How Effective are Security Operations Centers?

A lot of organizations rely heavily on their security operations centers (SOCs) to maintain a strong cyber security posture. But just how effective are these centralized units that are designed to deal with security issues on an organizational level?

Based on recent research, they are not as effective as companies might hope. A study by the Ponemon Institute, “The Economics of Security Operations Centers: What is the True Cost for Effective

Results?,” found that many organizations are dissatisfied with their SOCs, despite the significant investments they’re making.

The report, sponsored by Respond Software, is based on a survey of 637 IT and IT security practitioners at organizations that have a SOC and are knowledgeable about cyber security practices in their organizations.

For the research, Ponemon Institute defined a SOC as a team of expert individuals and the facility in which they work to prevent, detect, analyze, investigate and respond to cyber security incidents.

The SOC is critical to working and performing in today’s digitized economy, the report noted, as a greater share of business operations and sensitive data are brought online. A majority of the survey respondents (73%) view their SOCs as crucial elements of their cyber security strategies.

The most important capabilities of SOCs, according to the survey, are minimizing false positives and reporting threat intelligence information. Other key functions include monitoring and analyzing alerts, detecting intrusions, leveraging technologies such as automation, supporting Agile DevOps initiatives, threat hunting, and cyber forensics.

A majority of respondents said their SOC monitors or manages firewalls or intrusion prevention systems (IPSs), multi-function or unified threat management (UTM) technology, or intrusion detection systems (IDS). Fewer mentioned vulnerability scanning of networks, servers, databases, or applications in the SOC.

The amount of money organizations spend on their SOCs reflect the importance of these entities. The survey showed that organizations on average spend $2.86 million annually on their in-house SOCs. And the spending rises dramatically to $4.44 million annually for organizations that outsource the function to managed security service providers (MSSPs).

Despite this substantial investment in these functions, nearly half of the organizations (49%) said they are dissatisfied with the effectiveness of their SOC in detecting cyber attacks. Of those organizations that hired MSSPs, 58% rated them as ineffective.

Only 17% of respondents find their MSSPs to be highly effective.

Part of the dissatisfaction with MSSPs stems from the high cost of these services, which the report said are often twice the cost of staffing and managing a SOC in-house. Many of the respondents (63%) are looking for a way out of these arrangements, including reviewing new vendors or bringing the SOC function in-house. 

But the research also uncovered challenges organizations face when running an in-house SOC as well. Those organizations that run their SOCs internally grapple with significant staff burnout and turnover. A majority of respondents (70%) noted that their SOC analysts burn out quickly because of the high-pressure environment and workload. They are facing information overload and chasing too many alerts, which are sources of stress.

In order to be effective, SOCs rely upon the expertise of individuals to prevent, detect, analyze and respond to cyber security incidents, the study notes. However, this type of expertise can be costly in terms of salaries, turnover, and the training of analysts.

The cost to hire, train, and retain employees is high and increasing, while turnover is rampant. It’s interesting to note that while the best performing SOCs have a greater number of employees and slightly less turnover, they cost significantly more, the report said. And most organizations don’t have the resources to build out that infrastructure.

The salary of the average analyst is $102,315 and 45% of the survey respondents said salaries are expected to increase an average of 29% in 2020. The time needed to hire and train a single analyst is nearly one year, and on average the analyst stays with the organization slightly more than two years.

Furthermore, the cost effectiveness of SOCs are diminished because those responsible for hiring and training analysts said it takes them away from their other responsibilities. The higher the headcount of an organization, the costlier a SOC is to maintain. Organizations with a headcount of between 25,000 and 75,000 spend an average of $6.27 million. By comparison, those with a headcount of less than 5,000 spend an average of $1.68 million.