D3 recently teamed up with Virtual Intelligence Briefing (ViB), an online community of more than one million technology professionals, to conduct a detailed survey about how SOAR technology is used and perceived by the people on the front lines of cybersecurity.
Our sample included hundreds of security professionals at large organizations in a wide range of industries. Their responses told us a number of interesting things about SOAR in the real world, and you can find five of those takeaways in the article below. Or if you want to get all of the insights from the survey, download the entire report here.
Awareness of the benefits of SOAR is way ahead of the level of implementation.
Only 16.8% of our sample had implemented SOAR in their organization, and that was in a sample that already excluded organizations that had no interest in it at all. Despite this low level of actual implementation, acknowledgement of the benefits of SOAR is quite widespread. Every question in our survey about the potential value of SOAR received an overwhelmingly positive response.
SOAR has met or exceeded expectations for those that have implemented it.
Among the group that had implemented SOAR, fewer than 4% of respondents said that their SOAR project did not solve their primary pain point. Also, fewer than 4% disagreed with the statements that SOAR had resulted in faster and higher quality incident response and investigations. There were many encouraging findings like this in the survey that reflected a high level of satisfaction among the respondents who had implemented SOAR. When asked what advice they would give to someone considering implementing SOAR, one respondent wrote, “You should definitely get it! It has been an amazing transition!”
Lack of human resources and skills is the leading driver of SOAR implementation, but almost no one intends to use SOAR to reduce headcount.
With the widespread cybersecurity skills gap, it is natural to ask if companies are looking to SOAR as a way to operate their SOC with less employees. In our sample, this was not the case. Only 4.8% saw reducing headcount as the most significant benefit of SOAR. Hopefully this finding puts security folks at ease. Automation isn’t viewed as a replacement for human analysts, but rather as a tool to reduce overwhelm, supplement skills, and allow people to focus on tasks that require their expertise. One respondent spoke to this directly in their written response, saying the primary driver for their SOAR project was “freeing up our talent to focus on more complex situations.”
Scripting integrations and runbooks is a significant concern.
60.4% of the organizations that implemented SOAR had the skills to internally handle scripting integrations and runbooks. However, this was only true for 29.3% of those that have not implemented SOAR, suggesting that organizations that lack internal scripting abilities struggle to get their SOAR project off the ground. If this conclusion is accurate, a SOAR platform that handles scripting of integrations and runbooks/playbooks primarily in the back end should be an easier sell to most potential customers.
High levels of automation are rare, but zero automation is even more rare.
11.7% of respondents reported high levels of security automation in their organization, but only 4.1% reported no security automation. This shows that most SOCs are already using some automation, so there is no significant categorical objection to this type of technology. However, there is a massive gulf between the amount of organizations using some automation and those using a lot of automation. Our survey did not reveal why this might be. It is possible that security leadership is comfortable with automating some processes but is still not entirely willing to trust automation with most processes.
Download the Full Survey Report
You can get the complete survey report from our Resource Hub. You’ll receive the complete set of data, along with detailed analysis of each response, and plenty of firsthand comments from security professionals who have implemented SOAR or are planning to soon.
