2023

Voice of the SOC

Discover insights and recommendations from our survey of 900 security professionals – and the takeaways for leadership.


A word from Eoin Hinchy

CEO and Co-Founder, Tines

Security teams are getting restless.

Before founding Tines, I spent 15 years in the SOC leading teams charged with protecting organizations from ever-evolving threats. Over that time, the challenge facing SOC analysts became harder, not easier: workloads are increasing, but teams aren’t growing alongside them. SOC analysts are burning out as a result of tedious and repetitive tasks. In the best-case scenario, staff will leave in search of new opportunities and leave their previous organizations scrambling to replace them. In the worst case, their burnout will lead to human error that could cost a company millions.

Last year, we examined these issues in detail in our first “Voice of the SOC Analyst” report. Our survey found that while SOC teams were passionate and engaged in what they do, they were plagued by endless manual tasks, inefficient processes, and overwhelming alert fatigue — all preventing them from focusing on high-impact work. The same holds true in 2023.

For the second edition of the “Voice of the SOC,” Tines surveyed 900 security professionals. We expanded the scope beyond the United States to include Europe and sought perspectives from security leaders up to and including the C-suite, rather than just analysts.

Like many, security teams have felt the added pressure of economic instability over the past 12 months. They were asked to do more with less, as business leaders scrutinized every line on the balance sheet.

This year’s data reveals that overall job satisfaction in the SOC remains high — security practitioners love the work they do. However, burnout is taking its toll. Leaders continue to feel their teams are understaffed and don’t have access to the tools that could automate the most mundane aspects of their work. The bottom line: more than half of respondents, across job levels, say they’re likely to switch jobs in the coming year.

This should be an alarm bell to business leaders. With both cyberattacks and skill shortages increasing, staff retention in the SOC is mission critical. The following report digs into the factors that undermine morale and offers practical solutions to help alleviate burnout and empower staff to do their best work.

We hope you find it useful in your SOC in 2023 and as you plan for 2024.

Key findings

Here are a few of the insights we learned from the security professionals we surveyed:


#1

63% of practitioners experience some level of burnout.

With more than 80% saying their workloads have increased in the past year, the problem is only getting worse.

#2

55% say they’re likely to switch jobs in the next year.

Organizations could increase retention by increasing salaries, supplying modern tools with advanced capabilities, hiring more staff, and investing in solutions that automate tedious, manual tasks.

#3

Spending time on manual work is the most frustrating aspect of the job.

If respondents had to spend less time on manual tasks, they would most likely use that time to research and evaluate new tools, develop more advanced detection rules, and integrate more systems and logs.

#4

There’s hope in automation.

Nine out of ten security teams are automating at least some of their work, and 93% of respondents believe that more automation would improve their work-life balance. Respondents expect automation to help their teams increase productivity, save time, and optimize performance and reliability.

#5

Security practitioners are learning to code.

Security teams now consider learning to code — along with computer forensics and malware analysis techniques — most important to succeed, likely because of coding’s key role in automation. No-code security solutions could provide similar benefits as organizations automate repetitive tasks.

Methodology and participant demographics

Tines surveyed 900 full-time security professionals from companies with 200 or more employees. Nearly half (46%) work at companies with more than 1,000 employees. There were 500 U.S. respondents, along with 100 each from the United Kingdom, Ireland, Benelux, and the Nordic region. The survey was conducted online by Sago, a research panel company, in May and June 2023.

Demographic breakdown

Gender

Male 78.4%
Non-binary 0.4%
Agender 0.1%
Female 21%

Age

25–34 33%
35–44 45%
45–54 15%
55+ 7%

Country

United States 500
UK 100
Ireland 100
Benelux 100
Nordics 100

Employment status

Full-time employee 100%

Company size

200–499 20%
500–999 34%
1,000–4,999 31%
5000+ 15%

The report also presents the following breakdowns as charts (the underlying figures are not reproduced here): industry; total size of the security team; the team's work location; number of different tools used for security-related work; and job title.

To summarize, our respondents are typically security professionals, the majority of whom work for companies in the technology industry with more than 500 employees. Let’s explore their day-to-day experiences in the SOC.

Chapter 1

Job satisfaction and workloads

Security teams enjoy the work they do and feel appreciated by the organization. But all is not well in the SOC — burnout and understaffing threaten stability and security. To better understand how leaders can fix the challenges at play, we first must take stock of how security teams are feeling today.

99% are satisfied with their job

Overall job satisfaction is up among security teams this year. The number of respondents satisfied with their current job rose from 88% last year to 99% in 2023. 54% are very satisfied this year.

98% are engaged with their work

Analysts aren’t just satisfied — they’re locked in. 50% of respondents are very engaged with their work, and 98% are at least somewhat engaged.

99% feel respected by their peers outside the SOC

Security teams may sometimes feel like they are working in the shadows as they defend their organizations against threats, but their hard work does not go unnoticed. Almost all (99%) of respondents said they feel respected by their peers outside of the SOC team, and 52% feel very respected.

63% are experiencing some level of burnout at work

Despite 99% saying they’re satisfied with their job, nearly two thirds (63%) of respondents said they feel burned out at work. One in five feel very burned out. We’ll uncover some of the reasons for this shortly, along with ways to help SOC teams join the 37% who say they do not feel burned out at work.

50% say their SOC team is understaffed

Half of our respondents said their team is currently understaffed, and staffing problems are tied closely to burnout. Of those who felt understaffed, nearly four in five (79%) are burned out, compared to just 47% of those who felt they currently have the right amount of staff for their needs.

For 81%, workloads have increased over the past year

One of the reasons for burnout could be that 81% had more work than ever over the past year. This was particularly true in the United States, where 39% said their workload had increased substantially, compared to 22% in Europe. Just 2% of overall respondents said their workload had decreased.

Summary

SOC teams love what they do. The majority of respondents report feeling satisfied with their jobs, engaged in their work, and respected by their colleagues in other departments. They also indicated they are paid what they deserve, with 96% feeling fairly compensated.

However, 63% are experiencing some level of burnout at work, and many security teams feel understaffed and overburdened by ever-increasing workloads. These issues can lead to employee churn, even among those who love their jobs. In the next sections, we’ll take a closer look at the factors that have helped retain respondents who would otherwise look for new opportunities.

Top three skills needed to succeed as an analyst

15%

Computer forensics techniques

Knowing how to recover data from crashed servers and drives after an incident is a key step in uncovering what went wrong in the failure or attack.

14%

Learning to code

Being able to code can help in task automation, which alleviates some of the most tedious processes. There are also no-code automation options that allow teams to focus on security analysis.

14%

Malware analysis techniques

SOC teams must be able to examine malicious software to reveal its purpose and potential impact on their systems.

11% Threat hunting techniques
9% Obtaining high-level training and certifications
9% Operationalizing MITRE ATT&CK
9% Advanced query language techniques
7% Keeping up to date on threat actors’ TTPs
7% Learning penetration testing
4% SOAR integration

Chapter 2

Where time goes

We know security teams are frustrated by time spent on tedious tasks, and this repetitive work prevents them from engaging in the improvements that will enhance their organization’s security posture. In this section, we find out exactly what these necessary but mundane tasks are, and learn more about the internal metrics guiding this time management.

Top five time-consuming tasks

18%

Security orchestration, automation and response (SOAR)

The number one most time-consuming task is SOAR, likely because nearly every current SOAR tool uses an app-based integration model which relies on limited pre-built integrations and often requires teams to build their own custom apps. Direct integrations can address these challenges.

17%

Troubleshooting system errors/system maintenance

Troubleshooting and maintenance take up a significant amount of time, preventing teams from doing the proactive work that could improve security postures.

16%

Intelligence (i.e. researching threat actors, TTPs, ATT&CK)

Teams are also spending time researching threat actors — including their tactics, techniques, and procedures — and operationalizing the MITRE ATT&CK framework.

15%

Monitoring

Respondents are spending valuable time monitoring for threats and alerts, despite the fact that respondents over the practitioner level should not be doing front-line monitoring.

15%

Managing a knowledge base/operational documentation

Documentation rounds out the top five tasks — ensuring all essential documents are stored, backed up, and eventually discarded when they’re no longer needed.

Lower on the list, you’ll find more proactive, higher-impact tasks like managing IOCs and modifying alert rules, tasks that SOC teams would likely prefer to prioritize. One task that saw a steep decline this year? Reporting.

13% Data Loss Prevention (DLP)
12% Communicating (email, phone, messenger, etc.)
11% Detecting (including intrusion detection)
11% Responding to security incidents
11% Vulnerability/compliance scanning (e.g. Nessus) and patching
9% Malware analysis/forensics
8% Threat hunting
8% Evaluating new vendors/products/services
8% Log analysis
8% Operations/ShiftOps
7% Compliance and audits
7% Managing IOCs
7% Tracking
6% Penetration testing, Red teaming, Purple teaming, etc.
6% Reporting
5% Phishing triage/response
5% Recovery
4% Modifying alert rules
3% Containment

Top four tasks security teams enjoy the least

18%

Communicating (email, phone, Slack, etc.)

One of the two tasks which respondents enjoyed the least was communicating. Slack notifications come for us all, but there are ways to automate communications internally and externally and increase transparency on shared projects.

18%

Reporting

The other top choice was reporting. Reporting matters, but it’s reactive — collecting what happened after an incident — rather than proactive. Streamlining the reporting process through automation frees up security practitioners to focus on analysis and increases job satisfaction.

10%

Monitoring

Monitoring, one of the most time-consuming tasks, is also one of the least enjoyable. Much of this type of manual front-line monitoring can be automated.

10%

Responding to security incidents

As you’ll see below, teams are judged on their ability to respond to incidents. It should be noted that 14% of respondents named this type of response their most enjoyable task — including 22% of VPs and above, suggesting a split between analysts and leaders on the task.

9% Triaging
9% Threat hunting
8% Tracking
6% Intrusion detection
6% Detecting
6% Operations/ShiftOps

Top four key metrics used to measure job performance

What key metrics are used to measure a security team’s job performance? In other words, what metrics should SOC teams prioritize to improve team performance?

When we asked this question last year, the top five responses were mean time to investigate (54.1%), number of alerts (43.8%), mean time to respond (40%), time to detect (37.6%), and number of incidents handled (34.2%). Four of those answers cracked the top five again this year, with only the number of alerts falling off — possibly because security teams are learning that an avalanche of alerts is an impediment to success, not a marker of it.

36%

Mean time to investigate (MTTI)

The average amount of time between when a problem is detected and when the security team begins to investigate it. Successful SOC teams reduce the intervening window.

36%

Time to detect

The time it takes an organization to discover an incident. SOC teams need solutions in place to identify issues quickly and catch zero-day vulnerabilities.

36%

Number of incidents handled

SOC teams are measured by the number of incidents they resolve successfully. They can slash this figure by implementing faster and more thorough alert and resolution tools.

36%

Mean time to respond

The average time it takes to resolve an incident completely. Automation can help security teams investigate and remediate threats and return a system to operation after a failure.

33% Adherence to SOW/SOP/KBs (Statements of Work, Standard Operating Procedure, Knowledge Base articles)
33% Percentage of recurring incidents
31% Time to containment
31% Adherence to Service Level Agreements (SLAs)
30% Number of alerts
28% Percentage of escalated events
28% Knowledge base/wiki articles created or enhanced
28% Rules or detections created or enhanced
26% Time to eradication
25% False positives identified and reduced
22% False positive rate
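To make the metric definitions above concrete, here is an added example (not code from the Tines report) that computes the surveyed metrics over a small constructed incident log: time to detect, mean time to investigate, time to containment, mean time to respond, false positive rate, percentage of escalated events and percentage of recurring incidents. The `Incident` record layout, the use of the alert timestamp as the start of each response interval, the treatment of a repeated category as a recurring incident, and every timestamp and category name are assumptions made for the illustration.

```python
"""SOC performance metrics computed from a constructed incident log.

Added illustration, not code from the Tines report. Record layout, timestamps
and category names are invented for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Iterable, List, Optional, Tuple


@dataclass
class Incident:
    ident: str
    category: str
    detected: datetime                            # alert raised by monitoring
    occurred: Optional[datetime] = None           # estimated first malicious activity
    investigation_started: Optional[datetime] = None
    contained: Optional[datetime] = None
    resolved: Optional[datetime] = None
    escalated: bool = False
    false_positive: bool = False


def _mean_minutes(pairs: Iterable[Tuple[Optional[datetime], Optional[datetime]]]) -> Optional[float]:
    """Average (end - start) in minutes over pairs where both ends are known.
    Returns None instead of raising when no interval is complete yet."""
    gaps = [(end - start) / timedelta(minutes=1)
            for start, end in pairs if start is not None and end is not None]
    return mean(gaps) if gaps else None


def _true_incidents(incidents: List[Incident]) -> List[Incident]:
    return [i for i in incidents if not i.false_positive]


def mean_time_to_detect(incidents: List[Incident]) -> Optional[float]:
    """Time to detect: first malicious activity -> alert, true incidents only."""
    return _mean_minutes((i.occurred, i.detected) for i in _true_incidents(incidents))


def mean_time_to_investigate(incidents: List[Incident]) -> Optional[float]:
    """MTTI: alert -> an analyst starts work. Every alert counts, including those
    later closed as false positives, because the triage delay is paid on all of them."""
    return _mean_minutes((i.detected, i.investigation_started) for i in incidents)


def mean_time_to_contain(incidents: List[Incident]) -> Optional[float]:
    """Time to containment: alert -> spread stopped, true incidents only."""
    return _mean_minutes((i.detected, i.contained) for i in _true_incidents(incidents))


def mean_time_to_respond(incidents: List[Incident]) -> Optional[float]:
    """MTTR: alert -> incident fully resolved, true incidents only."""
    return _mean_minutes((i.detected, i.resolved) for i in _true_incidents(incidents))


def false_positive_rate(incidents: List[Incident]) -> float:
    return sum(i.false_positive for i in incidents) / len(incidents) if incidents else 0.0


def escalation_rate(incidents: List[Incident]) -> float:
    """Percentage of escalated events, expressed as a fraction of all alerts."""
    return sum(i.escalated for i in incidents) / len(incidents) if incidents else 0.0


def recurring_incident_rate(incidents: List[Incident]) -> float:
    """Share of true incidents whose category already appeared earlier in the log
    (assumed definition of 'recurring' for this example)."""
    seen, recurring, total = set(), 0, 0
    for inc in sorted(_true_incidents(incidents), key=lambda i: i.detected):
        total += 1
        if inc.category in seen:
            recurring += 1
        seen.add(inc.category)
    return recurring / total if total else 0.0


def open_incidents(incidents: List[Incident]) -> List[str]:
    """True incidents with no resolution yet. They are left out of the averages
    above, so they are reported separately rather than silently dropped."""
    return [i.ident for i in _true_incidents(incidents) if i.resolved is None]


# Constructed sample log: five alerts on one shift, one of them a false positive
# and one still open at the time the metrics are computed.
_T0 = datetime(2023, 6, 1, 8, 0)


def _m(minutes: int) -> datetime:
    return _T0 + timedelta(minutes=minutes)


SAMPLE_INCIDENTS = [
    Incident("INC-1", "phishing", detected=_m(30), occurred=_m(0), investigation_started=_m(40),
             contained=_m(70), resolved=_m(130)),
    Incident("INC-2", "malware", detected=_m(150), occurred=_m(120), investigation_started=_m(170),
             contained=_m(200), resolved=_m(290), escalated=True),
    Incident("INC-3", "phishing", detected=_m(310), occurred=_m(300), investigation_started=_m(330)),
    Incident("INC-4", "port-scan", detected=_m(400), investigation_started=_m(405), resolved=_m(410),
             false_positive=True),
    Incident("INC-5", "malware", detected=_m(520), occurred=_m(500), investigation_started=_m(540),
             contained=_m(560), resolved=_m(610), escalated=True),
]

if __name__ == "__main__":
    print("MTTD (min):", mean_time_to_detect(SAMPLE_INCIDENTS))
    print("MTTI (min):", mean_time_to_investigate(SAMPLE_INCIDENTS))
    print("Time to containment (min):", mean_time_to_contain(SAMPLE_INCIDENTS))
    print("MTTR (min):", mean_time_to_respond(SAMPLE_INCIDENTS))
    print("False positive rate:", false_positive_rate(SAMPLE_INCIDENTS))
    print("Escalated:", escalation_rate(SAMPLE_INCIDENTS), "Recurring:", recurring_incident_rate(SAMPLE_INCIDENTS))
    print("Still open:", open_incidents(SAMPLE_INCIDENTS))
```

Two design choices matter when these numbers feed a dashboard: false positives are excluded from the detect, contain and respond averages (they never had a real start or end) but included in MTTI, since triage delay is incurred on every alert; and incidents that are still open are excluded from the averages and listed separately, so a long-running incident cannot make the team look faster by quietly dropping out of the mean.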

Where you can find them

As a fun aside, we asked our participants which conferences they’re aware of or have attended in the past two years. If you’re looking for your peers, your best bet is AWS re:Inforce, followed by Black Hat and AWS re:Invent.

AWS re:Inforce 39%
Black Hat 37%
AWS re:Invent 35%
InfoSec 27%
DefCon 27%
BSides 24%