Security operations centers are feeling the skills shortage.
More than 4 in 5 companies admit they either have fewer than five security analysts or don’t have enough analysts to run the SOC, according to research conducted by ManageEngine.
For some, outsourcing is the answer.
The SOC's function is to provide 24/7/365 security coverage for an organization through monitoring, detection, prevention and response services. But a SOC needs skilled analysts to triage alerts, separating true positives from false alarms, and to decide on the appropriate response.
Without skilled analysts staffing the SOC, the risk of a cyberattack breaking through a company's defenses undetected grows.
“Modern day security operations require a multilevel approach,” said Manikandan Thangaraj, vice president of ManageEngine. “A shortage in SOC staff increases gaps and impacts the organization's overall security posture.”
How the staff shortage impacts the SOC
Cybersecurity professionals are needed not only to proactively hunt for and address threats lurking in the network, but also to satisfy regulatory mandates across regions and industries. Each function within the SOC is demanding and requires different expertise.
For example, an enterprise that lacks SOC staff might struggle to implement proactive security strategies. This increases the mean time to detect an attack, which in turn drives up the cost of a data breach.
On top of that, when there are too few professionals to spot and remediate a security incident, the mean time to resolve incidents also increases. This allows attackers to dwell inside the network for longer, giving them time to move laterally and expand their foothold before they are contained.
“If the compliance functionality is short-staffed, the enterprise might fail to ensure compliance across its network infrastructure, which leads to non-compliance violations,” said Thangaraj.
The role of the managed security service provider
Too many organizations do not have teams mature enough to distinguish real threats from noise, which bodes poorly for detection going forward.
“There is already an exorbitant amount of signal to noise that transpires and creates a ‘can't keep up’ pace,” said Matt Mullins, senior security researcher with Cybrary.
Without an in-house SOC workforce, organizations are turning to managed security service providers (MSSPs) to fill the gaps. Thangaraj sees this as a win-win situation for enterprises and MSSPs alike.
In the past, organizations may not have wanted to hand this much control over their network to an outside vendor. But today's complicated cybersecurity landscape requires clearly defined responsibilities for each function, including network security, threat hunting, threat response, attack neutralization, and data security.
MSSPs can provide the support needed to navigate the threat landscape while working closely with their enterprise partners, who retain greater control of, and visibility into, their own corporate network.
“Choosing between an MSSP or rapid incident or threat response services depends on various factors including the size of the organization and its SOC, as well as its budget, industry, and security maturity level,” said Thangaraj.
The rate at which companies adopt MSSPs will rise because of the skills shortage, but Mullins believes there is another issue lurking that must be addressed: is the skills shortage in the SOC only a talent gap, or is it a budget problem?
“If there isn't enough funding to have appropriate staffing then certainly having managed services will be a budget issue as well,” said Mullins.
Do you even need a SOC?
With MSSPs available to fill the gaps left by the analyst shortage, this raises the question of whether organizations even need to have a SOC.
The answer is yes — it plays a vital role in overall security coverage, even if you have to add outside help.
SOCs also offer visibility into vulnerabilities throughout the network, according to Mullins. With the SOC, you can see what endpoints are being hit with the most traffic, what items are out of patch cycle, and where phishing attacks are getting through network filters.
Too often, these are areas that MSSP contracts do not cover by default, or cover only at additional cost.
Given the complexity and variety of techniques used to launch an attack, it becomes essential for enterprises to invest in a dedicated SOC focused solely on preempting, detecting, containing, and remediating attacks. Threat actors care most about the value of the data, and they will find a way to get it if organizations aren't prepared.
“It's mandatory for every organization, irrespective of its size, to invest in building a strong SOC and imbibe security as a part of its culture,” said Thangaraj.