SANS points out that staffing is the biggest challenge for SOC even as AI becomes widespread

AI News


According to the SANS Institute, the lack of skilled staff is the biggest operational challenge facing security operations centers (SOCs) today, but practitioners and leaders have different perceptions of hiring needs.

of 2026 SANS SOC Survey The study is based on interviews with 444 IT and security professionals actively working in surveillance or security operations (SecOps) roles, as well as an additional 69 CISOs and senior security executives.

It found that 14% of practitioners cited staffing as their main challenge. Top rated answer. However, more than half (59%) of the “cyber leaders” interviewed claimed that their executives actually pay close attention to the needs of SOC recruitment and retention. In contrast, only a third (32%) of practitioners said so.

“This 27-point difference has persisted every time this question has been asked,” the report said.

“Managers explain intent and practitioners explain outcomes. Both accurately describe different parts of the same decision-making process, and the distance between them creates retention issues.”

Read more: AI SOCs still need SOC analysts, security vendors say

But there is more agreement on the challenges facing SOCs than either side realizes.

One-fifth (22%) of cyber leaders admit that management listens to staffing requests but does not understand the urgency, and 14% say management is not involved at all with the SOC’s staffing needs.

Although SIEM is the most sought-after skill in employment and nearly twice as in-demand as EDR, most day-to-day SOC responses come from endpoint security alerts (86%) rather than SIEM alerts (78%).

AI is permeating the SOC

The study also revealed the extent to which AI is impacting SOC. Although 79% of respondents said they use AI or machine learning (ML) tools, only 36% have incorporated them into defined SOC workflows.

The most common approach is to use existing vendor tools without customization (38%). Only 31% customize existing tools and 20% build their own.

“Analysts are reaching out to AI tools independently, often without an established organizational structure for how they use, validate, or manage AI tools,” the report said. “This is not surprising given how quickly the technology came along, but it certainly points to a maturity gap with operational risks.”

SANS warned that using AI in an unstructured manner can be inefficient and produce unverifiable results. A human in the loop is still essential to interpreting the tool’s output, the company said.

“Most SOCs should start by identifying vendor-provided AI tools that address documented capability gaps, deploy them operationally, and measure results against existing metrics,” the report continues.

“Once the obvious use cases are covered, organizations can consider customization and, where warranted, purpose-built solutions.”

Maturity and coverage gap

This report also highlights several other challenges facing SOCs today.

  • Cyber ​​threat intelligence (CTI): 74% of cyber leaders use CTI for SecOps and threat hunting. But only a quarter (26%) use it to inform their budget and spending priorities.
  • OT/IoT coverage: Less than half (45%) of respondents fully or partially monitor their OT/IoT computing assets through a SOC. SANS warned that the gap will become even more acute as these deployments increase.
  • Measurement: “Number of Incidents Handled” has been the top reported SOC metric for 10 consecutive years. However, because it measures volume rather than value, it means that SOCs cannot effectively demonstrate business impact.



Source link