24% of Cyber Leaders Cite Lack of Enterprise-Wide Visibility as the Biggest Barrier to SOC Effectiveness, the 2026 SANS SOC Survey Finds

Bethesda, MD, June 11, 2026 — Security operations practitioners describe a visibility problem in plain terms: too many alerts that do not connect and not enough shared context to act on. Their leaders report the same issue, with 24% identifying lack of enterprise-wide visibility as their single biggest barrier to effective security operations, ranking it above staffing shortfalls and automation gaps. In most organizations, the tools are there, but the integration that makes them useful together is not. The findings draw on 444 responses from security operations professionals and a parallel survey of 69 CISOs and senior security executives.

“Visibility keeps showing up in this survey because it is genuinely hard to fix. Most organizations have the tools. Getting them to produce a coherent picture across teams that do not share priorities is where the work actually is,” said Christopher Crowley, SANS Senior Instructor and Independent Consultant at Montance, LLC, who has authored the SANS SOC Survey for a decade.

59% of cyber leaders say management pays close attention to SOC hiring and retention needs. Only 32% of practitioners agree. That 27-point gap has held every year this question has been asked. Hiring and retention decisions are made by the leaders who hold that more favorable view, which means those decisions are regularly being made on a different picture than the one practitioners are living with.

74% of cyber leaders apply threat intelligence to security operations and threat hunting. Only 26% use it to inform budget and spending decisions. The same intelligence that drives what analysts prioritize on a given day rarely makes it into planning conversations about what gets funded next quarter.

“These patterns are not new. What this survey adds is ten years of data showing they have not moved. The organizations that close them are the ones that treat them as specific operational problems rather than general management challenges,” Crowley said.

75% of cyber leaders say management understands that technology only works when skilled people run it. Yet when asked what most limits their ability to fund cybersecurity priorities, the same leaders cite human capital as the top constraint. Most security executives know people are the binding variable. Fewer are in organizations where that knowledge has changed how budgets are set.

The findings will be presented during the 2026 SANS SOC Survey Insights webcast on Tuesday, June 17, 2026, at 10:30 AM EDT. Attendees will receive access to the complete Insights report alongside live analysis from Crowley. Register and download the report at sans.org/webcasts/2026-sans-soc-survey-insights.

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cybersecurity training and certification to professionals in government and commercial institutions worldwide. Renowned SANS instructors teach more than 85 courses at in-person and virtual cybersecurity events and OnDemand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 50 hands-on technical certifications in cybersecurity. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master’s and bachelor’s degrees, graduate certificates, and an undergraduate certificate in cybersecurity. SANS also delivers a wide variety of free resources to the InfoSec community, including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners representing varied global organizations, from corporations to universities, working together to support and educate the global information security community. www.sans.org