Maslow's SOC by Luigi Ritacca

give me a chair of your work and a sock okay well that's good because this presentation is kind of aimed at you but if you don't work in a sock um this is still pretty relevant so who am I well my name is Luigi rataka I work at Microsoft I'm a crisis manager what that means is basically there are multiple incidents at Microsoft which are large scale lots of different security teams involved and someone needs to manage them to resolution and that's what I do for my day-to-day but before that I was the head of the UK's cyber operations center for the home office I had about 40 direct analysts we did fun things like

protective monitoring threat vulnerability management threat intelligence so all good stuff and when I joined we were just starting out our security operations center and when you're doing that people find out about how much money you've got and how much money you're going to spend and vendors come up to you and say hey buy our product now one of their sales techniques is to say why don't you come and have a look at one of our other customers see what they do see how they use our tool maybe you can take away you know those Lessons Learned we were getting quite a few of these so we thought you know what let's do it let's let's have a road trip part

of this kind of talk is about our lessons that we learned from it and just more a bit background before the home office I was at the BBC for about 10 years in the blue team so today's agenda is I'm going to talk to you about one of the lessons we learned from doing that road trip about the number one killer for cyber operation centers then you're going to take a slight detour talk about a chat called Abraham Maslow and his hierarchy of needs and then finally and then talk about embedding that hierarchy of needs within your sock so when I was traveling around going to these socks looked at their technology Stacks I'm surprised because they're all

different not everyone was using Splunk I was also a surprise that all of their processes were quite unique you know some socks were only caring about endpoints others about networks others were about just email gateways some were huge fusion centers with both privacy physical security involved so that that was quite you know interesting to see as well but they all had one common problem and that was staff retention so cybery at the top there found that one in four new security analysts would quit within a year cxo who have been tracking this found that retention was in cyber security were the highest in years and now that's not just because of the great resignation um it's not just because the UK cabinet

decided to do it the other day it's been a growing Trend so if you have a look at the Sans kind of survey they do every year you can see this ever moving position to people leaving Security operation centers sooner and sooner in fact if you drill down into the detail you'll find that a junior sock analyst so someone in their first sock role will generally stay there for about 18 months this graph this is a standard HR graph that they use to say how productive are my employees and if you have a look at kind of day Zero they join the company they're not just not productive they're actually negatively productive because we take our time out of our day to go

and train them we teach them stuff we're asked answering their questions we're getting them more and more productive and it takes about six to eight months to get there so then you have what we call this Plateau or productivity where you're you know you're really performing and then about month 22 you decide you know what I've got what I can from this role I'm going to look elsewhere and you've got that Trend to zero and so that's the average for an employee if you think about cyber we've got this ever-changing environment of new technologies coming into place so I'd probably say that our kind of gradient to productivity slightly lower in slope because you know everything's

changing so we don't have fixed processes in place so it takes longer for people to get up to speed also if you think about you know one in four stock analyst quitting after 12 months well you're not getting any of your productivity from them you're spending most of your time training them so you're losing that that's really costly because the price of productivity is retention because your staff aren't productive enough your business changes faster than your team can keep up alerts become inefficient incidents take longer to resolve cases build up staff burnout staff leave earlier you can see where I'm going it gets worse and worse eventually until you can no longer perform Your Role your security

operations center becomes defunct the people buying or paying for your security operations center says hey you know what I'm going to go elsewhere maybe to an mssp or maybe I'm going to bring it internal and you've got this kind of cycle of you know shutting down and having to restart so we've got a problem now I'm going to take a little detour talk about this Smiley guy this is Abraham Maslow he was an American psychologist he was born in 1908 and he's a bit of a revolutionary see at the time when he was teaching psychology there was only really two strands of thought so it was what we call freudianism and behaviorism and both of

those really tried to kind of look at the problems in people and their psyches and Abraham Maslow said this is the wrong way to do it we need to look at treating human beings as human beings rather than just a bag of symptoms so he said if we can treat a human and basically satisfy all of their basic needs they can become the best they can be I think he's awesome I mean these are some of the quotes that he's kind of come up with you know one can choose to go back towards safety or forward towards growth that's great really inspirational stuff you know he's probably most famous one is if you all if all you have is a

hammer everything looks like a nail right I bet you heard of that but you didn't know it was this guy and finally in a world of social media you know be independent of the good opinion of other people again super guy now in 1943 this chap wrote a paper called a theory of human motivation now in this paper he described this hierarchy of needs and like I said when humans meet their needs they can become more motivated and more satisfied with life so we had a problem in socks of productivity and retention and this guy wrote a paper on how to make people more motivated so more productive and more satisfied so hopefully we can keep them

for longer now this is the best way to describe that paper you have this pyramid of needs you start off with the bottom parent with the bottom row which is your physiological needs which you know basically making sure you've got a shelter warmth Etc then you've got safety needs security then belongingness esteem needs and then at the top you've got your self-actualization the being the best you can be now Maslow didn't actually come up with the pyramid that was done by a HR business firm in fact when someone showed Maslow this he went oh that's don't like it at all um the main reason is because he said your needs are Dynamic uh you know you

some people might want love more than kind of Financial Security which is probably why we have only fans um so you know he said needs a dynamic you'll never satisfy and eat a hundred percent you know you've you've got a kind of just assume that these needs are going to change over time and what we need to do is just make sure that we can remove the blockers so you can get to the top of your pyramid and be the best who you can be so now I'm going to go through it again but this time I'm going to tell you what we did at a home office so you can kind of understand how we're

filling in this kind of hierarchy of needs so my first sock was actually in a data center uh in a server room I don't know if you all know what a server room's like but it's cold they don't like having hot server rooms it's you know I remember coming in one morning seeing the night shift there and they were all wrapped in blankets they had hot water bottles they had gloves on hats on I thought to myself none of these people have touched a keyboard in about an hour or two they're just there shivering away and I was so you know I remember being quite angry about it having to come into my day shift and having to do a whole

rank of tickets that were left over from the night but I didn't realize that the reason why they weren't doing their job was because they were too concentrated on that basic need of just warmth so took that lesson to Heart at the home office what we did was we spent a lot of money and time on making sure our sock analyst had comfort so big thermostat in the middle of the room so you can crank up that heating and make sure that the chairs people were sitting on were suitable for more than 12 hours so we spent a lot of time ensuring that they could not have to focus on being uncomfortable and could focus on

their job food again really important but again what does a sock have to do with food well most Junior analysts on a night shift they don't tend to meal prep what they do is they go out and we'll buy the nearest takeout they can and they'll keep doing that on a night shift and basically what that means is that take out what really tasty over a period of time actually really bad for you you have what happens is lethargy Creeps in you become unmotivated and it's a bit of a problem it's also really expensive and you know if people become unmotivated due to diet nutrition they'll reflect on their job so I'm not saying we all force

people to eat healthy but give people the opportunity if someone asked me what the most important technology is in a suck I would say a fridge let me put something in there let them store it in fact there was one psychological experiment that took two groups of people separated them measured their productivity and then on one group they said right all you have to do is eat one piece of fruit a day the other group you can do whatever you want and after a week they found that a group who are eating one piece of fruit a day their productivity improved by 25 percent imagine going to your boss and saying I can get rid of a quarter of our staff

here and replace them with this apple that you know um so yeah nutrition really important and again you're probably thinking when you look at that rest well what's the stock got to do with risk well the first thing a stock manager is going to do is he's going to Define your shift pattern now your shift pattern is could be anything from deciding how long you're working in a day from 6 8 10 12 hours to how often your working nights you know are you going to do two weeks of nights and then have the month off or are you going to rotate every two to three days you know new new sleep plan every time there's been plenty of

studies over sleeping especially night shifts and what they found is none of them are good for you nights shorten your life massively so the best thing you can do is ensure that you're working no longer than four hours sorry longer than four nights and you're also working you're switching your sleeping pattern as less frequently as possible so at the home office what we did was we ensured that we had four on four off standard rotation pattern but we added another shift a fifth shift and every five months you would come off shift and be replaced by that fifth year so kind of what happens is everyone got a month of nine to fives they what we

found was people were feeling a bit more invigorated a bit more ready to get back on that horse and yeah they had more daylight in their life which is good and healthy more productive so moving up on that kind of pyramid of needs safety needs psychological safety is really important for our staff so one of the things the stock analyst will do is they'll be the bearer of bad news they'll have to call up people at 3am and say hey you know why uh why is your machine picking or why why is this online and they'll have to wake up and engineer and I don't know if you know many Engineers but they're grumpy especially at 3am

and they may decide to be a bit nasty to that sock analyst and that's really bad we can't let that stand because next time we have one of these alerts that same sock analyst is going to be a bit hesitant in fact they might just not touch it at all you might say you know what I'm going to leave it to the next shift to deal with because last time I did that we got shout out and felt so what we did was at a home office if we ever found out that anyone was mistreating our staff we didn't just raise it to their manager because again their managers knows that person knows what they're like probably will cover

for them we went above them and above them again so we were going to that VP level and always at that level they tended to help a bit more they wanted to be seen as a good guys so that always worked quite well because probably the next day we'd get a lovely worded email about how sorry they were and how they won't ever be nasty or sock analysts again and that's really important because it teaches a sock analyst that they were in the right and that way next time it does happen for real they'll do it again job safety is another big issue for socks so what we want is our stock analyst to be

able to do the jobs um to be able to do their jobs without worry that they're doing it correctly so what we found was by giving everyone a process documenting that out so they all knew what they were doing the had kind of less stress in their life they didn't have to worry that oh do I call this person or is it that person we made sure it was up to them you know everything they could see they could do foreign the stress it made them more productive because you know they could get through tickets faster we found that that was good for us [Music] belongingness needs to get a drink

so you want people to come into work and not be like I hate everyone here you want them to be like oh you know these are my friends these are people I I care about and I'm going to work harder for them now unfortunately it sounds horrible again but the best way to do it is with team bonding activities right you want to take people out of context see what they're like show that actually we're more similar than we are different now what I used to do in a home office was I'd bring in all of my tier twos or my team leads into a room and basically have them discuss all the problems of

the day now in socks if you have different shifts what tends to happen what we found going around was that shifts become a bit native so tribalism happens in a lot of socks where you have one team who who think they're God's gift to Earth you'll have another team who think that team's a bit of a bunch but it happens so by bringing them into a room showing them that they're actually all suffering the same common issues and that they're all willing to work together in fact some of that team's productivity and projects have helped this team's workload you actually developed a better community and a better Bond we found there was a lot less team infying as well when we

brought it together but you're not ever going to escape personalities um some people just rub people up the wrong way now again I was shocked to find when I was going around all these socks that people never change shifts they were never given the option you were literally coming in they won being told that's your team lead and the only way you'd get out of that team is either a promotion or quitting that job so what we did at home office we said look we're realistic every five months you can put in a request to change teams and we'll just do it for you what we found was people were doing that people wanted to change teams

and I think you know that that meant that we kept that individual for a lot longer than we would have done and what we also found was that the good stuff that they had learned on their previous team they took with them so when we found one team which were particularly good with tickets they would then cross-pollinate over and that team would become good at tickets and that that was a real positive thing for us so esteem needs so the best way to kind of please your need for ego as it were is accreditation right give yourself a little shiny sticker and the best way to do that cheapest way to do that is with

accreditation you know going out getting a training course for a week getting that to put on your wall there's been I have so many stock managers I speak to say well I'm not going to help people get another job you know why would I give them some letters after their name and you kind of think well be realistic you're a sock manager you've done this interview process you have never hired one based on you know oh you've got a CH welcome aboard right it doesn't happen um so give them accreditation help that ego another good way to do this is with show and tells so what you can do is when you see one of your analysts doing something

well get them to stand in front of the other analysts get them to tell you what they did you know they'll get the little round of applause you know everyone else will get a bit more kind of motivation and productivity to really kind of boost themselves up the best way to satisfy a steam needs and it's really good for addressing retention as well is to show them a pathway so what pathway is is you take the analysts wherever they are and you say look you're here but in a year you're going to be over there you're going to know how to do this you can know how to do that and I'm going to pay you a

little bit more and what happens is in a year's time they'll reach that point and hopefully you've kept your word you've given them that little bump in salary you've taught them new techniques and they think wow you know that's great they'll look back at that pathway and say oh look there's still a couple more years here for me and so they stay if you don't have that pathway whenever they get to that point then they'll just look at other companies because that's the only future they'll see so definitely one for esteem finally self-actualization this was probably the most critical part of Maslow's kind of motivation kind of whole hierarchy of needs see Maslow said that

anyone had the potential for self-actualization to be achieving kind of number one to be who they want to be and then they would say Okay Maslow will point us who who right now is self-actualizing and you say easy it's Einstein now I've been to myself I've seen that I don't have a room full of Einsteins you know I don't think anyone does so he got a little critique for this in fact he found when he was interviewing a lot of Junior psychologists and and his kind of experiments that the younger you were the less likely you were to be self-actualizing but it didn't bother him too much because he said look it doesn't stop that these people can reach these kind

of periods of he wasn't very religious well he didn't like using religious terms but divine inspiration stuff that would impress you to see it stuff that would make you just happy doing it not necessarily in the search of happiness but just you know you're doing your job and you're happy because of that you've satisfied your needs one of the best ways we can do that in a sock is by giving our analysts freedom now I think one of the worst things that happens within socks is the first thing we do is we restrict our analysts they come in and we say look you're a tier one you're a tier two tier ones don't touch anything the tier twos does tier

twos won't touch anything the tier ones do that's wrong right firstly that's stopping you know Junior analysts from actually resolving an incident from end to end I'm not saying that they shouldn't have oversight but you know let's encourage people to take some initiative to encourage them to give that feeling of completion and so yeah let's let's stop doing that kind of rigid tier structure and at the home office that's kind of what we did you know we still kept the experience there but we said look everyone has access to all the tools that they need to do their jobs and there shouldn't be a reason for you to have to wait for say a crisis manager to walk in to deal

with a crisis you are all crisis managers we didn't pay them like that but a really good way to do this is with projects so especially because of the way we had kind of structured our shifts we had that every five months these teams would come in for nine to five and you know they they had some time during the day where they could speak to people and develop and mature our security operations center so we would give them projects that they wanted to accomplish they we gave them something that they could be proud of and if you remove all of the kind of the barriers you know their basic needs making sure they have the right tools

they can accomplish some great things so in the home office we were able to take threat intelligence information and apply it across our Network in about 15 minutes that was the time you know from someone writing a Blog posting it online to that detection being able to fire on our Network and that was completely open source that was just done off our own backs and I'll be honest that's pretty impressive you know no money was spent there so absolutely like let people be able to achieve those kind of divine moments of inspiration so in summary retention is bad because retention drives well poor attention is bad because poor attention means your productivity fails poor productivity means you're not able

to keep in line with your cases your workload which means burnout happens which means retention is worse foreign had a way to solve that to satisfy our basic needs to satisfy our you know ego satisfy those needs for loving and belongingness we are Community animals After All and at the home office after two and a half years we looked at our retention rate and we knew that the average retention rate for a sock was 50 percent we were achieving 85 I think that's off the back of us actually treating our stock analysts like humans and taking care of their basic needs and you know we were government we didn't pay well you know sorry for the

government people in here but um but there is that right it's more about money it's more about giving people the opportunity to kind of excel in life give them interesting problems and kind of watching people develop so yeah that was quite quick for me but um does anyone have any questions oh fantastic there's lots of people I tell you what we've got microphones around the room so if a song with a microphone comes to you you can have a question [Music] how would you approach um there you go hello how would you approach uh inter-department tribalism yeah the classic sales versus developers and the the kind of tension that often comes with that yeah I mean there's no

helping sales people oh God uh no um it's that bonding again get them in a room get them to understand what each others do right I I'm sure sales people think sock analysts are robots and soccer analysts probably think sales people are egocentric maniacs and some of them are but anyway get them get them together and see that they've got more in common than they have different and uh you'll you'll break down those walls foreign

how did you um get buy-in from so how did you find uh getting buy-in from people above you was for a initiative like this it was kind of a bit of a change yeah it requires money yeah absolutely I mean telling my manager that I needed uh 300 pound for an Ikea sofa was you know difficult but you know when you've got sock analysts and you're trying to explain right sock analysts are like emergency service workers right we don't expect people who work in our emergency service to you know stay awake for 12 hours and then put out on a fire right so keeping them rested keeping them kind of energized will actually reduce incident times and reducing incident

time saves you money which is a lot more than this 300 pound Ikea Cipher that I have to put together on my weekend but yeah so yeah it's framing right everything's going to be to reduce the instant time and that you know really is what it's all about because that's saving money cool any other questions yeah I just got one here um so we kind of looked at it and you said two years is too short that retention period isn't long enough how long can someone really stay in a sock if it's still pyramid structured you know and if they're looking for a level two job they've done the level three time they know they're ready to move on

there's no spot there you know what I mean I think it's so how long would you expect someone to stay in the sock so I think the problem is that people were leaving too soon because they weren't being treated like humans if you are if you go into a sock and you decide look this isn't for me and I'm going to leave in a year then there's there's no fancy chairs that are ever going to keep you there right it's not about keeping them for longer than they should be it's about making sure that they're there for the length of time that they need to grow and develop as a as a decent security analyst the the start at the beginning

about one in four leaving the industry these are our Junior people these are the people we need to fill the skills Gap and we treating them like animals right but there's when we were going around there was one particular sock that stood out I won't name them but basically what they did was they said yeah retention is terrible for us we can't keep any Junior Outlets so what we do is we go out and we every year and we just pull in yeah kind of sandwich year grads and there are junior sock staff and we'll get about 14 of them that was Overkill and we won't let them touch anything we won't let him do anything

they're just there to log and flog like no wonder these people didn't stay right that's a horrible experience so yeah fair enough pressure thanks any other questions

so obviously you were very focused on retention how did you translate that into attracting Talent as well yeah that's that's a good shout um so one of the things that we try to do was you know it's a very competitive market um so we tried to show that we were never going to attract other soft analysts really because our just pay was just not comparable so we wanted people to come in new to the industry so we set up our job adverts and our training and everything geared to people who had never experienced being in a sock before so what we found were we weren't really hiring cyber security graduates we were hiring English Bas we were hiring

you know people who directly wouldn't have come to that role what we also did was when we looked at our job adverts how we set out you know the standard job advert has here's five requirements his five desirables we got rid of all of that we said look here's two requirements that you're hard working and you're motivated and you want to learn this field so we were bringing in new Talent into the industry and then we were giving them that training path so they could stay there for the next four to five years and grow and develop to become decent self-canalists and so yeah uh we we just changed our field of focus really cool any other questions

all right oh [Music] double dipping um did you anchor yourself to like an external pathway or did you end up developing like an internal so I guess a pen tested equipment would be crests yeah or uh would that you would you find that that might make people start looking outside of your company so when we we tried multiple ways one of the the first kind of pathway we tried was very fixed very rigid and we offered people a master's degree in cyber security what we found was that half the people dropped out of it it was too rigid it was too fixed you know there would be a module coming up which was mobile forensics and half the

room was like I don't want to do that I want to look at that so we we opened it up we broaden it up we use something called the severe skills framework for an information age uh that lists something like 200 plus skills and different levels we tied that to their development and their kind of retention and bonus allowance but yeah any other questions is there one out back no all right well if I leave you this go to your manager and say look I want you to give us fruit from now on awesome thank you