Security operations centers – the units that manage overall cybersecurity within an organization – have been getting a workout during COVID-19. Many organizations moved their SOC staff to remote work within days of coronavirus being declared a pandemic.
This shift to remote work has put a spotlight on three inter-related issues for business and cybersecurity leaders in modernizing SOCs to meet the needs of today’s workplace. These are:

The need for more extensive automation
Expanding the use of machine learning and artificial intelligence
Adapting practices for hiring, training and retaining cybersecurity personnel

Keeping the SOC properly staffed is a challenge in the best of times because of the ongoing cybersecurity skills gap. With the pandemic affecting corporate profits, CISOs are worried about maintaining staffing levels and ensuring that management continues to make the SOC a top priority.
“Bottom line is – this is probably not the time when we can depend on adding new bodies to close that skills gap,” said John Pescatore, director of emerging security trends at SANS Institute, a research and education organization.
For a CISO, the issue is a matter of upskilling the team and getting better productivity without necessarily adding more people, according to Pescatore. The best SOCs get improved results when CISOs spend budgets more efficiently “or at least not keep asking management for more money,” he said.
Embracing Automation and Intelligence
The SOC team receives on average over 11,000 daily alerts, according to a Forrester study, and only half the security professionals polled felt confident they can address all or most of them on a given day.
If your SOC team suffers alert fatigue, it doesn’t necessarily mean you don’t have enough people. Rather, it may mean you are not using automation and intelligence sufficiently to offload work that can be done more effectively by machines than humans.
It may also mean you have the wrong people in the wrong spots and/or are not using your personnel resources most efficiently.
Experts recommend using automation to eliminate the manual rinse-and-repeat work of spotting and triaging alerts. This allows the SOC staff to become more of a proactive shield, upgrading the organization’s defenses.
“You need to be very careful with your security resources…finding that automation and those points where you can work smarter and align with the business,” said Bruce Beam, CIO of (ISC)², the association of certified cybersecurity professionals.
The talent shortage is not necessarily caused by a shortage of bodies but by bodies and budgets being poorly allocated, said Josh Zelonis, a chief technology officer at Palo Alto Networks. He compared the situation to an overwhelmed emergency room, where there may be enough personnel but too much time is spent triaging incoming patients instead of treating them.
The Forrester study found SOC professionals spend more than half their workday investigating and triaging alerts. Less than 15% of their time is spent responding to alerts and mitigating vulnerabilities, and only 10.9% of their time is spent on improving security.
Using AI and machine learning, SOCs can automate a large part of that triage work and free the professionals to do the real work, said Zelonis. Right now, 17% of companies don’t use automation or machine learning in any part of the alert handling. Even companies that have automation are not using it to its full potential. The Forrester report found only 13% were using automation and machine learning for the full lifecycle of an alert—triage, analysis, and response.
“Without changing the allocation of budgets, you can solve that hypothetical challenge of not having enough people,” said Zelonis.
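The kind of triage automation this section describes, as an added example that is not from the article or from any vendor's product: a Python script that takes a constructed batch of alerts from three hypothetical tools (an EDR, an IDS and a firewall), drops (host, rule) pairs that are known to be benign, collapses repeats of the same rule on the same host inside a ten-minute window, and groups what is left into per-host cases ranked by severity and by how many independent tools fired on the host. The alert fields, rule names, host names, suppression list and scoring weights are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample alerts from three hypothetical tools; not real product output.
RAW_ALERTS = [
    {"source": "edr", "ts": "2020-11-02T09:00:05", "host": "ws-017", "rule": "suspicious_powershell", "severity": 3},
    {"source": "edr", "ts": "2020-11-02T09:00:11", "host": "ws-017", "rule": "suspicious_powershell", "severity": 3},
    {"source": "edr", "ts": "2020-11-02T09:00:40", "host": "ws-017", "rule": "suspicious_powershell", "severity": 3},
    {"source": "ids", "ts": "2020-11-02T09:02:30", "host": "ws-017", "rule": "outbound_to_rare_domain", "severity": 2},
    {"source": "fw", "ts": "2020-11-02T09:03:00", "host": "ws-017", "rule": "new_external_connection", "severity": 1},
    {"source": "edr", "ts": "2020-11-02T09:05:00", "host": "srv-backup", "rule": "mass_file_read", "severity": 2},
    {"source": "fw", "ts": "2020-11-02T09:10:00", "host": "ws-042", "rule": "new_external_connection", "severity": 1},
    {"source": "fw", "ts": "2020-11-02T09:11:00", "host": "ws-042", "rule": "new_external_connection", "severity": 1},
    {"source": "ids", "ts": "2020-11-02T09:12:00", "host": "scanner-01", "rule": "port_scan", "severity": 2},
]

# Known-benign context (assumed): an authorized vulnerability scanner and a nightly
# backup job. Without this list an analyst re-discovers the same facts on every alert.
SUPPRESS = {("scanner-01", "port_scan"), ("srv-backup", "mass_file_read")}

# Repeats of one rule on one host inside this window are folded into the first alert.
DEDUP_WINDOW = timedelta(minutes=10)


@dataclass
class Case:
    host: str
    rules: dict = field(default_factory=dict)    # rule -> total alerts seen (repeats included)
    sources: set = field(default_factory=set)    # distinct tools that fired on this host
    max_severity: int = 0
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None

    def score(self) -> int:
        # Assumed weighting: severity dominates, then corroboration by additional
        # independent tools, then breadth of distinct rules. Repeats add nothing.
        return self.max_severity * 10 + 5 * (len(self.sources) - 1) + len(self.rules)


def triage(alerts, suppress=SUPPRESS, window=DEDUP_WINDOW):
    """Return (cases sorted by descending score, stats) for a batch of raw alerts."""
    stats = {"raw": len(alerts), "suppressed": 0, "deduplicated": 0}
    last_kept = {}   # (host, rule) -> timestamp of the last alert that was not folded
    cases = {}       # host -> Case
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["host"], a["rule"])
        if key in suppress:
            stats["suppressed"] += 1
            continue
        ts = datetime.fromisoformat(a["ts"])
        prev = last_kept.get(key)
        if prev is not None and ts - prev < window:
            # Same rule, same host, within the window: keep the count, not the alert.
            stats["deduplicated"] += 1
            case = cases[a["host"]]
            case.rules[a["rule"]] += 1
            case.last_seen = ts
            continue
        last_kept[key] = ts
        case = cases.setdefault(a["host"], Case(host=a["host"], first_seen=ts))
        case.rules[a["rule"]] = case.rules.get(a["rule"], 0) + 1
        case.sources.add(a["source"])
        case.max_severity = max(case.max_severity, a["severity"])
        case.last_seen = ts
    queue = sorted(cases.values(), key=lambda c: c.score(), reverse=True)
    stats["cases"] = len(queue)
    return queue, stats


if __name__ == "__main__":
    queue, stats = triage(RAW_ALERTS)
    print(stats)
    for c in queue:
        print(c.host, c.score(), sorted(c.sources), c.rules)
```

On the sample batch, nine raw alerts become two cases for a human to look at, and the host on which three different tools agree sorts to the top; the two remaining are exactly the ones an analyst cannot dismiss from context alone. The suppression list is where most of the saving comes from, and also where silencing real signals starts, so in a real deployment each entry should carry an owner and an expiry date rather than live forever.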
Automation, combined with AI and machine learning, can make your organization’s SOC less defensive and more proactive.
Addressing the Skills Gap
The skills gap is two-fold: A shortage of cybersecurity personnel in general, as well as a shortage of personnel with the right skills to deal with emerging technologies and channels, such as the increased use of cloud and mobile devices.
“It’s not just about the manning. The manning is important but what we really need to know is the qualifications,” said Beam. “You need to have a good team of analysts and engineers that are constantly tuning your sensors and your processes.”
It’s been a good news/bad news situation, according to the (ISC)² 2020 Cybersecurity Workforce Study. The annual report found the workforce gap shrank in 2020 because while people are still being hired into the field, there is also reduced demand because of business uncertainty.
“The cybersecurity workforce gap is shrinking, but it persists,” the (ISC)² study concluded. “This demands that organizations be creative about how they fill roles and build their bench strength.”
The pandemic is expected to affect budgets into 2021. The (ISC)² survey found 49% of respondents expect their organizations to hire more cybersecurity professionals within the next year. But at the same time, more than half the cybersecurity practitioners polled expect budgets for both personnel and technology will be tight in the future.
The SOC of the future needs professionals who are problem-solvers and curious about keeping up with the latest technologies. That makes them more capable of spotting the vulnerabilities in emerging channels and devices, and able to spend time preventing attacks, rather than be passive spotters playing a game of digital whack-a-mole with cybercriminals.
But where can you find those people?
The (ISC)² survey said the top sources for new hires are new college graduates (32%), consultants and contractors (31%), other departments in the organization (28%) and other companies in the same industry (27%). Beam said his organization has had good results training interns; one was hired as an associate and is now a senior engineer.
A SANS study found respondents said their best sources for “good” SOC employees—staffers their bosses are happy with—were hiring from within, followed closely by recommendations from existing staff. Internships, job fairs and college training programs ranked low in the quality of new hires.
Hiring and training internally also ensures the SOC has people who understand and align with the company’s operations. These internal staff may have a better understanding of how security affects business objectives and the importance of protecting data, not just stopping attacks. For example, someone who works with customer relationship management (CRM) software and has an interest in security could transfer his skills at brand protection and data privacy governance to the SOC.
Value the People You Have
Attrition is the enemy for many SOCs, and burnout is the enemy of SOC personnel. A Ponemon Institute report looking at the effectiveness of SOCs found that 65% of IT security operations staff said the stress of working in the SOC made them think about changing careers or quitting. And 66% of the respondents said it is very likely or likely that experienced security analysts would quit their SOC.
In the Ponemon report, IT security personnel describe working in the SOC as “painful” due to “being on call 24/7/365” and the constant flow of alerts. The report recommended automating the SOC workflow and normalizing the staff schedules to fight burnout.
Among the respondents, 60% said automation helps reduce the stress of their organization’s security personnel and 43% added it’s making them more effective.
One tool that has been effective, according to the Forrester survey, is extended detection and response (XDR) capabilities. They aggregate data from various sources such as the company network and application stack, so companies can execute threat detection and response on all data sources and devices, whether they manage them or not. This makes the SOC staff more productive and the organization more secure.
Freeing SOC staff to spend more time improving security can cut back on attrition. Pescatore said interviews with respondents in the SANS survey showed that teams with the lowest attrition rates have a mix of technology tools that are being constantly updated and built upon by the staff, so they avoid alert fatigue and remain creative and constantly upgrade their skills.
This requires change management, too, said Beam. SOCs are often set apart from the rest of the organization, disconnected from the rest of the business operations. “There’s not a lot of light or interaction with others,” he said. “It’s kind of its own isolated environment.”
Bringing the SOC in alignment with the rest of the business priorities helps both the SOC and other departments. “It starts with management. And it goes all the way down,” Beam said. “Make sure you’re working together.”
For more expert advisory and insights on the issues shaping cybersecurity today, visit Palo Alto Networks CXO Perspectives.