Vulnerability analysis and response may require networking and forensics skills for certain classes of vulnerabilities, but often also requires some mix of the following skills:

  • Programming skills, especially in common languages (C, C++, Python, Java)
  • Reverse engineering and debugging
  • Knowledge of low-level operating system features for Windows, Mac and/or Linux
  • Hardware architecture and basic electrical engineering
  • Software security testing
  • Virtualization and some infrastructure automation
  • Written communications
  • Customer-service mindset

In most organizations, these skills will likely be dispersed among a team of people rather than concentrated in a single person who is expected to be fluent in all of these topics.

Beware Analyst Burnout

Some organizations may have a small enough flow of incoming vulnerability reports that all the CVD-related roles can be fulfilled by a single team, or even a single person. Other organizations might choose to split the technical analysis roles apart from the more human-oriented communication and coordination roles. No matter the arrangements, it is important that vendors and coordinators establishing a CVD capability mitigate the potential for analyst burnout.

Burnout of security analysts is a well-documented phenomenon [1,2,3]. Analysts working full-time in a CVD process are at risk of this too. A vendor's CVD capability may receive a large number of incoming reports each week, especially at larger vendors. This can result in CVD staff becoming stressed and having low job satisfaction, leading to lower quality of work and ultimately employee attrition. The costs of lower quality work (e.g., missing an important report), employee turnover (e.g., hiring and training a new analyst), and associated damage to the vendor's reputation suggest that this problem should be addressed ahead of time with reasonable precautions.

At the CERT/CC, we have attempted to mitigate this issue with reasonable success by implementing the suggestions below. Research has shown that many of these are effective responses to commonly held morale problems [3].

  • Staying well-staffed and rotating responsibility. Organizations may choose to have several team members, trained in the CVD process and tools, who can temporarily assist should a regular CVD analyst be unavailable for any reason, even if these additional team members do not typically do CVD day-to-day. Of course, handing off reports between temporary and full-time analysts leads to other operational concerns as previously discussed, so this must be done carefully. Organizations must also take care that these temporary team members are not pulled away from their own work so often that they themselves experience burnout.

...

Due to the possibility of burnout and the associated costs, the CERT/CC recommends that CVD capability be established within a well-resourced team or teams specifically created for this task, rather than concentrating the responsibilities in a small team, or even a single person. Our suggestions above may help combat analyst burnout, but they do not form an exhaustive list of possible actions.


References

  1. B. Rothke, "Building a Security Operations Center (SOC)," 29 Feb 2012. [Online]. Available: https://www.rsaconference.com/events/us12/agenda/sessions/683/building-a-security-operations-center-soc. [Accessed 24 May 2017].
  2. S. Ragan, "Avoiding burnout: Ten tips for hackers working incident response," 30 April 2014. [Online]. Available: http://www.csoonline.com/article/2149900/infosec-careers/avoiding-burnout-ten-tips-for-hackers-working-incident-response.html. [Accessed 24 May 2017].
  3. S. C. Sundaramurthy, A. G. Bardas, J. Case, X. Ou, M. Wesch, J. McHugh and S. R. Rajagopalan, "A human capital model for mitigating security analyst burnout," in Proceedings of the Eleventh Symposium on Usable Privacy and Security (SOUPS 2015), July 2015.
