When it comes to maintaining your car’s performance, getting regular wheel alignments can prevent uneven braking, reduced fuel efficiency, and accelerated tire wear. For all four tires to work together, traveling in the same direction, proper alignment is vital.

So, too, it is for the modern SOC. Or at least it should be.

However, research from the 2021 Devo SOC Performance Report™ shows that SOC leaders and staff do not see eye to eye on many key issues, from overall SOC effectiveness to solutions on how to reduce team burnout. The misalignment between these groups, which should work in unison to protect their organizations from constant cyberthreats, can create downstream consequences including:

  • Difficulties in staff retention and training
  • Team burnout
  • SOC ineffectiveness
  • Improper tool and technology selection
  • Reduced ROI

This post, the first in a series examining results from the 2021 SOC Performance Report, presents 7 signs of SOC misalignment.

#1: SOC Effectiveness
When SOC leaders and staff are not in sync, they don’t see things with a unified vision. For example, the two groups are not likely to agree on how well their SOC is operating. When asked how effective their SOC is, leaders scored it a 5 and staff a 3.9 on the 10-point scale. The gap widens in response to the question of how effective their SOC is in its ability to gather evidence, investigate and find the source of threats, which earned a 5.5 from leaders and only a 3.3 from staff.

#2: Root Causes
When it comes to areas of ineffectiveness in their SOCs, leaders and staff members agree that those issues exist — but they disagree on the root cause.

For example, when asked to identify the biggest cause of SOC ineffectiveness, 65% of leaders cited “visibility into the attack surface.” 61% of staff, on the other hand, believe the primary factor contributing to SOC ineffectiveness is “having too many tools.”

Another subject with some sharp disagreement is the two groups’ perceptions about their SOCs’ effectiveness in mitigating risks after they are identified. 51% of leaders say their SOC does an effective job mitigating risks once they’re identified, but only 35% of staff feel the same.

#3: The “Big Picture” vs. Individual “Events”
What’s causing these disparate perspectives between SOC leaders and staff? It’s reasonable to conclude that leaders may be looking at “big-picture” issues, such as whether the organization has been breached or whether it suffered any financial losses or reputational harm due to a cyberattack, malware, etc.

Staff, however, tend to focus on how many events come across their screens that require some degree of action to determine which are innocuous and which require further investigation and response. But even if that’s the case, it shows the two groups are not in sync about what is happening in SOCs on a daily basis and the toll this nonstop work is taking on staff members.

#4: Lack of Available Analyst Talent
Having an understaffed SOC or constant turnover of security talent can cripple an organization’s security posture. Interestingly, 64% of respondents from high-performing SOCs said the lack of available analyst talent is a problem, while only 49% of respondents from low-performing SOCs saw that as an issue. Given the difficulties most organizations have experienced for the past several years in recruiting and retaining technical talent, which have been compounded by the pandemic-related Great Resignation, this skills shortage is a problem across the board.

#5: Perception of their SOCs’ Security Posture
Another area of misalignment comes from each group’s perceptions of the SOC’s security posture. The disparities seemingly point to a lack of awareness by leaders about the capabilities and skills of their teams. The greatest area of disagreement is about the effectiveness of mitigating risks after they have been identified and the SOC team’s ability to provide incident response capabilities, including attack mitigation and forensic investigation services.

For example, when asked about these areas of disagreement in security posture, 51% of SOC leaders but just 35% of staff agreed, “Our SOC effectively mitigates the risks after they are identified,” while 67% of staff and 45% of leaders said, “Our SOC provides incident response capabilities that include attack mitigation and forensic investigation capabilities.”

#6: Lack of Alignment Between SOC Objectives and Business Needs
This lack of alignment between the SOC and the overall business can be detrimental to SOC effectiveness. The allocation of resources for the SOC requires support from leadership. However, 79% of SOC leaders and 77% of staff agree that their SOC is only partially or not at all aligned with their organizations’ business needs. This lack of alignment presents a likely barrier to obtaining the budget and support required for success.

#7: Lack of Communication
The dissatisfaction of SOC workers is exacerbated by poor communication from SOC leaders. Almost 60% of staff respondents gave low grades to leaders for how well they communicate SOC strategy to those “in the trenches.” 13% of respondents rated their bosses a 2 or lower on the 10-point scale, while the majority rated this important skill for building and managing teams at no higher than 6. This is unacceptable. However, budgets, skills training, tools, etc., require investment, which many organizations may not be able to afford during challenging economic times.

Whether taken individually or collectively, these signs of misalignment in the SOC can result in significant disconnects in perception between SOC leadership and staff in terms of organizational effectiveness and capability, implications on overall SOC efficacy, and analyst retention.

Fortunately, there are fixes available to help tune up SOC performance, many of which we’ll explore in upcoming blogs. Next up: 4 Security Operations Center Best Practices for Success.

Read the 2021 Devo SOC Performance report to learn more.