
Our 2018 Update to “How to Plan, Design, Operate and Evolve a SOC” Publishes

By Anton Chuvakin | September 17, 2018


As Augusto already announced a while ago, we have updated our “how to SOC” paper for 2018. His post even includes our main guidance visual (!), made that much more awesome by our new co-author, Anna. The paper is still titled “How to Plan, Design, Operate and Evolve a SOC.”

In any case, I wanted to provide some of my favorite quotes from the paper, and of course entice you [well, those of you who are Gartner GTP subscribers, that is] to read it.

Some of my fave quotes (there are a lot more in the paper):

  • “For the scope of this document, SOC refers to the group of people and processes delivering security operations functions under a single organizational structure. In essence, the SOC is a team, not a facility.”
  • “Outsourcing some SOC capabilities is nearly universal. Many hybrid SOC models have emerged that mix and match services with internally delivered SOC functions.” <- this is what we informally call “every SOC is a hybrid SOC” today.
  • “Gartner clients with successful SOCs put the premium on people rather than process and technology. People and process overshadow technology as predictors for SOC success or failure.”
  • “Building a SOC can take many months, if not years. In fact, achieving high maturity and effectiveness levels will unquestionably take years. SOC build-out is a marathon, not a sprint, and you must be prepared to have the patience to execute iteratively and consistently over these kinds of time frames.”
  • “Note that loss of such [executive] support after several years of SOC operation has led to “SOC decay” and decrease in capability maturity, detection effectiveness and, in some widely publicly reported cases, damaging data breaches.”
  • “Building a SOC is a big commitment of resources, effort and focus — both initial and ongoing. It is the ongoing part that determines whether you’ll still have a SOC in three years!”
  • “One of the challenges that plague organizations that purchased many security tools [for SOC] is making the set of tools into a coherent whole. Having to check diverse tools in a disjointed manner saps analyst efficiency and allows threats to slip in and survive in the environment undetected.”

Enjoy the paper! [Gartner GTP access required]. If you read it, please provide feedback at
