“Lack of organization-wide visibility is the biggest obstacle to effective security operations”
24% of cyber security leaders identify limited visibility as the main barrier to SOC effectiveness
For SOC teams, the visibility issue translates into a daily reality of large volumes of alerts that are not interconnected, along with a lack of shared context to respond quickly and effectively to threats. While most organizations have the necessary security tools, integration between these systems is often lacking.
“Visibility keeps coming up in this research because it is genuinely difficult to solve,” says Christopher Crowley, Senior Instructor at SANS Institute. “Most organizations have the right tools. The challenge lies in creating a coherent overview across teams that each have their own priorities.”
Persistent Gap Between Management and the Frontline
The research also shows that there is a significant perception gap between executives and SOC staff. For instance, 59% of cyber security leaders say that management pays a lot of attention to recruiting and retaining SOC personnel. Among security professionals on the ground, only 32% share that opinion.
This gap of 27 percentage points has proven persistent and has been visible in every year this question has been asked. As a result, decisions regarding recruitment and personnel retention are often made by executives who have a significantly more positive view of the situation than the professionals who are responsible, day to day, for executing security operations.
Threat Intelligence Remains Primarily Operational
There is also a gap at the strategic level. While 74% of cyber security leaders use threat intelligence for security operations and threat hunting, only 26% use this information to support budget and investment decisions.
Consequently, the same threat insights that guide analysts' daily work play only a limited role in strategic choices regarding future investments and priorities.
“These patterns are not new,” Crowley states. “What this research adds is ten years of data showing that little change has occurred. Organizations that manage to close this gap treat these issues as concrete operational problems rather than general management challenges.”
Human Capital as the Biggest Funding Challenge
Although 75% of cyber security leaders indicate that management understands that technology is only effective when supported by qualified professionals, practice proves more difficult. This same group identifies human capital as the biggest limitation in funding cybersecurity priorities.
The results suggest that many organizations recognize the importance of personnel but struggle to translate this belief into budgets and investments. Thus, the availability of qualified staff remains one of the key factors for the success of modern security operations.
About the Research
The SANS SOC Research 2026 is based on responses from 444 security operations professionals and an additional survey among 69 CISOs and senior security executives. The research maps the development of SOC programs, operational challenges, and investment priorities for the tenth consecutive year.
About SANS Institute
SANS Institute was founded in 1989 as a cooperative research and training organization. Today, SANS is the most valued and by far the largest source for cybersecurity training and certifications for security professionals within government and commercial organizations worldwide. Renowned SANS instructors offer more than 60 different courses online and live during over 200 cybersecurity training events.
Additionally, SANS professionals develop and maintain the largest collection of research documents in the field of information security, which is freely accessible.
SANS Institute also manages the Internet Storm Center, the international alert system for cyber threats. The core of SANS Institute is formed by the many security specialists, representing various global organizations, who collaborate to assist the infosecurity community. For more information: www.sans.org.