Improving Team Retention with SOAR

ThreatConnect’s intelligence-driven Security, Orchestration, Automation & Response (SOAR) Platform can help organizations address the issues of training and retention. It acts as a process management system that enables faster, more effective, and lower-cost onboarding, because best practices and optimized workflows are built in and structured so that new and existing employees alike can learn them easily. This also allows hiring managers to diversify their talent pool to round out the skills and experience of their team. An additional benefit of a diverse team is that it creates more paths for professional development and career growth, as team members with diverse backgrounds can aspire to higher-level positions in other parts of the organization. And if they do move to another part of the organization, they bring their acquired cybersecurity skills and knowledge with them.

The Struggle with Retention 

Retention of our employees is something we in cybersecurity, as an industry, have been struggling with since long before the current socio-economic climate. As early as 2015, MIT Technology Review and Peninsula Press, a Stanford Journalism Program project, both pointed out that more than 200,000 cybersecurity positions went unfilled while the demand for security-related positions was expected to grow by 53 percent through 2018. Oh, how right they were! “An estimated 3.5 million cybersecurity jobs will be available but unfulfilled by 2021, according to predictions from Cybersecurity Ventures and other experts… according to the chief economist for LinkedIn, Guy Berger, there was a shortage as of September (2019) of 11,000 people with cybersecurity skills in the San Francisco Bay area, 5,000 in New York and almost 4,000 in Seattle, the areas with the largest concentration of need,” as highlighted in The New York Times, The Mad Dash to Find a Cybersecurity Force.

As you can imagine, a worldwide pandemic only exacerbates this problem: “in early 2019, Gartner TalentNeuron data predicted that there would be a global shortage of 2 million cybersecurity professionals by the end of 2019. The global pandemic has further escalated this situation. In spite of a decline in new job postings between February 1 and April 10 (2020), both the U.S. and U.K. saw a surge in demand for infosecurity roles. There was a 65% upswing in demand in the U.S. and an increase of more than 5% in the U.K.” The virus forced a rapid organizational evolution of business operations, condensing a transformation that has historically taken at least a decade into a few months. Hasty growth brings swift change, swift change causes gaps, and gaps are threat actors’ specialty. Like clockwork, when force majeure events occur, threat actors expedite their tactics, techniques and procedures, making companies that are struggling to hire and retain security professionals even more vulnerable.

The Impact of Being Understaffed

Research conducted by ISACA found that “only 21 percent of ‘significantly understaffed’ respondents report that they are completely or very confident in their organization’s ability to respond to threats.” They went on to say, “the impact goes even further, as the research found that enterprises struggling to fill roles experience more attacks, with the length of time it takes to hire being a factor.” The organizations that were unable to fill their open security positions experienced the most attacks. As Sandy Silk, Director of IT Security Education & Consulting at Harvard University, states, “security controls come down to three things—people, process and technology—and this research spotlights just how essential people are to a cybersecurity team. It is evident that cybersecurity hiring, and retention can have a very real impact on the security of enterprises. Cybersecurity teams need to think differently about talent, including seeking non-traditional candidates with diverse educational levels and experience.”

This forces us to adopt new hiring strategies, which can be expensive, according to Harvard Business Review’s Why Competing for New Talent is a Mistake: “so far, organizations have responded by engaging in a war for talent — that is, buying or stealing it, rather than growing it from within. As they compete to fill roles, many have been willing to spend billions on recruiting (or poaching), while reluctant to invest in training their existing workers or unskilled ones, perhaps out of fear their competitors will hire those newly attractive employees away. Spending per employee (around $1,000 per year on average) remains just a fraction of cost-to-hire (which most estimates place around $4,000). However, while overall spending on training by employers increased over the past five years, large companies actually spent less on training per employee in 2018 than they did the previous year.”

They also state that “those numbers reflect a classic tragedy of the commons — fueled by employers who are fishing ever farther into the sea of talent in search of job-ready workers rather than helping incumbents or younger, underserved, and underrepresented groups develop the skills they need to fill tomorrow’s roles.” They add that “companies that invest in their people also become talent magnets. Research suggests that education is among the most valued benefits for modern employees. And, while it’s true that corporate loyalty is at all-time lows and mobility rates are at all-time highs, the data suggest that development programs increase retention.”

Strong teams have a diversity of backgrounds, experiences, skills, and strengths, and cybersecurity roles are becoming more multidisciplinary and cross-functional. As The New York Times, The Mad Dash to Find a Cybersecurity Force, states, “many skills from other industries are transferable to the cybersecurity field. Cybersecurity experts need to be able to communicate policies to, as Ms. (Shamla) Naidoo (global chief information security officer at IBM) put it, ‘increase the cybersecurity I.Q.’ of an entire organization. For example, people from a finance background might be able to educate their co-workers in accounting about cyber risk.” Ms. Naidoo goes on to say, “to solve the skills shortage, we have to hire people who have the right aptitude, who have the right attitude, people who are curious, and are willing to learn. Outside of that, I have very few other criteria. I’m opening the aperture for where we look.”

Where SOAR Comes In

One factor in retention is satisfaction, and one factor in satisfaction is listening to, understanding, and acting on the challenges that a person or team is facing. In working with many incident response, security operations, and threat intelligence teams, I have found these challenges are often clustered around a few themes: large volumes of uncontextualized data (alerts, events, tickets, IOCs); no relevant context around that data; manual and ad-hoc processes for the collection, analysis and dissemination of the data; and the length of time it takes to find relevant intelligence, which negatively impacts speed and accuracy. As I stated in my last blog article, SOARs act as a collection and analysis hub for threat intelligence, security operations, and incident response data and processes. Intelligence and operations are built on a cyclical relationship: as intelligence dynamically changes, it should affect the decision-making process as a result. The automation and orchestration informed by threat intelligence make an organization’s pre-existing technology investments and security team more efficient and effective. Threat intelligence housed in a SOAR influences decisions related to security operations, tactics, and strategy. SOARs help security teams prioritize response, standardize processes, and gain instant access to relevant threat intelligence to improve the speed and accuracy of their detection and response. This makes the security team’s job a lot easier.

Providing a knowledge-management solution that automates manual processes optimizes lean teams, creates efficiency, and frees up team members to focus on doing the job they were hired to do, and the job they enjoy doing. It also gives managers visibility into the output of their team so they can coach and train team members in a meaningful way. In Harvard Business Review’s A Better Way to Develop and Retain Top Talent, Margaret Rogers (VP, Pariveda Solutions) suggests “while training is often necessary when teaching people new skills, it’s only the first step toward a more distant end. In my experience, the most impactful development happens not through formal programs but smaller moments that occur within the workplace: on-the-job learning opportunities that are wholeheartedly catered to the worker’s unique needs and challenges.”

SOARs enable low-risk on-the-job development opportunities for incident response, security operations or threat intelligence teams of all maturity levels, because those teams can create and follow structured, step-by-step guided workflows built on industry and organizational best practices, with built-in guardrails and safety nets. Margaret states, “‘Learning moments’ are an easier, quicker way to move the needle. These moments can be significant or small, but engaging employees in this way is key to helping them step outside their comfort zones, practice, and build confidence. Treating every challenge your employees face as an opportunity for practice and growth — whether it is something personal, like improving communication skills, or practical, like learning a new technology — is critical to establishing an environment in which people believe they are valued enough as individuals to be given the time and space to flourish. It also gives managers the chance to help their employees effectively upskill and reskill on a case-by-case basis as new obstacles arise outside of formal trainings and in everyday work experiences.”

From my experience in leading teams and working with a wide set of organizations across the public and private sectors, the most crucial factor of retention is culture. Specifically, a culture that consists of empowerment, career growth and development, integrity, and collaboration. The stronger the mix of these ingredients, the more productive the team becomes. SOARs do some of the dirty work in enabling these elements to blossom. They are a workbench where security teams can create step-by-step, dynamic workflows around best practices, collaborate during analysis or investigations, and gain visibility into data, teams and their processes so that tailored training and coaching can be provided. Technology alone will not solve this problem, but it can be a helpful partner in developing team satisfaction and thus improving retention.

About the Author


By operationalizing threat and cyber risk intelligence, The ThreatConnect Platform changes the security operations battlefield, giving your team the advantage over the attackers. It enables you to maximize the efficacy and value of your threat intelligence and human knowledge, leveraging the native machine intelligence in the ThreatConnect Platform. Your team will maximize their impact, efficiency, and collaboration to become a proactive force in protecting the enterprise. Learn more at