
Staffing Remains the Leading Challenge for SOCs Despite AI Proliferation, According to SANS


Operational Challenges in Security Operations Centers: Insights from the SANS Institute Report

According to the recent 2026 SANS SOC Survey, a critical challenge continues to plague Security Operations Centers (SOCs): the shortage of skilled personnel. This is consistent with widespread feedback from professionals in the field, although practitioners and executives differ in how they perceive hiring needs.

The survey, which drew on interviews with 444 IT and security professionals in monitoring or Security Operations (SecOps) roles, along with 69 Chief Information Security Officers (CISOs) and senior security executives, revealed notable differences in viewpoint. While 14% of the practitioners identified staffing as their primary hurdle, a significant 59% of the cyber leaders interviewed asserted that management is attentive to SOC hiring and retention. The contrast is stark: only 32% of practitioners feel that management genuinely understands the urgency of their staffing needs.

The report highlighted this discrepancy, observing, “That 27-point gap has persisted across every year this question has been asked.” The persistence of the gap points to a fundamental misalignment in perception: executives describe their intentions, while practitioners describe the outcomes they experience. The report suggests that this space between the two perspectives may itself be feeding retention problems within SOCs.

Interestingly, roughly a fifth of the cyber leaders acknowledged a disconnect: 22% admitted that while management listens to retention requests, it often fails to grasp the urgency behind them. A further 14% stated that their management is entirely disengaged when it comes to addressing SOC staffing requirements. Closing this gap is a prerequisite for organizations that want to improve how their SOCs actually operate.

In hiring, Security Information and Event Management (SIEM) skills emerged as the most sought-after expertise, with demand for SIEM knowledge nearly double that for Endpoint Detection and Response (EDR). It is worth noting, however, that endpoint security alerts are the primary source of daily SOC responses (86%), ahead of SIEM alerts (78%). The mismatch suggests that hiring criteria should be aligned more closely with the alert sources analysts actually work from day to day.

The Role of AI in Modern SOCs

The survey also delved into the increasing influence of artificial intelligence (AI) within SOCs. A substantial 79% of respondents affirmed their use of AI or machine learning (ML) tools, but a mere 36% have successfully incorporated these technologies into structured SOC workflows. The predominant approach remains the application of pre-existing vendor tools without any significant customization—38% of respondents fall into this category. Only 31% are customizing existing tools, while a modest 20% report developing their own solutions.

This individualized approach to AI tool usage, often lacking organizational structure, poses risks. The report articulated these concerns, stating, “Analysts are reaching for AI tools individually, often without organizational structure around how they are used, validated, or governed.” This operational inconsistency points to a maturity gap that could undermine the efficacy of AI in the SOC. SANS urged organizations to adopt a more structured approach, emphasizing that a human must remain in the loop to interpret the outputs generated by AI tools.

The report advised that the most prudent starting point for SOCs would be to identify vendor-supplied AI tools that address documented capability gaps, operationalize them, and measure their effectiveness against existing metrics. Once basic use cases are addressed, organizations can contemplate further customization and, where applicable, develop specialized solutions.

Addressing Maturity and Coverage Gaps

Beyond staffing and AI implementation, the SANS report spotlighted several additional challenges confronting today’s SOCs. For instance, a striking 74% of cyber leaders reported using Cyber-Threat Intelligence (CTI) for SecOps and threat-hunting purposes. However, only 26% of organizations leverage this intelligence to inform budget and spending decisions, indicating a missed opportunity for strategic resource allocation.

Furthermore, when it comes to Operational Technology (OT) and Internet of Things (IoT) coverage, fewer than half (45%) of respondents indicated that they fully or partially monitor these critical computing assets through their SOC. This oversight is likely to become increasingly significant as the deployment of OT/IoT systems expands.

Finally, the report critiqued the prevailing metric for measuring SOC efficacy: “number of incidents handled,” which has been the predominant metric for a decade. This metric focuses on volume rather than value, rendering it insufficient for demonstrating tangible business impact.

In summary, the 2026 SANS SOC Survey paints a nuanced picture of the operational challenges faced by SOCs today. From staffing shortages and the role of AI to strategic resource allocation and effective measurement, organizations are urged to address these multifaceted issues to enhance their cybersecurity frameworks and operational resilience.
