Among the primary reasons for establishing a Security Operations Centre (SOC) are strengthening cybersecurity posture, enabling faster detection and response and gaining a competitive edge.
Interestingly, despite the increasing demand for automated cybersecurity solutions, businesses rely on skilled security professionals to make key decisions, as human expertise remains essential for effective security management.
A SOC is a dedicated organisational unit responsible for continuous monitoring and safeguarding of a company’s IT infrastructure. Its core mission is to proactively detect, analyse and respond to cybersecurity threats.
To identify the main drivers, strategic priorities, and potential challenges in SOC planning and implementation, Kaspersky has conducted a comprehensive global study involving senior IT security specialists, managers and directors from companies with 500 or more employees. All participants operate without a SOC but have plans to establish one in the near future. The study spans 16 countries across APAC, META, LATAM, Europe, and Russia, providing valuable insights into the emerging trends and best practices in SOC development worldwide.
Findings reveal that 50% of companies intend to establish SOCs to strengthen their cybersecurity posture, and 45% are motivated by the need to address increasingly sophisticated and dangerous threats. Three further drivers are each cited by 41% of organisations: budget optimisation, the need for faster detection and response, and the growth in software, endpoints and user devices, which demands more comprehensive and layered security measures.
Additionally, 40% seek better protection of confidential information, 39% aim to meet regulatory requirements and one-third (33%) expect SOC capabilities to provide a competitive edge. Larger enterprises tend to cite each of these reasons more often, reflecting the broader operational and regulatory pressures they experience.
Continuous monitoring is the leading SOC requirement
Among the key functions organisations plan to delegate to the SOC, 24/7 security monitoring leads at 54%.
Around-the-clock vigilance enables early detection of anomalies, prevents escalation and sustains cyber resilience in real time. This demand points to a strategic requirement for proactive risk management, as organisations aim to defend against persistent threats that can strike at any moment.
Companies intending to fully outsource SOC operations show a stronger interest in applying “lessons learned” methodologies, whereas those developing internal SOCs focus more on access management to maintain tighter control.
Human expertise drives SOC technology choices
While SOCs rely on advanced technology, the tools organisations plan to adopt show that human analysts remain central to how a SOC operates.
Among the solutions that organisations plan to include in SOC are Threat Intelligence Platforms (48%), Endpoint Detection and Response (42%) and Security Information and Event Management systems (40%) – sophisticated solutions that automate data collection and reduce operational load. However, they depend heavily on skilled security professionals who provide critical context, interpret complex findings and make final decisions when guiding appropriate responses.
Other solutions chosen include Extended Detection and Response (38%), Network Detection and Response (37%) and Managed Detection and Response (33%). Large enterprises tend to adopt more technologies (5.5 per SOC on average), while smaller ones integrate fewer (3.8).
“To successfully build a SOC, companies must prioritise not only the right mix of technology but also the careful planning of processes, clear goal-setting and effective resource distribution. Well-defined workflows and continuous improvement are essential to ensure that human analysts can focus on critical tasks, making the SOC a proactive and adaptable component of their cybersecurity strategy,” comments Roman Nazarov, head of SOC Consulting at Kaspersky.