Despite gains in budget and strategic priority for SOCs, survey says burnout, overload, and chaos persist in many organizations; Major reforms in security operations required
CAMBRIDGE, Mass.—June 23, 2020—Devo Technology, the data analytics and security company, today announced the results of a survey on the current state of security operations center (SOC) performance, finding that while some organizations have increased funding, the overall gains have been meager, and the most significant issues have not only persisted, but worsened. This second annual Devo SOC Performance Report™, based on a survey conducted by Ponemon Institute, examines many of the same issues as last year, and finds that 60% of SOC team members are still considering changing careers or leaving their jobs due to stress. The survey, conducted in March and April 2020, queried IT and IT security practitioners in organizations that have a SOC.
On the positive side, the importance of investing in a SOC remains high, with 72% of respondents categorizing the SOC as “essential” or “very important” to their organization’s overall cybersecurity strategy, up 5% year over year. Additionally, the average annual cybersecurity budget for organizations rose $6 million to $31 million, with the SOC representing more than one-third of that total. For respondents whose organizations have invested in people, process, and technology, the performance differences are stark. Strong business alignment (73%) and extensive training (67%) help high-performing SOCs more than double the effectiveness of their lower-performing brethren. However, the pain and barriers facing SOC teams are universal and worsening, with higher performers citing 10% more pain at an extreme level (9-10 on a 10-point scale), and virtually no difference in the level below that (7-8).
The major areas of pain and resistance include:
- 70% suffer a lack of visibility into the IT infrastructure (up from 65%)
- 64% combat turf or silo issues between IT and the SOC (up from 57%)
- 71% need greater automation (up from 67%), especially as they continue to spend substantial manual cycles on tasks such as alert management (47%), evidence gathering (50%), and malware protection and defense (50%)
- Environmental factors are driving substantially higher pain, including information overload (67%, up from 62%), burnout from increased workloads (75%, up from 73%) and “complexity and chaos” in the SOC (53%, up from 49%)
Not surprisingly, the perennial issue of a skills shortage (seen by more than 50% of respondents) is close to the heart of the issue. But digging deeper, it’s quickly apparent that across the board people, process, and technology are misaligned and inefficient:
- Organizations have too many tools (nearly 40%), and more than half don’t have all the data necessary, nor the ability to capture actionable intelligence
- While 76% say training/retention is highly important, more than 50% have no formal programs in place, and more than 50% cite the lack of skilled personnel as a major factor in SOC inefficiency
- Mean time to response (MTTR) remains unacceptably high, with 39% saying their average time to resolve an incident is “months or even years”
“At first blush, the data from the survey made it appear that SOCs are advancing, but it turns out the budget growth and successes hide substantial pain—and to achieve even these modest successes consumes considerable resources,” said Julian Waits, general manager, cybersecurity, for Devo. “While the focus and efforts of high-performing SOCs are driving them to be successful in spite of increasing barriers, that success comes at an unacceptable human cost. Seventy-eight percent of respondents say working in the SOC is very painful. Even more troubling, 69% say that experienced analysts would quit the SOC because of stress. It’s clear that significant reforms must be made to achieve greater SOC efficiency and engagement—with less analyst stress—especially in the face of a new economic normal that will likely constrain investments for some time to come.”
For all the friction and pain, high-performing teams are continuing to advance the benefits SOCs provide organizations and should be commended for their efforts. Most importantly, high-performing teams have driven strong business consensus, with 73% of SOC objectives aligned with business objectives, versus low performers for whom 63% have no alignment at all. Among the lessons that can be learned from the findings, the top three actions cited to demonstrably alleviate SOC analyst pain are greater workflow automation (71%), implementing advanced analytics/machine learning (63%), and access to more out-of-the-box content (55%).
Commissioned by Devo, Ponemon Institute surveyed 585 IT and IT security practitioners in organizations that have a SOC and are knowledgeable about their organizations’ cybersecurity practices. Respondents’ primary tasks are implementing technologies, patching vulnerabilities, investigating threats, and assessing risks. The survey was conducted between March 11 and April 5, 2020.
Devo will host a virtual panel discussion, A Tale of Two SOCs: Striving for SOC Effectiveness, on Thursday, July 23, 2020. Moderated by Sean Martin of ITSPmagazine, industry cybersecurity leaders will share their experiences establishing highly productive security teams and key lessons that can be applied for improving the effectiveness of security operations.
Devo unlocks the full value of machine data for the world’s most instrumented enterprises, putting more data to work—now. Only the Devo Data Analytics Platform addresses both the explosion in volume of machine data and the new, crushing demands of algorithms and automation. This enables IT operations and security teams to realize the full transformational promise of machine data to move businesses forward. Headquartered in Cambridge, Mass., Devo is privately held and backed by Insight Partners. Learn more at www.devo.com.