Strengthening cyber resilience with Security Operations Centres
Written by Merle Maigre, Head of Cybersecurity Competence Centre at the e-Governance Academy
With cyber threats growing in sophistication and scale, organisations must rethink their strategies to safeguard digital assets and operational continuity. Security Operations Centres (SOCs) stand at the forefront of this effort, acting as centralised hubs where cybersecurity professionals monitor, manage and mitigate threats.
A SOC can be compared to an organisation’s physical security system, only more elaborate: it guards the organisation’s perimeter against intruders, alerts staff to suspicious activity and takes action when something goes wrong.
The rise in cyber threats – estimated to have grown by 25% annually over the past half-decade – has amplified the importance of SOCs. Acknowledging that importance is only the beginning: understanding the increasing complexity of cyber threats, and taking the essential steps required to build and sustain effective cybersecurity infrastructures, are the rest of the roadmap to effective cyber defence.
It goes beyond alert management
Traditionally, SOCs were seen as entities that handled alerts, but the scope of their operations has expanded significantly. Beyond alert handling, a modern SOC is becoming a safety net that works 24/7, ensuring that organisations can operate without disruption.
Building an infrastructure that anticipates attacks and stops attackers before their efforts escalate is key. This means employing advanced analytics, integrating threat intelligence from multiple sources, and maintaining a strong connection between SOC teams and organisational leadership so that security strategy and business goals stay aligned.
SOCs today focus on understanding the root causes of threats and pre-emptively mitigating risks.
Leveraging AI for SOC teams
One of the critical advances has been the integration of AI and machine learning into SOC operations. It boosts threat detection, enables predictive analytics and improves the discovery of anomalies. AI-powered tools can analyse patterns across vast datasets to identify subtle indications of an attack – something that might otherwise go unnoticed. Despite design and implementation challenges, automation is crucial.
Automated responses not only reduce the time it takes to contain incidents but also free up human resources to focus on more complex tasks. It is important to keep in mind, though, that technology alone cannot replace skilled professionals. Automation enhances efficiency, but the value of human intuition and expertise in navigating the nuances of cybersecurity remains unmatched. While AI and machine learning can process massive amounts of data quickly, human analysts – who spot anomalies, understand context and make critical judgment calls – are the ones who protect organisations from catastrophic breaches.
Another pressing challenge is the ethical use of AI in cybersecurity. AI provides immense potential for enhancing defence mechanisms, but it also raises concerns about biases and unintended consequences. SOCs must steer through these complexities and ensure that their AI tools are transparent, accountable and compliant with ethical standards.
Building a SOC – people, strategy, technology
Creating a SOC requires proper alignment between technology, talent and organisational objectives. On the organisational side, one of the key considerations is deciding between an in-house SOC and an outsourced model. In-house SOCs provide greater control and alignment with internal processes, while outsourced SOCs offer scalability and access to specialised expertise, which may amplify a SOC’s capabilities.
Nevertheless, a successful SOC always relies on its team, with roles ranging from incident analysts to forensic specialists. The human element is the heart of any SOC. Without skilled and motivated professionals, even the best technology will fall short. A hacker mindset is encouraged – one based on curiosity, continuous learning and the ability to think like an adversary. These are all qualities that make the difference between an average response and truly effective threat mitigation.
SOCs in action, and a dynamic threat landscape
Effective SOCs adapt to respond to emerging cyber threats. As attackers grow increasingly sophisticated, SOCs are adopting advanced strategies to stay ahead.
They are moving from siloed operations to more collaborative ecosystems, where they can draw on shared threat intelligence to counter attacks.
Responding to increased cybersecurity concerns, the governments of Albania, Montenegro and North Macedonia have set out to increase their technical and operational capabilities for large-scale cyber crisis management, through both stronger risk mitigation and better incident response, working with eGA in the EU-supported Cybersecurity Rapid Response projects.
The future of SOCs lies in their ability to act as interconnected nodes in a larger cybersecurity framework. The need is for collaboration across sectors and even between nations; no single organisation or country can tackle cyber threats in isolation. SOCs must then evolve to be both adaptive and collaborative, utilising shared insights to stay ahead of attackers.
Adding to the complexity, the proliferation of hybrid work models on the one hand and Internet of Things devices on the other has expanded the attack surface of organisations. SOCs must therefore remain vigilant, ensuring secure access controls and network monitoring.
Cybersecurity is a shared responsibility, but SOCs are at the centre of this ecosystem. While protecting individual entities, they contribute to the resilience of entire sectors and societies overall. When governments, businesses and communities work together, SOCs can serve as the backbone of a collective defence mechanism in the face of a dynamic threat landscape.
This will ensure a safer digital future for everyone.
Key projects
Cybersecurity Rapid Response 1.0 & 2.0
2022–2024; 2024–2025
The overarching goal of the projects and EU support is to bolster the cybersecurity preparedness, response and incident coordination capacities of Albania, Montenegro and North Macedonia to effectively address large-scale cyber threats.
A key focus of the projects is to enhance the technical and operational capabilities of beneficiaries in managing large-scale cyber crises. Together with eGA, the beneficiaries will increase the operational cyber capacities of their Security Operations Centres and Computer Security Incident Response Teams and improve inter-institutional information-sharing and incident response coordination.
Funded by the European Union.
Challenges and opportunities of the past year
- Governments must invest in the institutional and technical capabilities needed to defend against sophisticated threats. This includes funding cybersecurity initiatives, fostering innovation and supporting research into emerging technologies.
- Building a pipeline of skilled cybersecurity professionals is critical, as is ensuring that existing staff receive ongoing training. More generally, public awareness campaigns can play a significant role in reducing vulnerabilities, particularly those stemming from human error.
- International cooperation must be deepened. The challenges of cybersecurity transcend borders, and collective action is the most effective way to address them. Whether through regional alliances, global forums or bilateral agreements, nations must work together to build a safer digital world.