How to improve the SOC analyst experience -- and why it matters
Burned-out security analysts miss threats, take longer to investigate incidents and are more likely to quit. Here's how CISOs can improve the SOC analyst experience.
Security Operations Center analysts stand on the front lines between their organizations and countless cyberthreats. How effectively an analyst reacts to any given security alert could mean the difference between a contained, minor incident and a full-on data breach.
Too often, however, SOC analysts suffer from poor workflows, outdated tools and overwhelming workloads. The resulting burnout fuels high turnover -- something organizations can't afford, given the cybersecurity talent shortage. Worse, these conditions create environments where security incidents go undetected or take longer to contain. For CISOs, improving analysts' working conditions is a security imperative that directly impacts organizational risk.
Why analyst experience matters in the SOC -- and beyond
Forrester first coined the term "analyst experience," or AX, with analysts Allie Mellen and Jeff Pollard defining it as, "Security analysts' perception of their interactions with a particular security product, service and process across various workstreams."
Organizations, Mellen and Pollard noted, rely on analysts to recognize, classify, investigate and respond to cyberthreats that pose enormous risk to their organizations. Tools in the SOC, however, often fail to reflect the importance of their work. Siloed data, clunky integrations and poorly functioning user interfaces, they argued, make it unnecessarily challenging and unpleasant for analysts to do their jobs.
"Security teams are regularly forced into a reactive state by too many alerts, too little time and a fragmented security stack, leading to increased employee stress and burnout," agreed Nicole Carignan, field CISO and senior vice president of security and AI strategy at Darktrace, a multinational cybersecurity firm based in Cambridge, England.
Consequences of neglecting the security analyst experience in the SOC include the following, according to experts and practitioners.
Talent attrition
Most, if not all, CISOs have grappled with understaffing in the SOC -- a chronic problem that poor analyst experience makes worse. "Many organizations struggle to provide a good AX, which leads analysts to burn out or look for a role elsewhere," Mellen said.
When unhappy analysts do inevitably quit, remaining team members inherit heavier workloads, further fueling problems and creating a vicious cycle.
Compounding coverage gaps
The effects of talent attrition compound over time. When an organization loses a trained analyst, it also loses months of domain understanding and muscle memory, said Heath Renfrow, co-founder and CISO at cyber disaster recovery firm Fenix24, based in Chattanooga, Tenn.
"That churn creates gaps in coverage, slower response times and greater risk during critical incidents," Renfrow added. "At scale, it becomes a vicious cycle: overworked teams make more mistakes, which increases pressure, which drives more attrition."
For many, the emotional and mental toll quickly becomes untenable, according to Tom Levi, field CISO and director of cyber-risk strategy at CYE, a cybersecurity company based in Herzliya, Israel. "When there are staffing shortages in addition to the fear of getting something wrong, it becomes emotionally exhausting work that cannot be sustained long-term," he said.
Incident outcomes
Poor analyst experience can lead to worse outcomes during security incidents, according to Mellen. "Analysts who don't have the information they need for investigation are not able to respond as quickly and effectively," she said. "They also may spend excessive amounts of time chasing false positives, which prevents them from investigating true incidents."
Operational impact
Poor analyst experience creates operational drag. When analysts must contend with cumbersome tooling, alert noise and handoff friction to do their jobs, investigations slow, and case quality becomes more difficult to standardize. This hurts staff morale and reduces time for proactive work, such as threat hunting.
"Many SOC analysts spend their days triaging endless low-fidelity alerts, fighting noisy tooling and working in reactive mode," Renfrow said. "That grind creates a sense of futility. Analysts feel like they're clicking buttons instead of defending organizations."
What makes a good SOC analyst experience
Poor analyst experience is marked by chaos, tedium, frustration and a sense of futility. In contrast, good analyst experience has the following defining characteristics:
Context. Rather than drowning in false positives and noise, analysts work with high-quality alerts that provide the context they need to take action.
Consolidated tools. Instead of a plethora of disconnected systems, tools are consolidated so analysts don't need to constantly switch among systems to investigate security events.
Respect. Analysts feel their organizations, managers and colleagues respect them as professionals and value their input.
Career paths. Analysts see clear opportunities for professional growth, with career paths beyond endless alert triage.
"What has worked for us is treating analyst experience as an operational priority, not a perk," said Craig Jones, chief security officer at managed detection and response (MDR) provider Ontinue, which has headquarters in Zurich and Redwood City, Calif. "We focus heavily on detection hygiene, tuning noisy rules, rapidly fixing false positives and raising the quality bar so alerts arrive with the context needed to act."
According to Renfrow, Fenix24 achieved similarly positive results through a three-pronged approach: reducing alert noise so analysts can focus on substantive, high-value problems; giving analysts meaningful ownership of cases, so they see how their work restores the ability of the company's customers to do business; and defining clear career paths that encourage skill development beyond basic triage.
How CISOs can improve the SOC analyst experience
To improve the security analyst experience in the SOC, CISOs should consider the following steps:
Include analysts in technology purchases. "CISOs must bring security analysts into the buying decision process and trust their judgment on what will be most effective for the team," Mellen said. "In many cases, there are nuances to how the technology works in practice that practitioners see when they use the software day in and day out, but others might not. Trust your practitioners and compromise where possible."
Invest in alert engineering. Prioritize regularly tuning noisy rules and fixing false positives so that meaningful alerts reach analysts, and low-signal noise that leads to alert fatigue doesn't. If budgets permit, consider upgrading SOC technology to maximize signal, minimize noise and automate repetitive workflows.
Connect alerts to business risk. Help analysts understand the "why" behind investigations by linking alerts to organizational impact. Tag alerts with business priority levels, provide asset context and show how SOC investigations connect to concrete risks.
Integrate platforms. Reduce tool fragmentation by condensing signals, context and workflows within fewer systems. Unified security platforms minimize the manual work of piecing together investigation data across disconnected tools.
Deploy AI and automation strategically. AI can help companies augment their current cybersecurity workforce, expand situational awareness and accelerate mean time to action. But implementation matters, Mellen warned. It's important to evaluate investigative AI agents to determine how accurate they are, and what kind of testing and validation the vendor performs to ensure that accuracy.
Consider managed services. Organizations struggling with understaffing can consider outsourcing threat detection and investigation to MDR providers, reducing the load on in-house analysts.
Create growth opportunities. Develop clear career progression paths for SOC analysts, with continuous training and opportunities to rotate through security disciplines. Help them build expertise beyond basic triage work.
Empower analyst voices. Build a security culture where analysts can speak up, challenge assumptions and contribute to decisions. Provide visible leadership support during incidents and set reasonable on-call expectations.
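The "alert engineering" and "connect alerts to business risk" steps above can be made concrete in a small triage pipeline. The following is an added example, not code from the article or any vendor it quotes; the alert schema, asset inventory and suppression entries are constructed for illustration. It enriches each alert with asset context, drops only false positives that have a documented, time-boxed suppression, and ranks what remains by severity weighted by asset criticality.

```python
from datetime import date

# Constructed asset inventory: the "asset context" an analyst should see on every alert.
ASSETS = {
    "pay-db-01": {"owner": "payments", "criticality": 3, "tier": "crown-jewel"},
    "build-07": {"owner": "platform", "criticality": 1, "tier": "ci-runner"},
    "wks-4412": {"owner": "sales", "criticality": 2, "tier": "workstation"},
}

# Constructed tuning entries. Each false-positive fix records a reason, an owner and an
# expiry, so "tuning a noisy rule" never silently becomes "disabling a detection forever".
SUPPRESSIONS = [
    {"rule": "lolbin-certutil", "host": "build-07", "reason": "CI job fetches build certs",
     "owner": "detection-eng", "expires": date(2025, 12, 31)},
]

SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
UNMAPPED = {"owner": "unknown", "criticality": 2, "tier": "unmapped"}  # hypothetical default


def suppressed(alert, suppressions, today):
    """Return the matching, still-valid suppression entry, or None if the alert must surface."""
    for s in suppressions:
        if s["rule"] == alert["rule"] and s["host"] == alert["host"] and today <= s["expires"]:
            return s
    return None


def triage(alerts, assets, suppressions, today):
    """Enrich alerts with asset context, drop documented false positives, rank the rest.

    Returns (queue, dropped): queue is sorted highest priority first; dropped keeps the
    suppression reason so the decision stays auditable rather than disappearing.
    """
    queue, dropped = [], []
    for a in alerts:
        s = suppressed(a, suppressions, today)
        if s:
            dropped.append({**a, "suppressed_by": s["reason"], "suppression_owner": s["owner"]})
            continue
        asset = assets.get(a["host"], UNMAPPED)
        priority = SEVERITY_WEIGHT[a["severity"]] * asset["criticality"]
        queue.append({**a, **asset, "priority": priority})
    queue.sort(key=lambda e: e["priority"], reverse=True)
    return queue, dropped


ALERTS = [  # constructed sample alerts
    {"id": 1, "rule": "lolbin-certutil", "host": "build-07", "severity": "high"},
    {"id": 2, "rule": "new-admin-login", "host": "wks-4412", "severity": "medium"},
    {"id": 3, "rule": "db-dump-to-tmp", "host": "pay-db-01", "severity": "medium"},
    {"id": 4, "rule": "lolbin-certutil", "host": "pay-db-01", "severity": "high"},
]

if __name__ == "__main__":
    queue, dropped = triage(ALERTS, ASSETS, SUPPRESSIONS, date(2025, 6, 1))
    for e in queue:
        print(e["priority"], e["id"], e["rule"], e["host"], e["owner"], e["tier"])
    print("suppressed:", [(x["id"], x["suppressed_by"]) for x in dropped])
```

Note that the same rule firing on the crown-jewel database is not suppressed, and that once the suppression expires the CI-runner alert returns to the queue for re-evaluation rather than staying hidden.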
Improving the analyst experience is a strategic investment that yields measurable returns in retention, security effectiveness and operational resilience. According to experts and practitioners, CISOs who view positive analyst experience as a security control, rather than a people perk, better position their organizations to defend against increasingly sophisticated threats.
"What has worked for us is treating analysts like elite operators, not interchangeable labor," Renfrow said. "When people feel trusted, skilled and impactful, performance rises and turnover drops."
Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.