SANS Institute Research Shows What Frameworks, Benchmarks, and Techniques Organizations Use on their Path to Security Maturity

Expel-sponsored research unveils how companies measure SOC performance and the frameworks they rely on to assess and guide their security strategies

December 19, 2023

5 Min Read


Respondents overwhelmingly prefer the NIST CSF framework

Results show that companies lag in training and cyber-readiness exercises

Herndon, Va., December 19, 2023 Expel, the security operations provider that aims to make security easy to understand, use and improve, today released a new research report, “Frameworks, Tools and Techniques: The Journey to Operational Security Effectiveness and Maturity” by the SANS Institute. Commissioned by Expel, the report shares and analyzes research on a range of security operations center (SOC) practices and outlines the current state of the SOC within many organizations, based on in-depth survey findings of IT and cybersecurity professionals from around the world. This research set out to: 

  • Determine if frameworks are used to define, measure and assess SOC functions and, if so, which framework(s) organizations prefer

  • Assess SOC metrics currently in use and the presence of any policies and training, as well as respondents’ sentiment regarding efforts to improve cybersecurity

  • Capture respondents’ self-assessment process for their organization’s security program maturity and examine the security program components that contribute to maturity

  • Learn if organizations benchmark performance and whether they use KPIs to drive improvements in security processes

“Our research sheds some light on the wide range of frameworks and metrics organizations use, but also shows that respondents have mixed feelings about the maturity of their security programs,” said Dave Shackleford, senior instructor at the SANS Institute. “Not enough respondents’ organizations have executive-level governance, and too many are missing well-defined training programs. These are important gaps that must be addressed. As security operations mature, we expect to see these areas improve over time, but it will require intentional investment to see impactful results.” 

Below are a selection of the insights from the SANS Institute’s research: 

The majority of respondents employ a cybersecurity framework, with the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) being most popular.

The survey found that 69.4% of respondents currently use a framework to help define and measure policies, processes, and controls, where only 22.1% don’t. Almost three-quarters (74%) of respondents that employ a framework use the NIST CSF—almost twice as many as the next three most popular frameworks (ISO 27001, NIST 800-37, and MITRE).

Good news: two-thirds of respondents use metrics to assess and improve security. 

Two-thirds of respondents are currently using metrics to assess operational security performance. Just under 22% are not, and another 11.8% aren’t sure. The top three metrics collected and measured by respondents include security incidents (74%), vulnerability assessments (58.5%), and intrusion attempts (43.9%). 

Organizations can improve their use of IT and security training programs and cyber-readiness exercises. 

More than 40% of respondents said they don’t have formal IT/security training programs in place. Of those that have training, more than 72% consume materials via video content, 60% use third-party certification exams, 55% get regular emails with educational content, and about 34% reported that they train through a Wiki or knowledge center. Upwards of 30% of respondents don’t perform cyber-readiness exercises on a routine basis. Those that do perform cyber-readiness exercises rely on penetration tests and tabletop exercises (tied at 73.7% each) along with incident response testing (71.7%). Disaster recovery tests (56.1%) and red/blue/purple team exercises (38.6%) round out the responses.

Read the full report to see data on other SOC trends, like hybrid SOC usage, how respondents view the usefulness of security metrics and key performance indicators (KPIs), and how organizations rate their SOC maturity.

“The research revealed a lot of encouraging information, especially around how respondents are leaning on frameworks to help assess and drive their security programs. These frameworks are some of the most useful tools for driving the effectiveness of security operations,” said Greg Notch, Chief Information Security Officer, Expel. “That said, there are certainly a lot of areas for improvement, specifically in terms of preventative measures. SOC teams seem to be making progress, but there’s more work to be done to avoid repeating mistakes that have vexed organizations for years.”

Download the “Frameworks, Tools and Techniques: The Journey to Operational Security Effectiveness and Maturity” report or watch the webcast discussion of the research results with Dave Shackleford and Greg Notch.

Visit to learn more about how Expel improves and simplifies security operations, or book a product demo. 


The SANS Institute conducted a comprehensive online survey of IT and cybersecurity professionals from private- and public-sector organizations across industries and geographies between August 2023 and September 2023.

About Expel

Expel helps companies of all shapes and sizes minimize business risk. Our technology and people work together to make sense of security signals—with your business in mind—to detect, understand, and fix issues fast. Powered by our security operations platform, Expel offers managed detection and response (MDR), remediation, phishing, vulnerability prioritization, and threat hunting. For more information, visit our website, check out our blog, or follow us on LinkedIn or Twitter.

About SANS Institute

SANS Institute is the world's largest provider of cyber security training. For over twenty-five years, SANS has provided cutting edge training to governments and organizations across the world. Technology may have changed in that time, but SANS' core mission has remained constant: to protect through sharing cyber security knowledge and skills.

SANS offers over 60 cyber security courses, operates across dozens of countries and has over 200,000 alumni. SANS training is built around a promise: students will be able to put into practice what they've learned as soon as they get back to their desk.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights