
Modernizing a Security Operations Center (SOC) is a complex challenge for many organizations, often leading to delays, difficulties and considerable frustration in achieving a truly effective security operations transformation.


Throughout this post, we will try to answer the questions "Why does SOC modernization lag?" and "Why is a modern SOC so hard?". These questions do not have a simple or unique answer; the answer is rather a blend of enduring challenges and complexities.


Whether organizations are optimizing their SOC with incremental improvements (such as adding new tools and technologies or refining some processes) or completely transforming it (from its architecture and processes to its staffing and training), the effort usually entails a multi-year journey demanding significant investment, organization-wide commitment, and often external assistance.


Many organizations express a desire for the benefits of a transformed SOC but are unwilling to bear the associated costs or undertake radical changes. This leads to a "transformation lite" trap, where superficial changes fail to deliver meaningful improvements. Simply acquiring modern tools without fundamentally changing people and processes is unlikely to succeed.


The difficulties in SOC modernization can be categorized into four key areas: People, Process & Strategy, Technology & Resource Constraints, and broader Organizational Factors.




The Human Element: Why People Struggle with SOC Modernization


The effectiveness of any SOC is directly linked to the skill, dedication, and well-being of its personnel. Yet, people-centric issues remain some of the most significant obstacles.



  • It's about skills, not just numbers (The talent gap): There are constant reports of a shortage of qualified cybersecurity professionals, especially in SOC operations. We won't go into the debate about the possible reasons for this shortage: lack of adequate academic training, the balance between supply and demand, compensation commensurate with experience and training, etc.

    However, this is not simply a statistical problem, but rather a mismatch between available skills and the evolving demands of a modern SOC, which now requires specialized roles such as detection engineers, data scientists with security knowledge, automation engineers, proactive threat hunters, etc. Instead of trying to hire more personnel, the focus must be on cultivating the right skills for continuously emerging requirements.

    Upskilling the first levels of a SOC requires significant investment and effort, which, a priori, does not fit the myth that "more automation directly means cost savings."



  • Old habits die hard (Mindset change): Many SOC teams are resistant to adopting new tools and processes, often clinging to familiar methods due to fear of job displacement, lack of understanding, or simply inertia ("if it works, don't touch it"). This "NOC DNA" or "helpdesk DNA" mindset, rooted in hierarchical industrial-age assembly lines, often struggles to envision or adapt to a more proactive and automated approach.


  • Too exhausted to transform (Alert Fatigue and Analyst Burnout): The day-to-day of a traditional SOC, where analysts are inundated by a tsunami of alerts (many of which are false positives), leads to severe burnout and a high turnover rate. If, on top of that, the intention is to involve them directly in the transformation in parallel, you add a workload and a responsibility that is often impossible for the teams to assume. This is a very common point of failure in these types of transformations: the people dedicated to the 'Run' must also dedicate time to the 'Change', and for that to happen, the effort and execution times must be very well scoped. (We mentioned earlier that these transformation projects usually last several years; it is not a simple task.)


  • Fear of the unknown (AI and Automation): Automation's becoming a must-have, but some SOC analysts worry AI will take their jobs. Even more to the point, there's a real distrust of full automation. Many security issues need a nuanced human touch, not just a "one-size-fits-all" machine approach. This lack of trust ties directly into an organization's type, its engineering culture, and partly its tech stack. Sometimes, I've heard excuses about service criticality, regulations, or risk appetite. Yet, even in the same regulated sector, like financial services, you can see both extremes: a neobank with super high automation in its security operations, and more traditional banks that just can't seem to make it to the finish line with automation. To me, that's definitely a cultural thing.




Process and Strategy Challenges: Operational Hurdles


Beyond individual skill sets, inefficient processes and a lack of strategic business alignment can severely impede SOC modernization.



  • No Game Plan? Your SOC Modernization Is Doomed. (Lack of a Clear Modernization Strategy): Organizations often lack a well-defined strategy and step-by-step process for SOC modernization, leading to initiatives that lack direction and fail to achieve their goals. We can look at two main paths when it comes to modernizing a SOC: simple optimization, which means making incremental improvements (in technology or processes), and transformation, which involves completely overhauling your SOC—from its architecture and processes to its staffing and training. This usually means moving to a more engineering-led approach like Autonomic Security Operations.

    Sometimes, even when organizations know the right path forward, they just don't have a clear strategy for such a complex journey. In either case, these are complicated, long-term projects, and without a defined strategy upfront, they're likely to fail sooner or later.

    It's crucial to remember that we can't think of this strategy in isolation from the rest of the organization. Transforming security operations impacts many areas—both technical and business—so our modernization strategy absolutely needs to be aligned with the company's overall strategy.



  • More Than Just Tech Stats (SOC metrics and difficulty demonstrating value): A significant challenge for SOCs is establishing and tracking meaningful Key Performance Indicators (KPIs) to effectively show their value to the organization.

    When you can't quantify risk reduction and operational efficiency, the SOC can end up being seen as just a cost center, which then impacts executive support, funding and resources.

    Given the lack of standardization and the difficulty of truly measuring business risk reduction, organizations typically start by measuring what's easy to represent and explain. I'm talking about more operational, technical metrics. While these can be actionable, they don't help us demonstrate the strategic value of a SOC, and they're certainly not metrics anyone would want to present to the Board of Directors. I can't imagine talking to the Board about ingestion volumes, pipeline latency, or False Positive Rate (FPR).

    The well-known Mean Time to Detect (MTTD) or Mean Time to Respond (MTTR) can be a good start for partly showing what a SOC is achieving in terms of risk reduction. Unfortunately, more than 50% of security teams aren't even tracking KPIs like MTTD and MTTR.



  • Finding the sweet spot (Balancing consistency and creativity): A modern Security Operations Center (SOC) needs to walk a fine line. On one hand, you want consistent, repeatable processes so things run smoothly and predictably. But if those processes get too stiff, they can really stifle the creativity and new ideas you need to tackle brand new threats.

    From our perspective, modernizing a SOC has to come with some flexibility, especially when it comes to processes that used to be too rigid. Specifically, designing use cases or developing new detections for emerging threats needs a different approach than the traditional one. The complexity of new threats, combined with the new technologies we have at our fingertips (like cloud-native and AI-enhanced tools), makes it essential to really unleash our creativity.
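The metrics bullet above names MTTD, MTTR and False Positive Rate as the KPIs most SOCs are not even tracking. As an added example (not code from the original post), here is a small calculator for those three over a constructed set of incident records; the field names are assumptions, and the median is reported beside the mean because a single long-dwell incident drags the mean far from what a typical incident looks like.

```python
from datetime import datetime
from statistics import mean, median

# Constructed sample records (not real data); field names are assumptions. "start" is when
# the activity began, "detected" when the SOC raised it, "contained" when it was closed.
INCIDENTS = [
    {"id": "INC-1", "true_positive": True, "start": "2024-03-01T08:00:00",
     "detected": "2024-03-01T08:30:00", "contained": "2024-03-01T10:30:00"},
    {"id": "INC-2", "true_positive": True, "start": "2024-03-02T00:00:00",
     "detected": "2024-03-03T00:00:00", "contained": "2024-03-03T08:00:00"},  # one-day dwell
    {"id": "INC-3", "true_positive": True, "start": "2024-03-04T09:00:00",
     "detected": "2024-03-04T09:15:00", "contained": "2024-03-04T09:45:00"},
    {"id": "INC-4", "true_positive": True, "start": "2024-03-05T12:00:00",
     "detected": "2024-03-05T12:30:00", "contained": None},  # still open
    {"id": "INC-5", "true_positive": False, "start": "2024-03-05T14:00:00",
     "detected": "2024-03-05T14:00:00", "contained": None},  # false positive
    {"id": "INC-6", "true_positive": False, "start": "2024-03-06T07:00:00",
     "detected": "2024-03-06T07:00:00", "contained": None},  # false positive
]

def _hours(later, earlier):
    """Elapsed time between two ISO-8601 timestamps, in hours."""
    delta = datetime.fromisoformat(later) - datetime.fromisoformat(earlier)
    return delta.total_seconds() / 3600

def detection_times(incidents):
    """Time to detect, confirmed incidents only: a false positive has no real dwell time."""
    return [_hours(i["detected"], i["start"]) for i in incidents if i["true_positive"]]

def response_times(incidents):
    """Detection-to-containment time for confirmed incidents that are already closed."""
    return [_hours(i["contained"], i["detected"])
            for i in incidents if i["true_positive"] and i["contained"] is not None]

def false_positive_rate(incidents):
    """Share of all alerts that turned out to be false positives."""
    return sum(1 for i in incidents if not i["true_positive"]) / len(incidents)

def summarize(incidents):
    """KPIs in hours. The median sits beside the mean because one long-dwell
    incident (INC-2 here) drags MTTD far above what a typical incident looks like."""
    ttd, ttr = detection_times(incidents), response_times(incidents)
    return {
        "mttd_hours": mean(ttd), "median_ttd_hours": median(ttd),
        "mttr_hours": mean(ttr), "median_ttr_hours": median(ttr),
        "fpr": false_positive_rate(incidents),
        "still_open": sum(1 for i in incidents if i["true_positive"] and i["contained"] is None),
    }
```

Open incidents are counted but excluded from MTTR, since a containment time they do not yet have would otherwise silently flatter the average.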




Technology and Resource Constraints: Tooling and Data 


The dynamic technological landscape, while offering solutions, also introduces substantial challenges.



  • Spaghetti Architecture (Legacy Systems and Tool Sprawl): Many organizations are hampered by outdated systems, and sometimes it's really tough to even get the necessary logs or telemetry from them for proper monitoring. Other times, you can extract the data, but you have to build a Rube Goldberg machine just to send that data to the final monitoring system.

    There are still security technologies out there that are incompatible with modern automation and integration. This often results in a "Frankenstein's monster of tools that don't talk to each other," leading to analysts constantly toggling between multiple consoles and missing crucial correlations. "Too many tools that are not integrated" is a top barrier.



  • Siloed technology and data: One of the main problems leaders face when tackling a transformation like the one we're discussing stems from an organizational design flaw, which we'll cover later. Organizations that operate in silos—by department, business area, or even within engineering and security teams—transfer that organizational issue directly into a technology and data problem.

    It's really complicated to inventory the assets, technologies, and data within each of these silos to properly design what needs to be included in your SOC modernization plan.

    Ideally, we'd break down these silos, but as we mentioned earlier, that's deeply tied to company culture. We'll settle for at least knowing which systems we need to ingest critical information from and which data sources should be integrated with our SOC. But let's not go crazy. Despite the amazing data ingestion, processing, storage, and scaling capabilities that new cloud-native technologies offer, it's not a good strategy to get carried away by Diogenes Syndrome (hoarding everything). That leads us to the next hurdle.



  • The Data Deluge: SOCs are "drowning in data" from logs, alerts, and threat feeds, much of which is "useless noise". Effectively sifting through this massive volume to find actual threats is a significant challenge, transforming what was once manageable log management into a "significant Big Data problem". The capacity to process and analyze this data has not kept pace with the exponential increase in data volume. SOCs should focus on having the 'right' data: specific, well-structured and contextualized.


  • I want to modernize my SOC, but am I modern enough?: Today's SOCs are really having a tough time keeping pace with all the security challenges that come with cloud computing, microservices, containers, and serverless models. Seriously, a big chunk of security breaches nowadays are thanks to simple cloud misconfigurations, as described in the latest Google Cloud Threat Horizons Report.

    The way these modern systems get rolled out so fast often means security teams just can't keep up with putting the right safeguards in place. Trying to secure these new cloud technologies with an "old school" mindset is a recipe for disaster and just creates more weaknesses.




Organizational Factors: The Resistance to Deep Change


Beyond immediate operational and technical hurdles, the broader organizational culture and dynamics significantly impact modernization efforts.



  • Silos everywhere! We previously mentioned the difficulties derived from a siloed organization. It's pretty likely that from within a company's cybersecurity department, or even the engineering department, we won't have enough influence to gradually break down these silos. 

    But what if we start with ourselves? I've seen many security operations teams that are highly fragmented, operating like independent groups with different processes, varied technologies, and worst of all, different (often duplicated) data.

    The first step toward transforming how we do cybersecurity operations is to break down those internal silos. Where possible, unify technology (while still keeping specific needs in mind), but most importantly, share data and the insights we get from it.



  • Too Much on Their Plate (Lack of Organizational Capacity for Change): When we talked about people earlier, we mentioned the huge effort it takes to run a SOC and protect a company while also going through a major transformation. You really need to be aware of these limitations when planning change projects of this scale.


  • "Transformation Lite" Trap: A common issue is the desire for substantial results from superficial changes, reflecting either a misunderstanding of the required depth of transformation or an unwillingness to commit necessary resources. This often leads to failed or incomplete modernization efforts.


  • "Not Invented Here" Syndrome: Some organizations exhibit a strong culture of believing their own solutions are superior, leading to reluctance to adopt proven new technologies or best practices, even when they could be more effective. 

    To pull off a transformation of this size just by building capabilities "in-house", you'd need a really powerful engineering team (trust me, I tried!). And we're not just talking about super-skilled security engineers; you'd also need developers, architects, SREs, data scientists, AI engineers, and I'm probably forgetting some other key roles.

    You might have all those people internally, but is your core business actually building cutting-edge security systems? You've got to find the right trade-off between what you do internally and what you acquire from the market.



  • "Set It and Forget It" Mentality: Modernizing a SOC is not a one-time project; it requires continuous improvement and adaptation.


  • No Boss Buy-In? (Lack of Leadership Support and Organizational Alignment): Without strong leadership support and a clear vision for SOC modernization, initiatives may flounder. Securing executive sponsorship and aligning SOC strategy with business goals is critical.




In conclusion, the difficulties in modernizing a SOC are multifaceted and deeply intertwined. They stem from a complex interplay of human resistance, outdated processes, technological sprawl, and organizational inertia. Understanding these fundamental challenges is the first step toward charting a course for SOC resilience, recognizing that true transformation requires a holistic, adaptive, and sustained strategic effort across all dimensions of people, process, technology, and organizational culture. The SOC evolution is a continuous journey, not a fixed destination.
