Thursday, April 17, 2014

Five Ways to Chase Away Your Best Analysts

Recently, Fast Company published an article entitled “10 Ways to Lose Your Best Employees” ( The article provided an interesting perspective on how companies sometimes drive away their best talent. I thought it might be interesting to take a look at this concept from a security operations/incident response perspective. During the course of my career, I have seen organizations make mistakes that have cost them their best analysts. Hopefully this blog post will help organizations identify ways in which they can improve in order to retain their best talent. Here are my thoughts on “Five Ways to Chase Away Your Best Analysts”:
  1. Put a jerk or an idiot in charge: This concept is fairly universal, and was listed in the original Fast Company article as well. Studies have shown time and time again that the manager has the most direct effect on an employee’s happiness. Security operations is a serious business with serious consequences, and it is one that deserves a serious leader. Think twice before you crown a leader who can’t spell incident response, or who has no incident response or security operations experience. An analyst who needs to take time away from important work to give remedial security lessons to his or her “leader” is not going to be a happy analyst.
  2. Deliver technology that doesn’t work: In the heat of an incident response, key stakeholders need answers, and they need them fast. An experienced analyst knows how to interrogate the data to answer the tough questions of the day. Want to infuriate your best analysts? Provide them with technology that fights them and swims against the workflow, rather than technology that supports the mission. Another great way to bring about that resignation letter.
  3. Micro-manage incident response: During an incident response, management has the best intentions and wants to do what’s best for the organization. But management may be several years removed from the operational realities and best practices of the day. The role of management during incident response is to ask tough questions that need to be answered, and then to step back and let the analysts/incident responders go about doing the work required to answer those questions. More often than not, in my experience, management micro-manages incident response. This causes valuable analyst cycles to be wasted in pursuits that are less value-added or potentially off task. Remember, there are a lot of ideas or thoughts that may seem good in theory, but experience and practice have shown that they are a dead-end. The best analysts know this, and management can empower them by focusing them on high level objectives and then letting them get to work.
  4. Value body heat over grey matter: It’s an unfortunate reality that office environments are sometimes political and require self-promotion. The best analysts are generally apolitical and spend most of their time hard at work, rather than tooting their own horn. Management can help them by presenting and representing their efforts and accomplishments to leadership. Want to step in and take credit for the hard work your best analysts are doing to make yourself look good? Kiss those analysts goodbye.
  5. Don’t match your actions to your words: Analysts are, not surprisingly, analytical by nature. Actions speak louder than words, and analysts can see through words that are not matched by action. If your security operations program is a priority, then make it so through action. Simply speaking to it as a priority without matching that talk with action will cause your best analysts to look elsewhere for a better fit.
Security operations and incident response are already a high priority or are quickly becoming a high priority for almost every organization. There is not enough experienced analytical talent to meet the demands of the field. Given this constraint, it’s perhaps helpful to understand the mistakes of others and to look at making your organization more attractive to scarce analytical talent.

No comments:

Post a Comment