Vulnerability analysis and response may require networking and forensics skills for certain classes of vulnerabilities, but often also require some mix of the following skills:

...

In most organizations, these skills will likely be dispersed among a team of people rather than concentrated in a single person who is expected to be fluent in all of these topics.

...

Beware Analyst Burnout

Some organizations may have a small enough flow of incoming vulnerability reports that all the CVD-related roles can be fulfilled by a single team, or even a single person. Other organizations might choose to split the technical analysis roles apart from the more human-oriented communication and coordination roles. No matter the arrangements, it is important that vendors and coordinators establishing a CVD capability mitigate the potential for analyst burnout.

Burnout of security analysts is a well-documented phenomenon [1] [2] [3]. Analysts working full-time in a CVD process are at risk of this too. A vendor's CVD capability may receive a large number of incoming reports each week, especially at larger vendors. This can result in CVD staff becoming stressed and having low job satisfaction, leading to lower quality of work and ultimately employee attrition. The costs of lower quality work (e.g., missing an important report), employee turnover (e.g., hiring and training a new analyst), and associated damage to the vendor's reputation suggest that this problem should be addressed ahead of time with reasonable precautions.

At the CERT/CC, we have attempted to mitigate this issue with reasonable success by implementing the suggestions below. Research has shown that many of these are effective responses to commonly-held morale problems [3].
  • Staying well-staffed and rotating responsibility. Organizations may choose to have several team members, trained in the CVD process and tools, who can temporarily assist should a regular CVD analyst be unavailable for any reason, even if these additional team members do not typically do CVD day-to-day. Of course, handing off reports between temporary and full-time analysts leads to other operational concerns as previously discussed, so this must be done carefully. Organizations must also take care that these temporary team members are not pulled away from their own work so often that they themselves experience burnout.

...

Due to the possibility of burnout and the associated costs, the CERT/CC recommends that a CVD capability be established within a well-resourced team or teams specifically created for this task, rather than concentrating the responsibilities in a small team, or even a single person. Our suggestions above may be helpful to combat analyst burnout, but do not form an exhaustive list of possible actions.


References

  1. B. Rothke, "Building a Security Operations Center (SOC)," 29 Feb 2012. [Online]. Available: https://www.rsaconference.com/events/us12/agenda/sessions/683/building-a-security-operations-center-soc. [Accessed 24 May 2017].
  2. S. Ragan, "Avoiding burnout: Ten tips for hackers working incident response," 30 April 2014. [Online]. Available: http://www.csoonline.com/article/2149900/infosec-careers/avoiding-burnout-ten-tips-for-hackers-working-incident-response.html. [Accessed 24 May 2017].
  3. S. C. Sundaramurthy, A. G. Bardas, J. Case, X. Ou, M. Wesch, J. McHugh and S. R. Rajagopalan, "A human capital model for mitigating security analyst burnout," in Proceedings of the Eleventh Symposium on Usable Privacy and Security (SOUPS 2015), July 2015.