While the whole concept of cyber security is pretty broad, at its core is the ability to have control over information. To do this well, organizations need to have a combination of the right tools and competent personnel. However, in the Security Operations Center (SOC) environment, the personnel may have security skills, but they aren’t the level needed for a SOC Tier 1 or Tier 2.
SOCs are vital to an organization’s security posture, with eight in 10 companies saying they are essential, according to the Ponemon Institute and FireEye survey, Second Annual Study on the Economics of Security Operations Centers: What is the True Cost for Effective Results? However, having the wrong personnel in charge—even with the right technological solutions—won’t allow SOCs to operate at maximum levels and can impact the organization’s ROI.
SOCs aren’t a one-size-fits all approach, but they all have a common characteristic: It is the central arena designed to monitor for potential threats and respond to incidents. It is ground zero for an organization’s cyber security posture. Minimizing false positives, having a more agile DevOps program, and threat intelligence reporting are the three most important activities for the SOC, according to the Ponemon study.
However, complexity in managing the SOC increased from 2019 to 2020, making personnel hires even more crucial. “Opportunities for SOC analysts are improving although the ‘pain’ of working in this environment continues to increase,” the report states. Turnover is high because workloads are increasing, and burnout is a real problem. Experienced analysts are leaving, and in order to fill the positions, organizations are hiring people with the cybersecurity skills, but not those with the skills necessary to keep the SOC running at peak efficiency.
The skillset most often missing is the ability to communicate an idea or a problem to non-IT management so they can understand this. It is a problem seen over and over—CISOs and other security analysts are very technical people first, but if they can’t explain cyber security in a meaningful way, they lose the support of boards of directors or C-level executives. Further, leadership doesn’t understand the value proposition of the SOC and that factors into how they look at the ROI of technology systems and personnel brought on board.
Organizations also share threat data across companies, but the data needs to be accurate. A single mistake can change the data points of everything being measured, opening businesses up to risk. Corrupt threat data can ruin the reputation of the organization sharing it. Having someone in the SOC with leadership skills to oversee the validity of the shared threat data and to handle any mistakes is another key job skill that is often overlooked and can impact ROI.
While having SOC analysts with both technical and leadership skills is important to the success of the cyber security system and, in turn, to the company’s overall business operations, it must be noted that ROI isn’t the best measure of the SOC’s success. Cyber threats are constantly changing so the net benefit of cyber security technology is always shifting, so it is hard to come up with a calculation that is meaningful. But since ROI is used across other areas of the business, it is naturally used to measure the value of the SOC. Because of this, 51 percent of the Ponemon study’s respondents said the ROI value of their SOC is getting worse, not better.
Good leadership—who not only possesses those aforementioned soft skills, but can also manage SOC staff to help prevent issues such as burnout and high turnover—will benefit the SOC ROI. But so will the tools that are used in the SOC.
“Extended Detection and Response (XDR) is an emerging technology category that organizations are spending on to improve the performance of their SOC,” the study reported. “In 2020, organizations represented in this research intend on spending an average of $183,150 for SIEMs, $345,150 for SOAR, $285,150 for MDR, and $333,150 for XDR.”
Having a combination of good leadership and the right tools, as well as good governance, is the approach to meeting the skills gap and ROI expectations. But the time has come to rethink the metrics of success of the SOC. Time metrics are easier to identify and measure, for example, so it may be better to consider the time it takes to discover a threat and mediate it, and if you can improve those variables, it is a better measure than ROI. However, as long as there are boards of directors and non-technical C-suite executives, ROI will be the benchmark, which is why it is important to build a SOC based on strong personnel and the best tools.
For the full results, download the survey, Economics of Security Operations Centers: What is the True Cost for Effective Results?