SOC Leaders and Employees Aren’t on the Same Page


Lack of shared recognition of problems increases the pain, according to a new survey.

Cybersecurity center leaders and non-IT employees are often at odds as security practitioners and the people they work to protect have differing priorities and don’t always understand where the other is coming from, according to a recent survey.

Security operations centers, or SOCs, around the world have been through hard times over the past two years, as the pandemic forced their system users to work remotely, vastly expanding the endpoints that must be defended.

The challenge is compounded by “significant, and even crippling, disconnects in perception between SOC leadership and staff in terms of organizational effectiveness and capability,” according to a new global survey released by Devo, a Cambridge, Massachusetts-based, cloud-native logging and analytics firm.

Of just over 1,000 SOC professionals and leaders who participated in the survey—roughly 10% of whom work in public sector organizations—more than 60% said communication between SOC teams and the rest of the organization is “average to below-average.” More than a third ranked it below average.

More than 70% of SOC staff respondents rated their work “pain level” at 7 or higher, on a 1-to-10 scale. Over 60% said “turf and silo” issues are a primary barrier to their success, and more than 40% blamed lack of leadership or lack of executive-level support as another significant barrier.

Compounding these dismal numbers, SOC leaders and their staffs judge their effectiveness very differently, the survey found. For instance, more than 50% of the leaders highly rated the investigative capabilities of their SOC, but only a third of staff gave the same rating.

“The growing perception gap over SOC efficiency between operational leaders and practitioners should be seen as a warning sign of simmering frustrations that can have implications on SOC efficiency and analyst retention,” Gunter Ollman, Devo’s chief security officer, said in a company statement. “Whether [it’s] complacency or still navigating new modes of work and staffing in the past year, organizations can’t afford to stall in advancing their defenses against what is a growing onslaught of attacks.”

Just like the broader cybersecurity field, SOCs are having problems finding and hiring talent—half of both leaders and staffers said it was a major impediment. That may contribute to their pain factor; 63% of all respondents said that “on-the-job pain in the SOC has caused them to consider changing careers or leaving their jobs,” the survey found.

In addition, only 21% of the respondents graded their SOCs as high performing in the survey, at a 9 or 10 on a 10-point scale measuring SOC effectiveness.

Even these high performers faced the same challenges. The single biggest difference, out of many, in their success compared to low-performing SOCs involved turf or silo issues. Well under half—42%—of high-performing SOCs considered that to be a significant barrier to success, while two-thirds of low-performing SOCs cited it as a main barrier.

Staff members at both high- and low-performing SOCs agreed that a lack of visibility into the IT security infrastructure hurts their performance. Almost two-thirds of both groups listed a lack of visibility as a key factor in their performance.