave Chatterjee:

takeaways from the report, I like to share with the

Dr. Dave Chatterjee:

listeners, four of them. And then I have a couple of

Dr. Dave Chatterjee:

questions. The first one says -- improving time spent on

Dr. Dave Chatterjee:

reporting, the second one is -- making triage enjoyable. The

Dr. Dave Chatterjee:

third one -- increasing retention by measuring and

Dr. Dave Chatterjee:

minimizing burnout, and the fourth --it's time for no code

Dr. Dave Chatterjee:

automation. My first question here is, when it is stated

Dr. Dave Chatterjee:

improving time spent on reporting, what do you mean?

Dr. Dave Chatterjee:

Because I would think that you want to reduce the time that is

Dr. Dave Chatterjee:

spent the manual hours that is spent in delivering different

Dr. Dave Chatterjee:

types of types of reports. Can you clarify?

Thomas Kinsella:

Yeah, I think there's, I think there's a few

Thomas Kinsella:

things that that that came from that came from this. So it's

Thomas Kinsella:

probably a little bit it's definitely a little bit

Thomas Kinsella:

confusing. The first is, it's where they spend a huge amount

Thomas Kinsella:

of their time on like time consuming tasks. So I think it

Thomas Kinsella:

was literally the place, they said they spent the most tasks

Thomas Kinsella:

was like capturing notes, capturing metrics, filling out

Thomas Kinsella:

tickets, all that sort of stuff. So I think improve is make that

Thomas Kinsella:

like faster and make sure that you're like you're actually

Thomas Kinsella:

adding value as opposed to just copying and pasting. So I think

Thomas Kinsella:

that's, that's one thing that you can definitely do. So

Thomas Kinsella:

basically, don't be filling out the same IP address 10 times get

Thomas Kinsella:

as much information into a ticket beforehand. And then like

Thomas Kinsella:

track, yes track what incidents are coming up all the time, and

Thomas Kinsella:

add value to that reporting. So adding value to that reporting

Thomas Kinsella:

could be actually this alert is super noisy, and is a false

Thomas Kinsella:

positive 95% of the time, so it needs to be tuned. Or as I said,

Thomas Kinsella:

this person is answering 95% of the tickets, or maybe it's not

Thomas Kinsella:

like actually, this alert is super high fidelity, maybe we

Thomas Kinsella:

should be looking into building out building a few, a few more

Thomas Kinsella:

of these. So I think that's some of the things that we talked

Thomas Kinsella:

that we were recommending, were saying improving time spent on

Thomas Kinsella:

reporting is like actually just making it more valuable, rather

Thomas Kinsella:

than just Yeah, filling out an employee's job title and a

Thomas Kinsella:

ticket, that that is not something that you that you

Thomas Kinsella:

need. It's something that's actually really important, but

Thomas Kinsella:

it's not something that you should be doing manually.

Dr. Dave Chatterjee:

Okay. That's good to know. And then

Dr. Dave Chatterjee:

moving on to the second recommendation, which is: making

Dr. Dave Chatterjee:

triage, enjoyable, how do you do that? And if you could clarify

Dr. Dave Chatterjee:

for the audience, what do you mean by triage here?

Thomas Kinsella:

Yeah, so triage is that process of investigating

Thomas Kinsella:

and alert when it comes in? So if you think of a suspicious

Thomas Kinsella:

login alert, this is probably the most common it's the process

Thomas Kinsella:

of taking that IP address and saying, Hey, have we where is

Thomas Kinsella:

this We got an alert that Steve logged in from Egypt. Okay,

Thomas Kinsella:

like, let's take that IP address. Is it on any known

Thomas Kinsella:

threat intel lists has it been seen as bad before? Is Steve

Thomas Kinsella:

actually in Egypt? Is it possible that Steve's on

Thomas Kinsella:

holidays? Where's Steve normally based? Does Steve use a MacBook

Thomas Kinsella:

because it looks like this was a login login from a Windows. That

Thomas Kinsella:

process of triaging an alert is just basically investigating the

Thomas Kinsella:

steps involved, it could be looking in your threat intel

Thomas Kinsella:

tool, or it could be looking in your in your Sim for additional

Thomas Kinsella:

logs, or it could be investigating on your in your

Thomas Kinsella:

EDR tool or in your Cloud console in AWS, it doesn't

Thomas Kinsella:

really it doesn't really matter. The problem with this one, when

Thomas Kinsella:

we say make triage more enjoyable, is that bad triage is

Thomas Kinsella:

that repetitive analysis for duplicate alerts following the

Thomas Kinsella:

screen, same script over and over again. It's noise. It's

Thomas Kinsella:

easy. It's mundane, it's boring. But even worse than that, it's

Thomas Kinsella:

error prone. If you're doing this day in day out for your

Thomas Kinsella:

organization, you're not adding any value. But you're also going

Thomas Kinsella:

to be like, Ah, I think this I think I've seen that IP address

Thomas Kinsella:

before or I think yeah, I think I saw that Dave was in Egypt.

Thomas Kinsella:

And that's not that's not something you want to do. So

Thomas Kinsella:

making it more fun, is that process of like being a

Thomas Kinsella:

detective, that's what people really enjoy about security is

Thomas Kinsella:

that like, ha, I'm detecting something good. Like, this is

Thomas Kinsella:

really interesting. And I remember, so when I worked in,

Thomas Kinsella:

in one of my organizations, we were seeing a load of malspam

Thomas Kinsella:

campaigns. So that's malware campaigns being delivered

Thomas Kinsella:

through phishing. And if you're familiar with those, you'll see

Thomas Kinsella:

the standard names like Emotet, or TRickBot or Hancitor, there's

Thomas Kinsella:

loads of them. And they're really like, they're insidious,

Thomas Kinsella:

you'll get hit with them, like loads of times every single day.

Thomas Kinsella:

But we have a lot of fun in my organization, when we initiated

Thomas Kinsella:

a policy -- the first person to track the fruit or that the

Thomas Kinsella:

first Hancitor email of the day, the first person that can post

Thomas Kinsella:

that in Slack, like won a prize. Basically, there was just a

Thomas Kinsella:

competition to investigate that. And what that meant was that

Thomas Kinsella:

every single mail you were immediately on it. Like, okay,

Thomas Kinsella:

what is this? But the next part about it was that you actually

Thomas Kinsella:

started noticing the patterns here, like actually, I don't

Thomas Kinsella:

think Hancitor ever used a Ring Central team before. Probably

Thomas Kinsella:

not Hancitor. Or it's like, oh, yeah, Hancitor, they recently

Thomas Kinsella:

shifted up their techniques to use this dot doc file, like this

Thomas Kinsella:

probably is them. So you start getting people to go deeper, but

Thomas Kinsella:

also making people a little bit more excited about like the work

Thomas Kinsella:

that they're doing and not just adding, not just adding that

Thomas Kinsella:

boring stuff day in, day out. It's hard to do, but honestly

Thomas Kinsella:

you can do it and if you like if you If you make a, generate some

Thomas Kinsella:

challenges, and you, you get people thinking creatively, and

Thomas Kinsella:

get people digging deeper, they remember the parts about

Thomas Kinsella:

security, they really love to tell I'm getting excited about

Thomas Kinsella:

thinking about it. Now that that was fun. But honestly before

Thomas Kinsella:

that, like when we just saw 20 mails come in, that wasn't

Thomas Kinsella:

funny. This is hard you know. So it's making making that triage

Thomas Kinsella:

process running. And, and there's a lot of things that you

Thomas Kinsella:

can do that you can do for that. So you need to design your team

Thomas Kinsella:

to around I suppose, minimizing those noisy, easy, mundane

Thomas Kinsella:

alerts and maximizing those like being indicative of those

Thomas Kinsella:

creative alerts and creative processes that are hard, but

Thomas Kinsella:

also really worthwhile? You know?

Dr. Dave Chatterjee:

Absolutely. So one thing that is coming

Dr. Dave Chatterjee:

through very clearly, from your articulation is one of the

Dr. Dave Chatterjee:

challenges and success factor is to be able to tease out and

Dr. Dave Chatterjee:

emphasize the creative aspects of the job, while automating the

Dr. Dave Chatterjee:

non- creative aspects.

Thomas Kinsella:

Exactly that that like that if that. And

Thomas Kinsella:

honestly, the non creative aspect is, is all automatable.

Thomas Kinsella:

That's like, that's why that's why people find it boring. Like,

Thomas Kinsella:

if you're looking up an IP address, and five different

Thomas Kinsella:

tools are looking at the hash in 10 different tools or asking a

Thomas Kinsella:

user Hey, do you are you on holidays? Or asking a manager,

Thomas Kinsella:

"did you assign these permissions to this person,"

Thomas Kinsella:

that's the stuff that you're gonna burn out on. But all of

Thomas Kinsella:

that is actually very easy to do in automation. They're all just

Thomas Kinsella:

simple API calls, or they're simple tasks, like sending an

Thomas Kinsella:

email or sending user message in teams or slack.

Dr. Dave Chatterjee:

Okay, fantastic. So moving on to the

Dr. Dave Chatterjee:

third recommended takeaway or actionable item, which is --

Dr. Dave Chatterjee:

increasing retention by measuring and minimizing

Dr. Dave Chatterjee:

burnout. Can you expand on that?

Thomas Kinsella:

Yeah, so I think with this that, there's a

Thomas Kinsella:

lot of like, burnout is not lack of support, it's taking on more

Thomas Kinsella:

that you can handle. It's poor self care. And I think what when

Thomas Kinsella:

we measure the achievements of a SOC, we do measure, like the

Thomas Kinsella:

mean time to investigate, the mean time to detect, but what

Thomas Kinsella:

we're not tracking is, I suppose, how our employees are

Thomas Kinsella:

doing as part of that, or if we are sometimes just the number of

Thomas Kinsella:

tickets that they've answered, which doesn't tell you hey, how

Thomas Kinsella:

hard those tickets were or even, like, yeah, if they're working

Thomas Kinsella:

overtime, or if they're, if there's any indicators of

Thomas Kinsella:

burnout. There's some people that have done a lot of great

Thomas Kinsella:

work on this MongoDB have great articles on this on their on

Thomas Kinsella:

their website, if you want to check it out. But things like

Thomas Kinsella:

measuring who is taking their holidays. So if you're, if

Thomas Kinsella:

you've got somebody who's worked 50 of the last 52 weeks, and has

Thomas Kinsella:

also worked several weekends been paged? That person's

Thomas Kinsella:

definitely burning out. Like there's they haven't had the

Thomas Kinsella:

time to to reflect and get time aid from the organization. Yeah,

Thomas Kinsella:

so who's working weekends who's working overtime? And employee

Thomas Kinsella:

satisfaction reports, but also considering those like recurring

Thomas Kinsella:

employees satisfaction reports, but also like management

Thomas Kinsella:

one-on-one. So spending individual time as a manager

Thomas Kinsella:

with each of your employees? And asking them genuinely, Hey, how

Thomas Kinsella:

are you doing? What do you want to work on? What are your goals

Thomas Kinsella:

for the next three months, and then reviewing those goals after

Thomas Kinsella:

those three months standard management stuff, but again, it

Thomas Kinsella:

doesn't happen when you're slammed with alerts. But those

Thomas Kinsella:

are I think, those are some of the things that we that we

Thomas Kinsella:

recommend that it's just not good enough to, just not good

Thomas Kinsella:

enough to measure this the standard things in a SOC, in

Thomas Kinsella:

order to keep your team and this time you, you have to start

Thomas Kinsella:

measuring, measuring how they're performing, and not just how

Thomas Kinsella:

many tickets they've opened. But more importantly, like, hey, you

Thomas Kinsella:

know, how they're actually performing and how their mental

Thomas Kinsella:

health is performing. It's a really tough job. So we need to

Thomas Kinsella:

track it. The last part about that, sorry, I should have said

Thomas Kinsella:

this at the start. It's important to be really open

Thomas Kinsella:

about your mental health and talk about normalizing the

Thomas Kinsella:

conversation and saying, this is a tough job. It's okay, if

Thomas Kinsella:

you're struggling, it's okay if you find this overwhelming. And

Thomas Kinsella:

offering in place, you can talk to me, you can talk to your

Thomas Kinsella:

manager, you can talk to your peers, or you can talk using the

Thomas Kinsella:

employee assistance program if you have it in place. But in

Thomas Kinsella:

managers, normalizing that conversation saying I've been

Thomas Kinsella:

burnt out at work, or I've experienced these challenges

Thomas Kinsella:

with my mental health is really, really important to share.

Thomas Kinsella:

Otherwise, you're, you're you're kind of saying like, ya know,

Thomas Kinsella:

like, I'm sure you're burnt out, but I've never shown any

Thomas Kinsella:

experience of like, of noting that's only weak people are, you

Thomas Kinsella:

can't do that. It's like incredibly strong and incredibly

Thomas Kinsella:

just intelligent people. Everybody gets experiences. It's

Thomas Kinsella:

not something that you're doing wrong. It's the same as breaking

Thomas Kinsella:

a leg playing sports or something like that. It can

Thomas Kinsella:

happen to everybody.

Dr. Dave Chatterjee:

I'm so glad you said what you said because

Dr. Dave Chatterjee:

it's so important to have that candid conversation, or to

Dr. Dave Chatterjee:

create an environment of honesty and candor where somebody can

Dr. Dave Chatterjee:

just go to their manager or to their peers and say, Look, I'm

Dr. Dave Chatterjee:

experiencing this I could do with some help and offer that

Dr. Dave Chatterjee:

help without treating it as some kind of inability, it is not an

Dr. Dave Chatterjee:

inability, like you said it can happen to everyone. And this

Dr. Dave Chatterjee:

reminds me of something from another episode where this CISO

Dr. Dave Chatterjee:

takes this approach, where when a particular user fell victim to

Dr. Dave Chatterjee:

a phishing attack, and confessed and said, Look, yes, I was

Dr. Dave Chatterjee:

trained, but I messed up. I'm sorry about it. Recognizing the

Dr. Dave Chatterjee:

honesty of it, and using that user, as an example, of somebody

Dr. Dave Chatterjee:

quickly reporting the breach, alerting everyone and not trying

Dr. Dave Chatterjee:

to hide and trying to fend off investigations, and rewarding

Dr. Dave Chatterjee:

that kind of honest behavior, and then supporting it with any

Dr. Dave Chatterjee:

other kinds of educational programs. That is so very

Dr. Dave Chatterjee:

critical. And I'm glad that you all are talking about it in as

Dr. Dave Chatterjee:

one of the takeaways. So we are running out of time.

Thomas Kinsella:

Can I add really I know we're running out

Thomas Kinsella:

of time but really quickly to that. I had a fantastic

Thomas Kinsella:

experience, where we had a we had an incident in again, in my

Thomas Kinsella:

career where we had a an executive assistant, so a

Thomas Kinsella:

C-level staff member's executive assistant, report a phishing

Thomas Kinsella:

email, didn't click on it, just reported. We said, Oh, wow,

Thomas Kinsella:

okay, this looks targeted, like the fact that a C-level staff

Thomas Kinsella:

member is receiving a phishing email or an executive assistant

Thomas Kinsella:

receiving phishing email, this is bad, we look to see had

Thomas Kinsella:

anybody clicked on the link. And we detected three people had

Thomas Kinsella:

clicked on the link. And when we look to see who received the

Thomas Kinsella:

email, five people, in addition to the executive assistant had

Thomas Kinsella:

received it; all executive assistants. So at this point, we

Thomas Kinsella:

had like, not whatever, six recipients, three people clicked

Thomas Kinsella:

on that link, we contacted those three people, two of them had

Thomas Kinsella:

entered their credentials, we locked their accounts

Thomas Kinsella:

immediately, like investigated, we saw a failed login to their

Thomas Kinsella:

failed logins to their accounts by 30 minutes later. And the

Thomas Kinsella:

only reason we detected it was as a result of that one

Thomas Kinsella:

executive assistant reporting. It was incredible. We like we

Thomas Kinsella:

gave her loads of loads of loads of props, as you'd expect, but

Thomas Kinsella:

it really was an indication of I'd much rather you report

Thomas Kinsella:

those, every even if you're unsure, report that phishing

Thomas Kinsella:

email, because without her, we would have had a major major

Thomas Kinsella:

incident on our hands. Because all of those have like, well,

Thomas Kinsella:

they've got access to a lot of sensitive information anyway.

Thomas Kinsella:

But they also have access to their C level staff members

Thomas Kinsella:

mailboxes. So it was really, really important, but super

Thomas Kinsella:

critical. So definitely, shame is the exact opposite of what we

Thomas Kinsella:

should be doing in security, we should be like, it's so hard to

Thomas Kinsella:

get right. We have to be encouraging people to report and

Thomas Kinsella:

knowing that like, people are gonna make mistakes. That's why

Thomas Kinsella:

we have defense in depth.

Dr. Dave Chatterjee:

Absolutely. Thank you for sharing that. So

Thomas Kinsella:

Yeah, so like, I think a lot of people have

Thomas Kinsella:

thought of automation. So that's writing scripts. The challenge

Thomas Kinsella:

with a lot of automation is that it's really hard to do. And as a

Thomas Kinsella:

result, those people that know the processes just can't do it.

Thomas Kinsella:

So what we built in Tines is we built a really lightweight,

Thomas Kinsella:

no-code automation platform that allows anybody, so that's like

Thomas Kinsella:

interns, or like, like low level, low level is not a good

Thomas Kinsella:

word, like SOC analysts of like tier one, or engineers to

Thomas Kinsella:

automate their own workflows. So that could be that manual task

Thomas Kinsella:

of investigating an IP, it could be an engineer who knows how to

Thomas Kinsella:

finally, let's talk about the fourth actionable takeaway, not

Thomas Kinsella:

like build an incredibly complex process. Their tool is simple,

Thomas Kinsella:

but not simplistic, it can go very deep. But the idea is that

Thomas Kinsella:

those people who know the process will be able to use in

Thomas Kinsella:

our case, a simple drag and drop builder to automate away those

Thomas Kinsella:

tasks. So just to say, Okay, I want to investigate an IP

Thomas Kinsella:

address in this tool, I'm going to drag on an action and I can

Thomas Kinsella:

investigate that IP address, I want to send an email, or drag

Thomas Kinsella:

on an action and send an email, I want to contact a user on

Thomas Kinsella:

Slack, I will drag on an action, and contact a user on Slack. And

Thomas Kinsella:

we make it simple enough that people with very, very little

Thomas Kinsella:

experience are able to build and as a result, allow them to focus

Thomas Kinsella:

on much more impactful risk reduction efforts. The no code

Thomas Kinsella:

part is just that it's we make it super easy so that you really

Thomas Kinsella:

don't need to be a developer. It's not to say that you don't

Thomas Kinsella:

know how to you also have to know what an IP address is kind

Thomas Kinsella:

of thing. But it means that it's just Yes, super, super flexible,

Thomas Kinsella:

necessarily, in the order of importance is just the number

Thomas Kinsella:

lightweight, easy to learn. And we've got yet some incredible

Thomas Kinsella:

teams from the small startups through awesome security teams,

Thomas Kinsella:

great, great consumer teams, some universities, yeah, like

Thomas Kinsella:

four. And and that is -- it's time for no-code automation.

Thomas Kinsella:

all the way up to Fortune 10s using the using the platform to

Thomas Kinsella:

all in they're all in the exact same way. So that's what it is.

Thomas Kinsella:

But the power of that is really so the reason we say that as a

Thomas Kinsella:

takeaway is that if you allow those people that are super

Thomas Kinsella:

familiar with the process, they're able to they say, I know

Thomas Kinsella:

exactly what this is. But also it means that when there's a

Thomas Kinsella:

tweak to the process, I actually normally if it's the CEO, we

Thomas Kinsella:

What does that mean?

Thomas Kinsella:

won't send the thanks reporting will be back to you in 24 hours,

Thomas Kinsella:

email will probably say, yes, we'll be back to you

Thomas Kinsella:

immediately, or we'll alert somebody and wake up somebody to

Thomas Kinsella:

respond to that. And that part is the people that are familiar

Thomas Kinsella:

with that process are able to automate that part of the

Thomas Kinsella:

process as well. So that's that that's, that's the idea behind

Thomas Kinsella:

it. And then ultimately, it's that if you do that, first of

Thomas Kinsella:

all, they're fulfilling that creative part that you kind of

Thomas Kinsella:

talked about earlier. And then they're, they're no longer

Thomas Kinsella:

dealing with as many manual repetitive alerts, and they're

Thomas Kinsella:

able to focus on much more impactful risk reduction efforts

Thomas Kinsella:

that are actually going to add value to to the business. That's

Dr. Dave Chatterjee:

Fantastic. Yeah. I mean, so if you can, the

Dr. Dave Chatterjee:

the idea.

Dr. Dave Chatterjee:

extent to which you can reduce the technical hurdle, it always

Dr. Dave Chatterjee:

helps, it helps get more people involved and interested, and

Dr. Dave Chatterjee:

engaged. Well, Thomas, this was a fascinating discussion. I wish

Dr. Dave Chatterjee:

we could go on. But in the interest of time, we have to

Dr. Dave Chatterjee:

conclude here once again, before we wrap things up, do you have

Dr. Dave Chatterjee:

any final words for the listeners

Thomas Kinsella:

just yet? Thank you so much. I've really enjoyed

Thomas Kinsella:

being on if you do want to check out Tines, we've got a free

Thomas Kinsella:

community edition. So anybody can use it. Tines.com just sign

Thomas Kinsella:

up for I think you get three workflows completely for free.

Thomas Kinsella:

And yeah, you can reach out and say hi, I'm on

Thomas Kinsella:

twitter.com/thomas ksec, LinkedIn on just Thomas

Thomas Kinsella:

Kinsella. And yeah, I'd love to say hi, especially anybody that

Thomas Kinsella:

wants to talk about the future of security operations, or

Thomas Kinsella:

mental health burn out, the future of the SOC. I'd love to

Thomas Kinsella:

have those conversations. And yeh please do reach out.

Dr. Dave Chatterjee:

Well, thank you, Thomas. It's been a real

Dr. Dave Chatterjee:

pleasure. Thank you. A special thanks to Thomas Kinsella for

Dr. Dave Chatterjee:

his time and insights. If you liked what you heard, please

Dr. Dave Chatterjee:

leave the podcast a rating and share it with your network. Also

Dr. Dave Chatterjee:

subscribe to the show so you don't miss any new episodes.

Dr. Dave Chatterjee:

Thank you for listening, and I'll see you in the next

Dr. Dave Chatterjee:

episode.

Introducer:

The information contained in this podcast is for

Introducer:

general guidance only. The discussants assume no

Introducer:

responsibility or liability for any errors or omissions in the

Introducer:

content of this podcast. The information contained in this

Introducer:

podcast is provided on an as-is basis with no guarantee of

Introducer:

completeness, accuracy, usefulness, or timeliness. The

Introducer:

opinions and recommendations expressed in this podcast are

Introducer:

those of the discussants and not of any organization.

Next Episode All Episodes Previous Episode

About the Podcast

Show artwork for The Cybersecurity Readiness Podcast Series
The Cybersecurity Readiness Podcast Series
with Dr. Dave Chatterjee

Listen for free

About your host

Profile picture for Dave Chatterjee

Dave Chatterjee

Dr. Debabroto 'Dave' Chatterjee is tenured professor in the Management Information Systems (MIS) department, at the Terry College of Business, The University of Georgia (UGA). He is also a Visiting Scholar at Duke University, affiliated with the Master of Engineering in Cybersecurity program in the Pratt School of Engineering. An accomplished scholar and technology thought leader, Dr. Chatterjee’s interest and expertise lie in the various facets of information technology management – from technology sense-making to implementation and change management, data governance, internal controls, information security, and performance measurement. His work has been accepted and published in prestigious outlets such as The Wall Street Journal, MIT Sloan Management Review, California Management Review, Business Horizons, MIS Quarterly, and Journal of Management Information Systems. Dr. Chatterjee’s research has been sponsored by industry and cited over two thousand times. His book Cybersecurity Readiness: A Holistic and High-Performance Approach was published by SAGE Publishing in March 2021.