SANS Survey Explores Path to Closing the Critical Skills Gap for a Modern and Effective Security Operations Center (SOC)

While security staff attrition rates are low, the new survey finds a lack of meaningful cybersecurity metrics being employed at many organizations.

Bethesda, Md. – CISOs who can reduce or close their critical skills gaps have the highest probability of minimizing the business impact of cyberattacks – even when budgets and staffing are constrained. This is according to the results of a new SANS Institute survey, “Closing the Critical Skills Gap for Modern and Effective Security Operations Centers (SOCs),” to be released in a two-part webcast on July 29 and July 30.

The survey happened to kick off within days of the World Health Organization (WHO) declaring COVID-19 a pandemic. As such, the results reflect a high degree of uncertainty around future hiring plans as well as an increase in plans to use outsourced services until staffing plans stabilize.

Even with the future uncertainty brought on by the pandemic, the survey covered staff changes in 2019, qualitative responses on what skills security managers see a need for, which needs they plan on staffing internally, and where they plan on using external service providers.

Other than at very small businesses and in the government vertical, the survey found that turnover and attrition rates for cybersecurity staff are at or below industry averages. Even so, security managers indicated they tend to fall back on attrition as the reason for requesting staff increases, which reflects a lack of meaningful cybersecurity metrics being employed at many organizations.

Security operational skills were cited as most needed by survey respondents, and cloud security skills were more sought after than network or endpoint security skills. While the most successful source for new cybersecurity employees was the company’s existing internal IT staff, hiring managers indicated they would most like to see new hires with hands-on experience using common cybersecurity products – open-source tools, in particular.

“This skills gap survey once again pointed out that despite all the headlines about a cybersecurity headcount shortage, it is really a skills gap – security people with hands-on experience with the top security tools and how to use them across hybrid cloud/on-premises systems are being hired for the skills, not just to add bodies,” says John Pescatore, survey author and SANS Director of Emerging Security Trends. “By investing in training and tools skills as well as the maintenance of those skills, the increased productivity and reduced security staff attrition provides a huge return on investment.”

Webcast Details

Full results of the survey will be shared during a webcast on Wednesday, July 29, 2020 at 1:00 p.m. EDT (17:00 UTC), sponsored by Awake Security, Anomali, Cisco, ExtraHop, LogRhythm, ReversingLabs, Swimlane, and ThreatConnect, and hosted by SANS Institute. Register to attend this webcast at

Get additional perspective on the survey results in a second webcast on Thursday, July 30, 2020 at 1:00 p.m. EDT (17:00 UTC), in which representatives from ExtraHop, ReversingLabs, and ThreatConnect will join a panel discussion to dive deeper into the results with survey author John Pescatore. Register to attend this webcast at

Those who register for either webcast will be among the first to receive the associated whitepaper written by John Pescatore, SANS Director of Emerging Security Trends.

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community.