Coordinate Efforts for SOC Improvement: Results of the 2019 SANS Security Operations Center Survey

Bethesda, Md. – Integrating efforts of network operations centers (NOCs) and outsourcing security operations tasks offer major avenues toward improving SOC effectiveness and efficiency, according to results of a survey to be released by SANS Institute on July 10 and discussed on July 11.

Organizations often realize improved efficiency through integration with internal resources, such as NOCs. We did see an uptick in organizations integrating NOC and SOC operations, an important way to increase both effectiveness and efficiency, especially when outsourcing is not feasible. Thirty-four percent of respondents reported either fully integrating or effectively working with their NOC.

“Though we saw some improvement this year, most SOCs still aren’t fully leveraging the potential of interaction with their NOCs,” says Christopher Crowley, SANS security operations and incident response team management instructor, and author of the survey. “If you aren’t consistently leveraging this ‘sibling’ in your organization, you’re missing efficiency and knowledge-sharing opportunities.”

Survey results indicate that staffing continues to be a problem for security-minded organizations, with 58% of respondents citing lack of skilled staff as a barrier to excellence. Outsourcing such tasks as pen-testing, digital forensics and threat intelligence—at least until organizations have developed standard use cases appropriate for their business operations—is one way to reduce the burden on in-house staff.

“A SOC is an expensive proposition with substantial operational costs and staffing needs,” continues Crowley. “To minimize these costs, or to deal with staffing restrictions, organizations need to consider their options. And, outsourcing some functions offers opportunities to reduce in-house responsibilities and improve SOC functionality.”

These and other suggestions for improving the efficiency and effectiveness of SOCs are discussed in the SANS 2019 Security Operations Center Survey, along with context provided by SOC managers from small-to-medium size organizations.

Full results will be shared during a July 10 webcast at 1 PM EDT, sponsored by Anomali, BTB Security, Cyberbit, DFLabs, ExtraHop, Siemplify, and ThreatConnect, and hosted by SANS. Register to attend the webcast at

Representatives of ExtraHop, Siemplify, and ThreatConnect join Chris Crowley and SANS director of emerging technologies John Pescatore for a panel discussion on the results on July 11 at 1 PM EDT. Register to attend that webcast at

Those who register for the webcast will also receive access to the published results paper developed by SANS analyst and security operations expert, Chris Crowley, with advice from John Pescatore.

Tweet This:

What challenges inhibit integration and utilization of a centralized #SOC model? Find out in our upcoming 2019 SANS #SOC Survey results with SANS @CCrowMontance & @john_pescatore |

See what #security practitioners have to say about their SOC experiences in our upcoming 2019 SANS #SOC Survey webcast with @CCrowMontance & @john_pescatore on 7/10 @ 1PM ET |

Gain greater insight into capabilities and implementations | @CCrowMontance & @john_pescatore discuss selected results with sponsors on 7/11 @ 1PM ET |

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community. (