Despite the benefits of having a security operations center, the majority of IT professionals consider it a difficult, high-pressure environment.
That was the most surprising finding from a recent survey on the cost and effectiveness of modern SOCs conducted by the Ponemon Institute and sponsored by Respond Software, a vendor of automated SOC software. According to the survey, 70% said SOC analysts burn out quickly because of the high-pressure environment and workload, with information overload and chasing too many alerts as the main stressors.
"The survey suggests that it's a very negative environment for a lot of people. There is a lot of pressure to get the job done right, and a lot of them work 24/7," said Larry Ponemon, chairman of the Ponemon Institute. He said that often, dissatisfaction arises from a lack of leadership and a difference in expectations. In addition, "[SOC operators] often must deal with inconsistent technologies that have interoperability and scalability issues."
Despite the negative feelings, most respondents believe a security operations center is an important part of their organizations' cybersecurity strategies. Respondents believe the most important functions to be detecting attacks, reporting threat intelligence and minimizing false positives. The top SOC services monitor and manage firewalls, along with intrusion prevention and detection systems.
At the same time, nearly half of the respondents don't believe their SOCs are living up to expectations, especially in the area of detecting attacks.
"If your SOC doesn't detect attacks, you're probably not going to get a second shot at it," Ponemon noted. "And there is evidence to show that it happens more than companies think."
The survey also uncovered the cost of running a security operations center. The average cost of a SOC run internally is $2.8 million annually, with half of that going to labor. The average cost of an outsourced SOC is $4.45 million annually. In general, SOCs at larger companies cost more than those at smaller companies, and costs are higher when the IT infrastructure the SOC monitors is on-premises or mobile.
Ponemon says there are ways to reduce costs and improve the effectiveness of the SOC. It starts with deciding whether you have the capability and infrastructure to build and run a SOC internally, or whether you should consider outsourcing to a third party and treating it as a managed service. Sometimes, the best option is to start out by outsourcing the SOC and gradually transitioning to running it in-house or moving to a managed services model.
As far as reducing costs, "it's not like you can spend your way to better security, but if you do security really well, there's a point at which you start seeing economic savings as a result of having an effective security program," Ponemon said.
Here is one more fact that may surprise you: Your company may not need a SOC at all. While SOCs are a good way to coordinate threat intelligence and detection, they aren't the only way. As long as you have the right tools and processes in place, you can accomplish the same goal, Ponemon said. At the same time, many organizations see the SOC as a necessary evolution of their security function.