The Cyentia Institute has begun a new research project to study various aspects of Security Operations Centers (SOCs) and Computer Incident Response Teams (CIRTs). While there are several existing studies on SOCs/CIRTs, they tend to focus on the entity itself (structure, performance, tooling, etc.) rather than the individuals who comprise it. Our study is designed to fill that gap: we want to focus on the human side of the SOC to build understanding, share insight, and ultimately empower SOC/IR teams to be the best they can be.
We are kicking off two components of the data collection phase for this project. First, we’re sampling individual analysts and inviting them to participate in an anonymous survey. If you received an invitation directly from a Cyentia Institute representative with a link to this post, you were among that sample. The primary incentive for participating is that you will ultimately contribute to a public report on an important topic that we hope will benefit other analysts and the community at large. We will also share the results directly with you in an anonymized, aggregated, and summarized format that won’t be available to readers of the published report (but that will still, of course, preserve the privacy of those who participated).
Second, we’re seeking volunteer SOCs/CIRTs to participate in our research as a whole entity. This would involve anonymous surveys of analysts within the SOC/CIRT. We understand that this imposes extra work on SOC/CIRT teams that are already time-constrained. To make this worthwhile, we’re offering to analyze the collected data, generate benchmarks, and create a custom report for each participating SOC/CIRT. We believe this will provide valuable insight and actionable results for SOC/CIRT directors, especially if the example research questions listed below resonate. If interested in learning more about this, please contact us at [email protected].
Research questions we have for this project include:
- How do analysts perceive common SOC/CIRT activities? Which do they perceive as most challenging/enjoyable/valuable vs repetitive/boring/wasteful?
- Which SOC/CIRT activities have higher time-to-value and investment-to-value ratios?
- Are existing tools and information sufficient to enable analysts to perform necessary activities well?
- What would most improve analyst satisfaction, retention, and effectiveness?
- What’s the role of AI and automation in enabling the analyst and improving SOC/CIRT performance?
Whether you receive an individual invitation directly or volunteer as a SOC/CIRT, we appreciate your support of this research. In turn, we will do our best to publish a report that is worthy of the time you invest.
Full Disclosure: We’ve received sponsorship from a security software vendor to publish a report based on the results of this survey. We have a policy of not disclosing the name of sponsoring organizations while research is underway to avoid any biases that may result. Vendors participate in the design of our studies and help identify research questions, but we collect, analyze, and report findings independently to ensure integrity. We do not undertake projects “just for the money.” Anything we spend our time on is something we believe will bring value to the infosec community and we take our job as researchers seriously.