SOC Management Gets Poor Marks, with 42% of MSSPs ‘Completely Ineffective’

A high number of organizations find their investment in security operations centers (SOCs), including those outsourced to MSSPs, to be expensive and yielding mediocre results, according to a new report from the Ponemon Institute and Respond Software.

The report is based on a new survey on the cost and effectiveness of today’s SOC. Ponemon surveyed 637 IT and IT security practitioners in organizations that have a SOC and are knowledgeable about cybersecurity practices in their organizations.

Among the report’s findings:

• Forty-two percent find their MSSP to be completely ineffective.
• Organizations spend nearly $2.9 million annually on their in-house SOC.
• That cost significantly increases to more than $4.4 million annually if they outsource to an MSSP.
• Sixty-five percent say the time spent hiring and training SOC analysts has a significant impact on the ability for those responsible to complete their other responsibilities.

Chris Triolo, Respond’s vice president of customer success, tells us a few findings “surprised our team.”

Respond Software’s Chris Triolo

“Almost half of IT security practitioners (49%) surveyed are dissatisfied with their SOC model (in-house or outsourced) and 44% report the ROI of their SOC is getting worse,” he said. “Part of this dissatisfaction stems from the high cost of MSSPs. Sixty-three percent of those who outsource to an MSSP plan to bring the SOC back in-house or move to another vendor.”

Similar to in-house SOCs, MSSPs still focus on a human-centric “brute force” approach, which is inefficient, Triolo said. There also is high attrition when it comes to SOC employees. It typically takes seven months to hire and train an analyst, but the average tenure afterward is two years, he said.

“MSSPs have limited access to internal IT environments, which prevents broad coverage, and they still deliver high false positive rates with minimal context and remediation capabilities to customers,” he said.

MSSPs can’t operate like they have been, Triolo said. Just like in-house SOCs, they have to think differently about how they provide security monitoring and incident response services, he said.

“While humans will always have an important role in cybersecurity strategy and response, security monitoring is better left to machines,” he said. “The organizations that come to this conclusion too slowly will be left behind, unable to scale their businesses or respond quickly to adversaries.”

There also is improved morale and less turnover associated with freeing up tier-1 security analysts to focus on threat hunting, incident response and other automation projects, Triolo said.

The report does include some encouraging signs, such as 73% of respondents reporting that their SOC is crucial to their security programs, and industries are starting to dedicate more budget toward their SOC.

“This study highlighted many of the challenges and perceptions regarding company SOCs, including the substantial impact and cost of personnel for in-house SOCs,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “Many organizations thus turn to outsourcing, but 58% find their MSSPs to be either ineffective or only moderately effective. This creates a conundrum that suggests a third-way solution is necessary.”