For Mismanaged SOCs, The Price Is Not Right

Published: 23/11/2024   Category: security




New research finds security operations centers suffer high turnover and yield mediocre results for the investment they require.



The security operations center (SOC), considered a core component of many organizations' cybersecurity strategies, is plagued with high costs and myriad challenges. Businesses running a SOC often struggle to achieve a high return for what proves to be an expensive investment.
These findings come from a new report entitled "The Economics of Security Operations Centers: What Is the True Cost for Effective Results?" conducted by the Ponemon Institute and commissioned by Respond Software. Researchers surveyed 637 IT and IT security practitioners who work in organizations running SOCs to learn about their economics and effectiveness.
The SOC has been a topic of conversation for much of the past five to six years, as experts seek to learn more about their cost and functionality, says Ponemon Institute chairman Larry Ponemon. Organizations spend an average of $2.86 million each year on their in-house SOC, researchers found. The annual cost jumps to $4.44 million if they outsource to a managed security service provider (MSSP), a number that researchers found surprising. Only 17% of respondents say their MSSP is highly effective.
Despite the pricey investment, only 51% of organizations surveyed are satisfied with their SOC's effectiveness in detecting cyberattacks. Forty-four percent say their SOC's ROI is worsening.
The most important SOC activities, respondents say, are the minimization of false positives (84%), threat intelligence reporting (83%), monitoring and analyzing alerts (77%), intrusion detection (77%), use of technologies such as automation and machine learning (74%), agile DevOps (73%), threat hunting (71%), and cyber forensics (69%).
More than two-thirds (67%) of respondents say training SOC analysts is one of the most critical SOC activities. SOCs heavily rely on human expertise to prevent, detect, analyze, and respond to security incidents. Complexity and hiring challenges interfere with the ability to detect attacks.
"We found that, on average, when individuals were recruited to the SOC, it took a better part of a year to become an active member of the team," Ponemon says. "You can't just walk in and be an expert. It takes effort; it takes time." Further, researchers discovered, 74% of respondents say their SOCs are highly complex environments, which makes management more difficult.
Staffing the SOC is expensive – about $1.46 million of average SOC spend goes toward direct labor costs – because low-level analysts make high salaries and usually don't stay in their positions very long. The average salary for a tier-one analyst is $102,315, and 45% earn between $75,001 and $100,000. Thirty percent make $100,001 to $150,000, and 9% earn $150,000 or more. Only 16% of tier-one analysts make less than $75,000 per year.
The average SOC analyst leaves the organization after a little more than two years, and employers can't keep up with the turnover. An average of four analysts is expected to be hired in 2020; however, three analysts will be fired or resign in one year. "It happens in security across the board," says Ponemon of the turnover. "But in a SOC environment it's pretty tough."
Why the short stay? Seventy percent of respondents agree that SOC analysts burn out quickly because of the high-pressure environment and workload. "You're constantly waiting for the next shoe to drop," he adds. When asked about what makes SOC work painful, respondents pointed to an increasing workload (75%), being on call 24/7/365 (69%), lack of visibility into IT and network infrastructure (68%), too many alerts to chase (65%), and information overload (65%).
"The tier-one analyst role traditionally has always been an entry-level job," says Dan Lamorena, security executive with Respond Software. "It's the building blocks of a security career for a lot of people." Still, these employees are often hard to find. SOCs demand critical thinkers who are comfortable with technology and willing to take on tasks that tier-two and tier-three analysts don't want to do, like sit through the night shift.
Ultimately, he continues, the time that tier-one analysts spend in an entry-level role prepares them to take on higher positions at other companies, where they can demand higher salaries.
"You're constantly learning how the adversary is acting," Lamorena says. "You're learning a lot of threat intelligence, the types of people attacking you. What are the tactics they're using?"
The IT infrastructure monitored by the SOC also influences cost, researchers report. On-prem environments cost the most ($3.19 million), followed by mobile ($3.06 million) and cloud ($2.75 million). Hybrid environments combining on-prem and cloud cost the least, with $2.5 million in annual costs.
Researchers also found that respondents who ranked their effectiveness as higher generally spent more to improve their SOC's ability to detect cyberattacks.
Spending also varies by industry. Financial services firms spend the most ($4.6 million) on their SOC each year, followed by industrial and manufacturing companies ($3.16 million), technology and software ($3.02 million), services ($2.56 million), and the public sector ($2.25 million).
