A new report points to a growing perception among organizations that the return on investment for security operations centers (SOCs) is declining – due to the complexity of running them in-house as well as cost considerations.
Furthermore, the same problems exist for internally managed SOCs and those managed externally by service providers, said Dan Larson, senior vice president of marketing at Arctic Wolf, which provides a SOC-as-a-service.
“The data has been trending in this direction for a while now. Internal SOCs are suffering from alert fatigue and outright burnout," he said. "They often turn to MSSPs to solve the problem, but [some of them] end up over-charging and under-delivering in terms of security outcomes and meeting customer expectations.”
Per the Second Annual Study on the Economics of Security Operations Centers – a survey conducted by the Ponemon Institute and sponsored by Respond Software – 51% of 17,200 IT and security practitioners said that their SOC’s ROI has gotten worse. This figure represents increase from 44% of respondents in 2019.
Four out of five survey participants reported that their SOC’s operations featured a high level of complexity – a contributing factor toward overall cost. According to the report, companies that ran their SOC in-house spent an average of about $2.72 million annually on security engineering work alone. This work is designed to “integrate disparate security data, build out rules and content, and automate processes,” the report states. And yet only 23% of respondents said their efforts in this area were effective.
Ross Young, CISO of Caterpillar Financial in Nashville, Tennessee, provided an end user's point of view: "ROI of SOCs is becoming more complex. They have to manage more apps, more tools, more alerts, and it’s getting harder for folks just out of college," said Young. "The big problem is SOCs require 24x7 monitoring and most people don’t want shift work. If you are only a U.S. company it makes it harder to retain talent."
But trying to simplifying matters by outsourcing your SOC can also have its drawbacks. Based on survey responses, the average annual cost of delegating SOC operations to an MSSP was calculated at roughly $5.31 million – up from approximately $4.44 million in 2019 (a 20% year-over-year increase).
Plus, outsourcing to foreign countries can present its own issues, and CISOs may want SOC operations in "the same time zone and country to avoid data locality requirements," said Young.
Another reason SOCs could be losing their luster in the eyes of some organizations are the high burnout and turnover rates among employees, plus ever-rising salaries: “It looks like the burden that security analysts face from information overload, high stress, inability to hire top talent and lack of visibility into network and IT infrastructure are still resulting in lower results than security leaders expect,” Ponemon Institute notes in the report.
The report says the average SOC employs 12 IT security pros, and in 2020 the average salary for a tier-one analyst increased year-over-year from $102,315 to $110,610. Moreover, 46% of survey-takers said they expect salaries to increase an average of 32% in 2021. Still, employees don't last long: the average length of stay in an organization is just over two years.
"Frankly, most people come in after college and stay for a few years in the role, After, that they get offered 50k more to go to a different employer," said Young. "Hard to match pay when internal promotions are at 10 to 15 percent for most organizations. I think the cost of training only to lose folks later is discouraging."
"To improve SOC productivity and analyst retention, security leadership needs to be actively focused on managing the career progress of SOC analysts and in finding ways to boost morale," said Chris Triolo, chief customer officer of Respond Software. "One way to do this, is to identify high performers and help them rise to senior positions, while they coach and show other analysts a career path worth striving for. While security attacks are only increasing, organizations should also limit the amount of time analysts are on call to help reduce burnout."
Covid-19 certainly only added to the stress and high workloads experienced by SOC employees. "The report may not directly show that Covid-19 increased the costs of operating a SOC, but the pandemic and shift to remote operations did impact performance which correlates to ROI," added Triolo. "The report found that 34% of organizations quickly transitioned to remote SOCs, and 51% said that this change impacted their security operations significantly."
"Covid-19 has accelerated our business," acknowledged Larson. "As the workforce went home, the attack surface changed, and companies had to adapt quickly. They also needed guidance on how to enhance their security posture as new pandemic-related attacks emerged.
One way to potentially improve ROI is to invest in SOC-related technology. Indeed, the researchers extrapolated that by the end of 2020, organizations would on average spend $183,150 on Security Information and Event Management (SIEMs), $285,150 on managed detection and response (MDR), $333,150 on extended detection and response (XDR), and $354,150 on Security Orchestration, Automation, and Response (SOAR).
While investing in technology results in short-term costs, there can be long-term savings in terms of efficiencies and automation.
“The path taken by many security teams to solve these problems appears to be investments in technology that provide greater visibility, less information and alert overload, and the elimination of manual, mundane tasks,” the report states. “It will be interesting to see if organizations can connect the dots with technology and in-house expertise to drive greater efficacy and efficiency in their SOC next year.”
Whether SOCs are operated internally or externally, "incorporating AI, machine learning, and automation can help to cut costs and boost efficiencies, especially in the SOC," said Triolo. "By investing in tools like XDR, organizations can use automation to help reduce operations and security engineering costs and to lower security management complexity."
Additionally, SC Media asked a couple of SOC-as-a-service providers what they are doing to help increase the value of their offerings in the eyes of their customers.
Larson at Arctic Wolf noted that where certain service providers go wrong is only getting organizations to a “medium level of maturity,” and settling for that. "At this point, the number of hair-on-fire emergencies goes down, and once the smoke alarm stops beeping, the customer asks, 'What have you done for me lately?'"
The answer, he continued, is to establish a higher lever of maturity – "one where they are not just reacting to alerts but proactively improving their security posture and hardening their defenses against future threats." The overall risk to the customer goes down, because the provider reduces both the likelihood of an incident occurring and the impact of incidents that do occur.
"The key way that we add more value is to act in a more consultative manner," Larsons said. Such an "approach is all about doing more than just identifying attacks and responding to incidents... We continually work with our customers to do security posture reviews where we can identify not just software vulnerabilities but the presence of incorrect or risky configurations of endpoint, network, or cloud assets."
Theresa Lanowitz, director at AT&T Cybersecurity, which also offers a SOC-as-a-service product, said her company adds to perceived value by providing such benefits as "thorough communication and comprehensive reporting to clients," service-level agreements, and a platform that enables "integration, automation across network-centric managed security services and software-defined security controls."