Dark Reading is part of the Informa Tech Division of Informa PLC

Security Operations Struggle to Defend Value, Keep Workers

Companies continue to value security operations centers but the economics are increasingly challenging, with high analyst turnover and questions raised over return on investment.

A growing majority of companies consider their security operations center (SOC) to be essential or important to their ability to secure their business and data, but the challenges in maintaining SOCs have expanded in the past year, the Ponemon Institute states in its second annual "Economics of Security Operations Centers" report, published on Jan. 12.

Questions regarding the return on investment of security operations and the increasing cost of retaining security analysts are among the most significant challenges uncovered by the study. More than half of respondents — 51% — consider SOCs to be less valuable, despite the number of breaches increasing, according to the Ponemon Institute. Exacerbating the issues, the average cost of a managed security service provider (MSSP) has increased to $5.3 million, up from $4.4 million in 2019, according to the report.

Along with the coronavirus pandemic, security teams have had to deal with the perennial problems of high stress, information overload, and a lack of network visibility, resulting in SOCs failing to live up to their potential in the minds of security leaders, according to the report. To combat negative security trends, automation, analyst training, and the adoption of more efficient technology can help, says Chris Triolo, chief customer officer at Respond Software, which sponsored the Ponemon survey. 

Companies need to "scale security operations past manual capabilities to deal with increasing threats and to reduce SOC workloads, while better enabling analysts to manage critical incidents," he says. In November, FireEye acquired Respond Software for approximately $186 million.

The last year has been challenging for security operations teams. Not only have most SOCs had to move to a remote or virtual model because of the pandemic, but the average employee is now connecting to business data and services from home. As a result, the Ponemon survey found that both endpoint security and denial-of-service attacks have become greater problems for security teams. 

"[S]ecurity teams struggle to secure remote employees and their access points to the organization," the report states. "SOCs have had to focus on bad actors trying to take advantage of the situation as more respondents report they are worried about nation states and criminal organizations attacking their companies."

Little surprise, then, that more respondents — 81% — consider SOC management to have become more complex, compared with 74% of respondents a year ago. 

Companies are trying to reduce that complexity and increase agility, with significant momentum for adoption of DevOps and other agile business and development models. More than 85% of survey respondents considered agile DevOps an important SOC activity, a 12-point jump from the previous year.

Making such efforts more complex, however, the high turnover of security analysts continues to be a significant problem for SOCs. The average tenure of an analyst is only two years, and while companies expect on average to hire five analysts in the coming 12 months, they also expect to lose three analysts over the same period.

More security workers — 75% — say that stress and repetitive work lead to burnout, up from 70% a year ago. And a stunning 85% of security analysts describe working in a SOC as painful or very painful.

"For any profession, it's key to have a sense of accomplishment in your work — security is an especially mission-driven profession, and analysts want to know they're making an impact on protecting their organizations," Triolo says. "But it can be demoralizing to face false-positive security alerts all day or to think your skills are going to waste on less-technical tasks."

The pain and stress faced by workers have led to higher salaries, and thus greater cost for companies and a perceived lower ROI. The average salary for SOC analysts increased 9% in the past year, to $111,000, and nearly half of analysts expect their salary to increase again in 2021.

"SOC analysts are very overwhelmed with increasing workloads, the volume of alerts and false positives, which lead to burnout — but they are more often using their sought-after skills to find better paying opportunities," Triolo says. "We always recommend that organizations identify their best performing SOC analysts and find ways to keep them challenged, growing, and to provide leadership opportunities, or risk losing them."

The solutions appear to be neither simple nor clear. However, reducing complexity through automation and focusing on retaining workers should both be priorities, according to the report.

"The path taken by many security teams to solve these problems appears to be investments in technology that provide greater visibility, less information and alert overload, and the elimination of manual, mundane tasks," the Ponemon Institute states in the report. "It will be interesting to see if organizations can connect the dots with technology and in-house expertise to drive greater efficacy and efficiency in their SOC next year."

Story updated on Jan. 19.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
