
4 Security Operations Center Best Practices for Success

March 9, 2020

The security operations center (SOC) plays a critical role in an enterprise organization’s efforts to protect their data from rapidly evolving cybersecurity threats.

However, for a variety of reasons revealed in a report by the Ponemon Institute—based on a survey sponsored by Devo of more than 500 IT and security practitioners—organizations are frustrated with their SOC’s lack of effectiveness in performing its vital work. To combat the concerns the survey identified, it’s important for SOCs to refine how they operate. Here are four of the most valuable security operations center best practices to ensure success for enterprises:

  1. Ensure the SOC has full visibility into data across the enterprise
  2. Create business alignment on the organization’s cybersecurity posture, while working to acquire executive commitment for sufficient funding and staffing of the SOC
  3. Build a highly interoperable, enterprise-wide security intelligence technology stack
  4. Make analyst retention a top priority

Let’s dive into each of these security operations center best practices and the challenges they address.

SOC Best Practice #1: Ensure full visibility into enterprise data and cooperation of IT

Fifty-seven percent of survey respondents say turf or silo issues between the organization’s IT and security operations teams diminish the successful operation of the SOC, and 65 percent of respondents say the lack of visibility into the IT security infrastructure is a big problem.

It’s important for organizations to support and help increase their SOC teams’ effectiveness by creating stronger alignment between the SOC and security intelligence tools. With all of the challenges SOC analysts face, lack of access to the resources and information they need to do their jobs should not be one of them. In addition, turf or silo issues between IT security operations and the SOC must be addressed by empowered leaders who can facilitate information sharing and establish stronger collaboration between the teams.

SOC Best Practice #2: Create business alignment between the organization and the SOC

SOCs are not aligned with the objectives and needs of the business. Only 19 percent of respondents say the objectives of the SOC are fully aligned with their organizations’ business needs. Nearly half of respondents say they are not aligned at all. As a consequence, it is difficult to have senior leadership’s support and commitment to providing adequate funding for investments in technologies and staffing.

Given the crucial role SOCs perform for enterprises that are constantly barraged by sophisticated security threats, there’s no excuse for any misalignment between the SOC and the organization’s objectives. If there are silos within an organization that stifle the necessary collaboration between the SOC team and other groups—especially IT security operations—it is incumbent upon leaders to break down those barriers. Doing so will create more strategic security processes and will also likely result in more budget for the SOC, which will help it operate even more effectively.

SOC Best Practice #3: Make sure security tools and technologies are compatible throughout the enterprise

Only 37 percent of respondents say their SOCs have high interoperability with their organizations’ cybersecurity analytics and intelligence tools, and only 40 percent say their SOC is a mature (tried and tested) security entity.

With all that’s at risk for any business that suffers a serious security breach, it’s inconceivable that the tools and technologies used to protect the enterprise and its data would not be fully compatible and optimized throughout the organization. Few organizations have unlimited financial resources to throw at any problem. But spending whatever budget there is in a smart, efficient manner is a reasonable expectation. SOC teams must have the highest possible level of interoperability with the security intelligence tools being used elsewhere in the organization. Again, the onus is on enterprise leaders and the heads of the affected teams to take the necessary steps to ensure there is openness and full collaboration. Security is not the place to take chances or allow turf wars to weaken what should be areas of strength.

SOC Best Practice #4: Make analyst retention a top priority

The challenge of working in a SOC makes it difficult to hire and retain experienced IT security analysts. Sixty-six percent of respondents say it is very likely or likely that experienced SOC analysts would quit because of the stress of the job.

As for what makes working as a SOC analyst so painful, respondents identified many issues.

Leaders have a responsibility to reduce the stress and pain that come with working in a SOC. There is a significant shortage of skilled SOC analysts, so working conditions that drive those already in the field to leave the work they’ve been trained to do must be improved. Without experienced, skilled SOC analysts, organizations will be unable to maintain, let alone enhance, overall enterprise security. The best way to improve working conditions in the SOC, according to respondents, is to automate the analyst workflow. Other recommendations include normalizing the work schedule, giving analysts access to more out-of-the-box content, and providing more resources in general. No organization can have strong security without a strong, effective SOC.

There are many other valuable insights to be gleaned from this survey of professionals who must deal with the challenges posed by today’s state of the SOC. Read the full report by the Ponemon Institute to learn more.
