Gartner Blog Network


Our 2018 Update to “How to Plan, Design, Operate and Evolve a SOC” Publishes

by Anton Chuvakin  |  September 17, 2018  |  1 Comment

As Augusto already announced awhile ago, we have updated our “how to SOC” paper for 2018. His post even includes our main guidance visual (!), made that much more awesome by our new co-author, Anna. The paper is still titled “How to Plan, Design, Operate and Evolve a SOC.”

In any case, I wanted to provide some of my favorite quotes from the paper, and of course entice you [well, those of you who are Gartner GTP subscribers, that is] to read it.

Some of my fave quotes (there are a lot more in the paper):

  • “For the scope of this document, SOC refers to the group of people and processes delivering security operations functions under a single organizational structure. In essence, the SOC is a team, not a facility.”
  • “Outsourcing some SOC capabilities is nearly universal. Many hybrid SOC models have emerged that mix and match services with internally delivered SOC functions.” <- this is what we called informally “every SOC is a hybrid SOC” today.
  • “Gartner clients with successful SOCs put the premium on people rather than process and technology. People and process overshadow technology as predictors for SOC success or failure.”
  • “Building a SOC can take many months, if not years. In fact, achieving high maturity and effectiveness levels will unquestionably take years. SOC build-out is a marathon, not a sprint, and you must be prepared to have the patience to execute iteratively and consistently over these kinds of time frames.”
  • “Note that loss of such [executive] support after several years of SOC operation has led to “SOC decay” and decrease in capability maturity, detection effectiveness and, in some widely publicly reported cases, damaging data breaches.”
  • “Building a SOC is a big commitment of resources, effort and focus — both initial and ongoing. It is the ongoing part that determines whether you’ll still have a SOC in three years!
  • “One of the challenges that plague organizations that purchased many security tools [for SOC] is making the set of tools into a coherent whole. Having to check diverse tools in a disjointed manner saps analyst efficiency and allows threats to slip in and survive in the environment undetected.”

Enjoy the paper! [Gartner GTP access required]. If you read it, please provide feedback at https://surveys.gartner.com/s/gtppaperfeedback

Blog posts related to SOC research:

Posts related to paper publication:

Category: detection  monitoring  security  soc  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio


Thoughts on Our 2018 Update to “How to Plan, Design, Operate and Evolve a SOC” Publishes


  1. […] Our 2018 Update to “How to Plan, Design, Operate and Evolve a SOC” Publishes […]



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.