While some organizations have increased security operations center (SOC) funding, the overall gains have been meager, and the most significant issues have not only persisted, but worsened, according to Devo Technology.
SOC team overload and burnout
The report, based on a survey Ponemon Institute conducted in March and April 2020 among IT and IT security practitioners at organizations that operate a SOC, examines many of the same issues as last year's edition and found that 60% of SOC team members are still considering changing careers or leaving their jobs because of burnout.
On the positive side, the importance of investing in a SOC remains high, with 72% of respondents categorizing the SOC as “essential” or “very important” to their organization’s overall cybersecurity strategy, up 5% year-over-year.
Additionally, the average annual cybersecurity budget rose by $6 million, to $31 million, with the SOC accounting for more than one-third of that total.
For respondents whose organizations have invested in people, process, and technology, the performance differences are stark. Strong business alignment (73%) and extensive training (67%) help high-performing SOCs achieve more than double the effectiveness of their lower-performing counterparts.
SOC team members continue to face barriers
However, the pain and barriers facing SOC teams are universal and worsening: high performers cite 10% more pain at the extreme level (9 or 10 on a 10-point scale) than low performers, and the two groups differ little at the level below that (7 or 8).
The major areas of pain and resistance include:
- 70% suffer a lack of visibility into the IT infrastructure (up from 65%)
- 64% combat turf or silo issues between IT and the SOC (up from 57%)
- 71% need greater automation (up from 67%), especially as they continue to spend substantial manual effort on tasks such as alert management (47%), evidence gathering (50%), and malware protection and defense (50%)
- Environmental factors are driving substantially higher pain, including information overload (67%, up from 62%), burnout from increased workloads (75%, up from 73%) and “complexity and chaos” in the SOC (53%, up from 49%)
The perennial issue of a skills shortage
Not surprisingly, the perennial skills shortage (cited by more than 50% of respondents) is close to the heart of the problem. But digging deeper, it quickly becomes apparent that people, process, and technology are misaligned and inefficient across the board:
- Nearly 40% say their organization has too many tools, and more than half lack all the data they need, or the ability to turn it into actionable intelligence
- While 76% say training/retention is highly important, more than 50% have no formal programs in place, and more than 50% cite the lack of skilled personnel as a major factor in SOC inefficiency
- Mean time to resolution (MTTR) remains unacceptably high, with 39% saying their average time to resolve an incident is “months or even years”
“At first blush, the data from the survey made it appear that SOCs are advancing, but it turns out the budget growth and successes hide substantial pain—and to achieve even these modest successes consumes considerable resources,” said Julian Waits, general manager, cybersecurity at Devo.
“While the focus and efforts of high-performing SOCs are driving them to be successful in spite of increasing barriers, that success comes at an unacceptable human cost. Seventy-eight percent of respondents say working in the SOC is very painful.
“Even more troubling, 69% say that experienced analysts would quit the SOC because of stress. It’s clear that significant reforms must be made to achieve greater SOC efficiency and engagement—with less analyst stress—especially in the face of a new economic normal that will likely constrain investments for some time to come.”
Alleviating SOC team pain
For all the friction and pain, high-performing teams continue to advance the benefits SOCs provide to their organizations and should be commended for their efforts. Most importantly, high-performing teams have built strong business consensus: 73% report that their SOC objectives are aligned with business objectives, whereas 63% of low performers report no alignment at all.
Among the lessons that can be drawn from the findings, the top three actions respondents cite as demonstrably alleviating SOC analyst pain are greater workflow automation (71%), advanced analytics and machine learning (63%), and more out-of-the-box content (55%).