As SOCs Redefine Missions, Staff Retention Is Key: Results of a SANS Survey

Bethesda, Md. – As security operations centers (SOCs) continue to mature, they are facing critical staffing and retention issues, according to a new SANS survey to be released in a two-part webcast on August 14 and August 16. In it, respondents indicate that SOCs have no choice but to evolve, as the use of cloud, mobile, personal and Industrial IoT forces their evolution.

The reality of security operations is that marginal improvements are hard to win, with the resulting pace of change impeding SOC evolution. Lack of skilled staff was listed as the top barrier to improving SOC performance and effectiveness. This performance shortfall can be directly tied to problems with metrics and automation. Slightly more than half of respondents--54%--collected SOC metrics; and most of the metrics were quantity metrics, rather than business-relevant effectiveness metrics. SOCs are also lagging in automation/orchestration, which in turn stymies limited staff from adequately identifying issues, keeping up with vulnerabilities and threats, and prioritizing action and response.

"Hiring skilled staff is challenging and expensive, while the business culture at most companies is focused on reducing labor costs and shifting to consuming services," says SANS Analyst and Instructor Christopher Crowley. "SOC managers need to focus on better recruitment and internal talent development processes to meet the challenge of securing appropriate staffing levels."

Organizations must also improve their use of metrics to better demonstrate value to the organization. Crowley sees a brighter future for SOCs that focus on "better orchestration both with the network operations center (NOC) and internal to the SOC using orchestration tools to drive consistency."

Full results will be shared during a two-part webcast. Part 1, covering SOC staffing, the value of cloud-based services to augment staff and technology, and respondents' levels of satisfaction with the architectures they've deployed, will be held on August 14, 2018 at 1 PM EDT. The Part 2 webcast, airing on August 16, 2018 at 1 PM EDT, will cover the tools and technologies SOCs are deploying to integrate and manage all their security, operational and response data for better protection, detection and response. Both webcasts are sponsored by Authentic8, Awake Security, Cyberbit, DFLabs, ExtraHop, LogRhythm and hosted by SANS.

Register to attend the August 14 webcast at and the August 16 webcast at

Those who register for the webcast will also receive access to the published results paper developed by SANS Analyst and SOC expert Christopher Crowley with advice from SANS Director of Emerging Technologies John Pescatore.


About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community.