Alert overload is burning out security analysts
Survey suggests overall volume and high rate of false problems are changing priority lists in security operations centers.
Alert overload is changing the work focus in security operations centers and increasing the risk of burnout among analysts, according to a survey by CriticalStart.
Forty-one percent of survey respondents said the main responsibility of their job was analyzing and remediating security threats, down dramatically from 70% in the 2018 survey. Here’s what the priority list looks like:
- Analyzing and remediating security threats: 41%
- Reducing the time it takes to investigate a security alert: 25%
- Investigating as many alerts as possible: 18%
- Limiting the number of alerts sent to clients for review: 13%
That last responsibility—limiting contact with clients—seems to be the default approach for 57% of the respondents. Forty-three percent of the managed security services providers and managed detection response firms report full transparency with clients, “they see everything we see.”
Forty-eight percent let clients see parts of an investigation if the firm needs customer input and 9% offer no transparency at all.
CriticalStart asked more than 50 security professionals to evaluate the state of incident response within security operations centers. This included professionals at the enterprise level as well as at managed security services providers and managed detection and response providers.
Sixty-five percent of respondents investigate more than 10 security alerts each day, up from 45% who managed the same volume last year.
On average, security analysts spend more than 10 minutes investigating each alert and nearly half of them report a false-positive rate of 50% or more.
As companies outsource more security services, the alert overload shifts to security providers and influences hiring and operational procedures. To cope with the overload, providers are turning off certain alerts and hiring more analysts:
- Tune specific features or thresholds to reduce alert volume: 57%
- Ignore certain categories of alerts: 39%
- Turn off high-volume alert features: 38%
- Hire more analysts: 38%
This workload and high-stress environment has an impact on employee retention. CritialStart asked about turnover among security analysts for the first time in this year’s survey. Employee retention doesn’t look good:
- Less than 10% turnover: 20%
- 10 – 25% turnover: 45%
- 25 – 50% turnover: 29%
- More than 50% turnover: 6%
In 2018, LinkedIn found that software, retail, and media companies have the highest turnover rates at 13.2%, 13% and 11.4%, respectively.
The alert overload survey also found that 50% of respondents had 20 or fewer hours of training every year. Only 13% of respondents reported receiving 40-80 hours of training annually and 11% said they received more than 80 hours.