A growing majority of companies consider their security operations center (SOC) to be essential or important to their ability to secure their business and data, but the challenges in maintaining SOCs have expanded in the past year, the Ponemon Institute states in its second annual "Economics of Security Operations Centers" report, published on Jan. 12.
Questions regarding the return on investment of security operations and the increasing cost of retaining security analysts are among the most significant challenges uncovered by the study. More than half of respondents — 51% — consider SOCs to be less valuable, despite the number of breaches increasing, according to the Ponemon Institute. Exacerbating the issues, the average cost of a managed security service provider (MSSP) has increased to $5.3 million, up from $4.4 million in 2019, according to the report.
Along with the coronavirus pandemic, security teams have had to deal with the perennial problems of high stress, information overload, and a lack of network visibility, resulting in SOCs failing to live up to their potential in the minds of security leaders, according to the report. To combat negative security trends, automation, analyst training, and the adoption of more efficient technology can help, says Chris Triolo, chief customer officer at Respond Software, which sponsored the Ponemon survey.
Companies need to "scale security operations past manual capabilities to deal with increasing threats and to reduce SOC workloads, while better enabling analysts to manage critical incidents," he says. In November, FireEye acquired Respond Software for approximately $186 million.
The last year has been challenging for security operations teams. Not only have most SOCs had to move to a remote or virtual model because of the pandemic, but the average employee is now connecting to business data and services from home. As a result, the Ponemon survey found that both endpoint security and denial-of-service attacks have become greater problems for security teams.
"[S]ecurity teams struggle to secure remote employees and their access points to the organization," the report states. "SOCs have had to focus on bad actors trying to take advantage of the situation as more respondents report they are worried about nation states and criminal organizations attacking their companies."
Little surprise, then, that more respondents — 81% — consider SOC management to have become more complex, compared with 74% of respondents a year ago.
Companies are trying to reduce that complexity and increase agility, with significant momentum for adoption of DevOps and other agile business and development models. More than 85% of survey respondents considered agile DevOps an important SOC activity, a 12-point jump from the previous year.
Making such efforts more complex, however, the high turnover of security analysts continues to be a significant problem for SOCs. The average tenure of an analyst is only two years, and while companies expect on average to hire five analysts in the coming 12 months, they also expect to lose three analysts over the same period.
More security workers — 75% — find the stress and repetitive work to lead to burnout, up from 70% a year ago. And a stunning 85% of security analysts consider their job working in a SOC as painful or very painful.
"For any profession, it's key to have a sense of accomplishment in your work — security is an especially mission-driven profession, and analysts want to know they're making an impact on protecting their organizations," Triolo says. "But it can be demoralizing to face false-positive security alerts all day or to think your skills are going to waste on less-technical tasks."
The pain and stress faced by workers have led to higher salaries, and thus greater cost for companies and a perceived lower ROI. The average salary for SOC analysts increased 9% in the past year, to $111,000, and nearly half of analysts expect their salary to increase again in 2021.
"SOC analysts are very overwhelmed with increasing workloads, the volume of alerts and false positives, which lead to burnout — but they are more often using their sought-after skills to find better paying opportunities," Triolo says. "We always recommend that organizations identify their best performing SOC analysts and find ways to keep them challenged, growing, and to provide leadership opportunities, or risk losing them."
The solutions do not appear simple nor clear. However, reducing complexity through automation and focusing on retaining workers should both be priorities, according to the report.
"The path taken by many security teams to solve these problems appears to be investments in technology that provide greater visibility, less information and alert overload, and the elimination of manual, mundane tasks," the Ponemon Institute states in the report. "It will be interesting to see if organizations can connect the dots with technology and in-house expertise to drive greater efficacy and efficiency in their SOC next year."
Story updated on Jan. 19.