This blog is the third in a series that explores specific findings from Attackers Don’t Sleep, But Your Employees Need To, a Forrester Consulting study recently commissioned by Pondurance.


How many cybersecurity experts does it take to run a SOC?

That’s not the start of a joke, but rather a sincere question that industry analysts and security vendors might all answer a little differently. But there’s probably one thing everyone knowledgeable about what it takes to staff and maintain a SOC could agree on: it takes significant resources, both in terms of technology and people, to run a SOC.

Let’s back up for a moment and define what a security operations center, or SOC, is. A SOC is “a centralized function operating as first responders for attempted intrusions with responsibilities that include detection, analysis, investigation and response on a 24/7 basis.” (Check out the nifty new infographic with this definition and a few other interesting factoids.) When it comes to staffing a SOC, it takes a combination of highly skilled security analysts, threat hunters and incident responders all working in concert to find, validate and remediate incoming cyberthreats. Supplementing those people with artificial intelligence (AI) certainly helps, but there’s no AI out there smart enough to separate out real threats from the many alerts and false positives that might be detected. Layer in all of the security technologies needed to monitor, detect and respond to threats across networks, logs, endpoints and clouds, and you’re looking at a lot of people

Understanding the significance of a SOC to the overall security posture of an organization, we were interested to know whether small and medium-size businesses (SMBs) today are relying on a SOC to protect their business and people. The Forrester Consulting study, Attackers Don’t Sleep, But Your Employees Need To, asked a few questions related to this:

  • If applicable, which of the following best describes the current state of your security operations center (SOC)?
  • How many employees work for your internal SOC?
  • When does your SOC operate?

The State of the SMB SOC

As we shared when we announced the availability of this study in July, we were impressed to learn that 81% of SMBs surveyed reported being monitored by a SOC; only 19% of the 232 respondents said “We don’t have a SOC at this time”. Not bad!

As the data revealed, it turns out more than 53% of SMBs surveyed ultimately need to rely on an external partner for some or all of their SOC coverage. As a managed detection and response (MDR) services provider protecting our clients with around-the-clock SOC coverage, we were pretty happy to see this response, not just because it reinforces the market opportunity for Pondurance, but because it demonstrates a smart use of security budget by SMBs; they can get so much more cybersecurity protection outsourcing to a partner that can bring best-in-class technologies and a broad security skillset working on their behalf 24 hours a day, 7 days a week, 365 days a year.


On the staffing question, for the 28% of organizations that reported “We staff our own internal SOC”, 64% of them responded that they have 10 or fewer employees staffing the SOC, and almost one-third have 5 or fewer. It’s true that some of the SMBs running their own SOC appear to be well-staffed and we applaud those organizations for recognizing that, to use a corny but apt phrase, it takes a village and many different skills to run an effective SOC. But for those that have 10 or fewer employees staffing their SOC? These are NOT enough resources to operate 24/7 without exhausting those employees.

Hours of Operation

Of the SOC-specific findings in the Forrester Consulting survey, the most concerning is that 57% of respondents reported that their SOC—whether in-house, hybrid or fully-outsourced—operates only during business hours, or extended business hours.

If cybercriminals were asked the question “What are your hours of operation and who are your preferred targets?”, you know what they’d likely say? “We operate 24/7/365 and love to strike on holidays and weekends. SMBs are our preferred targets because they’re usually not as well protected but their money spends the same and their corporate data is just as valuable on the black market.”

Last summer, the Cybersecurity and Infrastructure Security Agency (CISA) put out an Alert, Ransomware Awareness for Holidays and Weekends, in which they stated that, in partnership with the Federal Bureau of Investigation (FBI), they “have observed an increase in highly impactful ransomware attacks occurring on holidays and weekends—when offices are normally closed—in the United States, as recently as the Fourth of July holiday in 2021.” And that’s just ransomware… there are so many other vicious attack vectors.

The Necessity of a SOC

Here’s the thing: a SOC is the way to reduce risk to your organization. Period. A SOC is the right collection of technologies and people–security analysts, threat hunters, threat intelligence and incident response experts—all working together to detect and respond to cyberthreats.

If you’re a SMB and can find the scarce security talent and fund the best-in-class technologies necessary to run a SOC, that’s fantastic! But be sure it operates 24/7, because cyberattackers don’t respect business hours and will strike at the most inopportune times. If you need a partner, however, to provide your organization with 24/7 SOC services, Pondurance can bring you the experts and technologies you need to sock-it! to the bad guys and protect your organization from cybercrime.

Read the other blogs in this series: