Security teams are getting restless.
Before founding Tines, I spent 15 years in the SOC leading teams charged with protecting organizations from ever-evolving threats. Over that time, the challenge facing SOC analysts became harder, not easier: workloads are increasing, but teams aren’t growing alongside them. SOC analysts are burning out as a result of tedious and repetitive tasks. In the best-case scenario, staff will leave in search of new opportunities and leave their previous organizations scrambling to replace them. In the worst case, their burnout will lead to human error that could cost a company millions.
Last year, we examined these issues in detail in our first “Voice of the SOC Analyst” report. Our survey found that while SOC teams were passionate and engaged in what they do, they were plagued by endless manual tasks, inefficient processes, and overwhelming alert fatigue — all preventing them from focusing on high-impact work. The same holds true in 2023.
For the second edition of the “Voice of the SOC,” Tines surveyed 900 security professionals. We expanded the scope beyond the United States to include Europe and sought perspectives from security leaders up to and including the C-suite, rather than just analysts.
Like many other teams, security teams have felt the added pressure of economic instability over the past 12 months. They were asked to do more with less, as business leaders scrutinized every line on the balance sheet.
This year’s data reveals that overall job satisfaction in the SOC remains high — security practitioners love the work they do. However, burnout is taking its toll. Leaders continue to feel their teams are understaffed and don’t have access to the tools that could automate the most mundane aspects of their work. The bottom line: more than half of respondents, across job levels, say they’re likely to switch jobs in the coming year.
This should be an alarm bell to business leaders. With both cyberattacks and skill shortages increasing, staff retention in the SOC is mission critical. The following report digs into the factors that undermine morale and offers practical solutions to help alleviate burnout and empower staff to do their best work.
We hope you find it useful in your SOC in 2023 and as you plan for 2024.
With more than 80% saying their workloads have increased in the past year, the problem is only getting worse.
Organizations could increase retention by increasing salaries, supplying modern tools with advanced capabilities, hiring more staff, and investing in solutions that automate tedious, manual tasks.
If respondents had to spend less time on manual tasks, they would most likely use that time to research and evaluate new tools, develop more advanced detection rules, and integrate more systems and logs.
Nine out of ten security teams are automating at least some of their work, and 93% of respondents believe that more automation would improve their work-life balance. Respondents expect automation to help their teams increase productivity, save time, and optimize performance and reliability.
Security teams now consider learning to code — along with computer forensics and malware analysis techniques — most important to succeed, likely because of coding’s key role in automation. No-code security solutions could provide similar benefits as organizations automate repetitive tasks.
To summarize, our respondents are typically security professionals, the majority of whom work for companies in the technology industry with more than 500 employees. Let’s explore their day-to-day experiences in the SOC.
Overall job satisfaction is up among security teams this year. The number of respondents satisfied with their current job rose from 88% last year to 99% in 2023. 54% are very satisfied this year.
Analysts aren’t just satisfied — they’re locked in. 50% of respondents are very engaged with their work, and 98% are at least somewhat engaged.
Security teams may sometimes feel like they are working in the shadows as they defend their organizations against threats, but their hard work does not go unnoticed. Almost all (99%) of respondents said they feel respected by their peers outside of the SOC team, and 52% feel very respected.
Despite 99% saying they’re satisfied with their job, nearly two thirds (63%) of respondents said they feel burned out at work. One in five feel very burned out. We’ll uncover some of the reasons for this shortly, along with ways to help SOC teams join the 37% who say they do not feel burned out at work.
Half of our respondents said their team is currently understaffed, and staffing problems are tied closely to burnout. Of those who felt understaffed, nearly four in five (79%) are burned out, compared to just 47% of those who felt they currently have the right amount of staff for their needs.
One of the reasons for burnout could be that 81% had more work than ever over the past year. This was particularly true in the United States, where 39% said their workload had increased substantially, compared to 22% in Europe. Just 2% of overall respondents said their workload had decreased.
SOC teams love what they do. The majority of respondents report feeling satisfied with their jobs, engaged in their work, and respected by their colleagues in other departments. They also indicated they are paid what they deserve, with 96% feeling fairly compensated.
However, 63% are experiencing some level of burnout at work, and many security teams feel understaffed and overburdened by ever-increasing workloads. These issues can lead to employee churn, even among those who love their jobs. In the next sections, we’ll take a closer look at the factors that have helped retain respondents who would otherwise look for new opportunities.
Computer forensics techniques
Knowing how to recover data from crashed servers and drives after an incident is a key step in uncovering what went wrong in the failure or attack.
Learning to code
Being able to code can help in task automation, which alleviates some of the most tedious processes. There are also no-code automation options that allow teams to focus on security analysis.
Malware analysis techniques
SOC teams must be able to examine malicious software to reveal its purpose and potential impact on their systems.
Threat hunting techniques
Obtaining high-level training and certifications
Operationalizing Mitre ATT&CK
Advanced query language techniques
Keeping up to date on threat actors’ TTPs
Learning penetration testing
Security orchestration, automation and response (SOAR)
The number one most time-consuming task is SOAR, likely because nearly every current SOAR tool uses an app-based integration model which relies on limited pre-built integrations and often requires teams to build their own custom apps. Direct integrations can address these challenges.
Troubleshooting system errors/system maintenance
Troubleshooting and maintenance take up a significant amount of time, preventing teams from doing the proactive work that could improve security postures.
Intelligence (i.e. researching threat actors, TTPs, ATT&CK)
Teams are also spending time researching threat actors — including their tactics, techniques, and procedures — and operationalizing the MITRE ATT&CK framework.
Respondents are spending valuable time monitoring for threats and alerts, despite the fact that respondents over the practitioner level should not be doing front-line monitoring.
Managing a knowledge base/operational documentation
Documentation rounds out the top five tasks — ensuring all essential documents are stored, backed up, and eventually discarded when they’re no longer needed.
Lower on the list, you’ll find more proactive, higher-impact tasks like managing IOCs and modifying alert rules — tasks that SOC teams would likely prefer to prioritize. One task that saw a steep decline this year? Reporting.
Data Loss Prevention (DLP)
Communicating (email, phone, messenger, etc)
Detecting (including intrusion detection)
Responding to security incidents
Vulnerability/compliance scanning (e.g. Nessus) and patching
Evaluating new vendors/products/services
Compliance and audits
Penetration testing, Red teaming, Purple teaming, etc.
Modifying alert rules
Communicating (email, phone, Slack, etc.)
One of the two tasks which respondents enjoyed the least was communicating. Slack notifications come for us all, but there are ways to automate communications internally and externally and increase transparency on shared projects.
The other top choice was reporting. Reporting matters, but it’s reactive — collecting what happened after an incident — rather than proactive. Streamlining the reporting process through automation frees up security practitioners to focus on analysis and increases job satisfaction.
Monitoring, one of the most time-consuming tasks, is also one of the least enjoyable. Much of this type of manual front-line monitoring can be automated.
Responding to security incidents
As you’ll see below, teams are judged on their ability to respond to incidents. It should be noted that 14% of respondents named this type of response their most enjoyable task — including 22% of VPs and above, suggesting a split between analysts and leaders on the task.
Mean time to investigate (MTTI)
The average amount of time between when a problem is detected and when the security team begins to investigate it. Successful SOC teams reduce the intervening window.
Time to detect
The time it takes an organization to discover an incident. SOC teams need solutions in place to identify issues quickly and catch zero-day vulnerabilities.
Number of incidents handled
SOC teams are measured by the number of incidents they resolve successfully. They can slash this figure by implementing faster and more thorough alert and resolution tools.
Mean time to respond
The average time it takes to resolve an incident completely. Automation can help security teams investigate and remediate threats and return a system to operation after a failure.
Adherence to SOW/SOP/KBs (Statements of Work, Standard Operating Procedures, Knowledge Base articles)
Percentage of recurring incidents
Time to containment
Adherence to Service Level Agreements (SLAs)
Number of alerts
Percentage of escalated events
Knowledge base/wiki articles created or enhanced
Rules or detections created or enhanced
Time to eradication
False positives identified and reduced
False positive rate
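As an added illustration that is not part of the Tines report, the snippet below computes several of the metrics listed above (time to detect, MTTI, mean time to respond, incidents handled, false positive rate) from incident records such as a ticketing export. The record layout and field names are constructed, and mean time to respond is measured from detection to resolution, which is an assumption the report does not spell out; open incidents are counted as handled but excluded from the time-to-respond average.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident records (not survey data). Each stage holds an
# ISO-8601 timestamp, or None when that stage has not happened (yet).
INCIDENTS = [
    {"id": "INC-1", "occurred": "2023-06-01T08:00:00", "detected": "2023-06-01T08:30:00",
     "investigated": "2023-06-01T09:00:00", "resolved": "2023-06-01T12:00:00", "false_positive": False},
    {"id": "INC-2", "occurred": "2023-06-02T10:00:00", "detected": "2023-06-02T10:05:00",
     "investigated": "2023-06-02T10:10:00", "resolved": "2023-06-02T11:05:00", "false_positive": False},
    # Still open: no resolution timestamp.
    {"id": "INC-3", "occurred": "2023-06-03T22:00:00", "detected": "2023-06-04T07:00:00",
     "investigated": "2023-06-04T08:00:00", "resolved": None, "false_positive": False},
    # False positive: the "occurred" time is unknown, so it cannot feed time to detect.
    {"id": "INC-4", "occurred": None, "detected": "2023-06-05T14:00:00",
     "investigated": "2023-06-05T14:20:00", "resolved": "2023-06-05T14:30:00", "false_positive": True},
]

STAGES = ("occurred", "detected", "investigated", "resolved")


def _parse(ts):
    return datetime.fromisoformat(ts) if ts else None


def _mean_minutes(pairs):
    """Mean gap in minutes over (start, end) pairs where both ends are known."""
    gaps = [(end - start).total_seconds() / 60 for start, end in pairs if start and end]
    return mean(gaps) if gaps else None


def soc_metrics(incidents):
    """Headline SOC metrics from incident records. An incident missing a stage
    is skipped for that metric only, so it still counts as handled."""
    rows = [{**inc, **{s: _parse(inc.get(s)) for s in STAGES}} for inc in incidents]
    if not rows:
        return None
    return {
        "incidents_handled": len(rows),
        "open_incidents": sum(1 for r in rows if r["resolved"] is None),
        # Time to detect: occurrence -> detection (assumption: measured from "occurred").
        "mean_time_to_detect_min": _mean_minutes((r["occurred"], r["detected"]) for r in rows),
        # MTTI: detection -> start of investigation.
        "mtti_min": _mean_minutes((r["detected"], r["investigated"]) for r in rows),
        # Mean time to respond: detection -> full resolution (assumption).
        "mean_time_to_respond_min": _mean_minutes((r["detected"], r["resolved"]) for r in rows),
        "false_positive_rate": sum(1 for r in rows if r["false_positive"]) / len(rows),
    }
```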
Our respondents reveal that their time is mostly spent on necessary but tedious tasks like operating imperfect SOAR tools, troubleshooting system errors, and front-line monitoring (which is also one of the tasks they enjoy least). Effective automation can help maximize a SOC team’s time and improve the metrics — including time to detect, investigate, and respond — that they are measured against.
Too much data, not enough information
Security teams are drowning in data but struggle to turn that data into actionable insights.
Time spent on manual tasks
As we’ve seen elsewhere, tedious tasks — like reporting, monitoring, and detection — are a daily challenge.
Too many reporting requirements
Reporting is one of the least popular tasks, likely because of its arduous requirements.
Too many logs
Too many alerts
High staff turnover rate
Lack of training
Tools don’t integrate
Clunky, outdated, or misconfigured tools
Teams are very siloed
Poor visibility into our environment
Lack of time
Lack of budget
Lack of effective tools
Lack of people
Lack of buy-in from management or the rest of the organization
Lack of skills
Interpersonal challenges between team members