By Julian Waits

Today we published the 2020 Devo SOC Performance Report™. The subtitle, A Tale of Two SOCs, underscores that there are two types of security operations centers (SOCs): those that are performing reasonably well and those that are struggling. As someone who has worked in cybersecurity for more than 20 years, I find the results of our second annual SOC report informative, instructive, and also extremely irritating.

For the second year, Devo commissioned Ponemon Institute to conduct a comprehensive, independent survey of nearly 600 IT and security practitioners who work in organizations that currently have a SOC. The survey took place in March and April of this year, right as most organizations began to face the upheaval caused by the COVID-19 pandemic. However, the results reflect respondents’ overall perspectives on conditions facing SOCs for the past year (or longer), not just what was happening in the early days of the crisis.

When I first saw the survey results, I thought they showed that SOCs are making some nice progress. However, as I continued to wade through the data, it became obvious that budget growth and successes in a few areas do not camouflage the substantial pain too many SOC analysts continue to experience. It was unsettling to read that 78% of respondents say working in the SOC is “very painful.” Even worse, 69% say experienced analysts would quit the SOC because of stress.

I don’t think I’m going out on much of a limb to say that SOCs have a lot of problems. Big problems. These statistics show just how urgently organizations must reform the way they run and equip their SOCs, as well as how they train and nurture their analysts. These improvements are critical if SOCs are to achieve greater efficiency and engagement—and reduce analyst stress—especially in the face of a new economic normal that seems likely to restrict investments for the foreseeable future.

SOC Value is Recognized

Let’s start by looking at one of the biggest positives in the report: The vast majority of respondents say their organization’s SOC delivers real value. Seventy-two percent of respondents say the SOC is a key component of their cybersecurity strategy. That’s up five percentage points from 2019. If only the overall results were that good. Now let’s dig a bit deeper.

The Highs and the Lows

High-performing SOCs are those with an effectiveness rated as a 7 or above on a 10-point scale. High performers are, for the most part, doing reasonably well in delivering business value. This group generally enjoys sufficient talent, tools, and technologies as they battle relentless threats. But even analysts who work in highly effective SOCs suffer from pain and burnout.

Low-performing SOCs, on the other hand, lack the resources of their higher-performing brethren. They have trouble hiring and retaining talent, need better technologies, and have a much wider gap when it comes to aligning with the needs of their businesses. This chart makes the gaps between the two categories painfully clear.

The gap between high- and low-performing SOCs is disturbing. And when you look at the shared pain experienced by the majority of SOC analysts—at both high and low performers—it’s obvious something needs to be done, and quickly. Take a look at what respondents had to say about the causes of analyst burnout:

- An increased workload is the top reason for burnout according to 75% of respondents, up from 73% last year
- Information overload is an even bigger problem this year (67%) than in 2019 (62%)
- 53% say “complexity and chaos” in the SOC is a major pain point, up from 49%

64% of respondents say these internal battles over who is in charge of what are a huge obstacle to their SOC’s success, a disheartening increase from 57% in 2019.

I encourage you to read the entire report to see for yourself the full extent of the issues challenging security operations centers and the dedicated professionals who work in them.

I’ll leave you with this thought: A strong cybersecurity program is critical for all organizations. But due to the nature of their business, many organizations need a more extensive security operation because they are highly desirable targets for cybercriminals, hackers, and even internal threat actors. A well-equipped SOC, with a team of well-trained analysts who are not overworked, is a fundamental component of an effective cybersecurity program.

Here’s hoping that the 2021 Devo SOC Performance Report reflects significant progress across industries. If that happens, we’ll all sleep better.