Inadequate budgets, a lack of visibility into network activity, and the pressures of managing a never-ending stream of operational data have turned security operations centres (SOCs) into highly stressful workplaces where 65 percent of workers are considering changing careers, according to new research that paints a damning portrait of current SOC practices.
Fully 73 percent of 554 IT and IT security practitioners, surveyed in the Ponemon Institute’s Devo-commissioned Improving the Effectiveness of the Security Operations Centre study, said the increasing workload that SOC staff face was causing burnout, while 71 percent blamed the 24/7/365 on-call culture and 69 percent said there were just too many alerts to chase.
Respondents also named a range of other problems that made 70 percent agree that working in a SOC is “very painful” – including the inability to recruit and retain expert personnel (68 percent), inability to capture actionable intelligence (55 percent), lack of resources (53 percent), and “complexity and chaos” within the SOC (49 percent).
“IT security personnel are approaching burnout as they spend increasingly more time on threat investigation while complexity and chaos, alert fatigue and workload grow, and the talent pipeline thins out,” the report’s authors concluded.
Fully 48 percent of respondents said their SOC team would benefit from stress management programs and psychological counselling, while 39 percent wanted better support and recognition from senior leadership.
In the absence of these and other factors, two-thirds of respondents agreed that it was likely or very likely that these issues would cause experienced security analysts to stop working in their SOC.
“I was surprised at the enormity of the issue,” Devo CEO Julian Waits, who told CSO Australia that “the root of all this is the dearth of people we have doing this job.”
“The SOC has always been this nebulous thing, with processes that happen inside of them that are behind the cloak of silence,” he added. “We forget that there are humans running this – and they just don’t have enough tools and automation to help them do the job effectively.”
An inability to prioritise threats (60 percent) reflected broader sentiment that the SOC was poorly aligned with broader business requirements, with 49 percent of respondents saying the SOC was not aligned with business needs.
Two-thirds of respondents nominated automation of the SOC workflow as the thing that would most ease the pain of working in the environment – echoing a recent Hays IT market analysis that noted many companies were embracing automation because it has become “incredibly hard to staff roles in the cyber function”.
Threat hunting was proving frustrating within the SOC because teams were being asked to track too many indicators of compromise (IOCs), buried in too much internal traffic, using systems that lacked adequate visibility and generated too many false positives.
Indeed, lack of visibility was named as the biggest barrier to successfully operating the SOC – named by 65 percent of respondents – while “turf or silo issues” between IT-security operations and the SOC were a problem for 57 percent of respondents.
“Visibility is so limited that it constantly puts them in the situation where they are chasing their tails,” Waits said, noting that SOC strategies were “generally so focused on technology, and on chasing events, that the organisation forgets about the people.”
“We overwhelm ourselves when the SOC really isn’t aligned with the business objectives.”
Fully 62 percent of respondents noted that outsourcing – an option commonly embraced within resource-constrained small businesses, and bigger companies seeking to proceduralise their SOC capabilities – was “inconsistent” with the organisation’s overall culture.
“Even though we have people working within the SOC environment, there are very few people dedicated to it,” report author Larry Ponemon told CSO Australia. “That’s true even in large organisations. Even though we are making great strides from our investments in cybersecurity, the pain factors around operating a SOC seem to persist.”