Before the Vicious Cycle Starts: Preventing Burnout Across SOC Roles Through Flow-Aligned Design
Kashyap Thimmaraju, Duc Anh Hoang, Souradip Nath, Jaron Mink, Gail-Joon Ahn
TL;DR
This paper investigates SOC burnout through flow theory and the Vicious Cycle, arguing that accurate, flow-aligned job descriptions at hiring can prevent skill-challenge misfit. By analyzing 106 public SOC postings across 11 countries with inductive content analysis, it identifies dominant communication requirements, diverse certification landscapes, and technology-specific patterns (notably Python and Splunk). The authors contribute a public dataset and a preliminary codebook, establishing a baseline for validating whether stated JD requirements align with actual on-the-job demands and how interviews can assess flow readiness. The work lays a foundation for flow-aligned hiring and outlines validation studies and AI-enabled workflows to sustain practitioner engagement and retention in SOCs.
Abstract
The sustainability of Security Operations Centers depends on their people, yet 71% of practitioners report burnout and 24% plan to exit cybersecurity entirely. Flow theory suggests that when job demands misalign with practitioner capabilities, work becomes overwhelming or tedious rather than engaging. Achieving challenge-skill balance begins at hiring: if job descriptions inaccurately portray requirements, organizations risk recruiting underskilled practitioners who face anxiety or overskilled ones who experience boredom. Yet we lack empirical understanding of what current SOC job descriptions actually specify. We analyzed 106 public SOC job postings from November to December 2024 across 35 organizations in 11 countries, covering Analysts (n=17), Incident Responders (n=38), Threat Hunters (n=39), and SOC Managers (n=12). Using Inductive Content Analysis, we coded certifications, technical skills, soft skills, tasks, and experience requirements. Three patterns emerged: (1) Communication skills dominate (50.9% of postings), exceeding SIEM tools (18.9%) or programming (30.2%), suggesting organizations prioritize collaboration over technical capabilities. (2) Certification expectations vary widely: CISSP leads (22.6%), but 43 distinct credentials appear with no universal standard. (3) Technical requirements show consensus: Python dominates programming (27.4%), Splunk leads SIEM platforms (14.2%), and ISO 27001 (13.2%) and NIST (10.4%) are the most cited standards. These findings enable organizations to audit job descriptions against empirical baselines, help practitioners identify valued certifications and skills, and allow researchers to validate whether stated requirements align with actual demands. This establishes the foundation for flow-aligned interview protocols and investigation of how AI reshapes requirements. Dataset and codebook: https://git.tu-berlin.de/wosoc-2026/soc-jd-analysis.
