‘Busywork’: still one of the biggest issues in the SOC…

By Kirsty Paine, Field CTO & Strategic Advisor, Splunk.

Wednesday, 24th September 2025. Posted by Phil Alsop.

In the security operations centre (SOC), speed is survival. Yet busywork often takes away critical time from stretched security analysts who are qualified for much more than mere data wrangling. Some SOC cultures incentivise teams to focus on low-impact tasks that provide quick wins and instant gratification, as opposed to progressing priorities that have a great impact across an organisation's security posture.

Shockingly, nearly half (46%) of the 2000 security professionals surveyed in Splunk’s ‘State of Security 2025: The Smarter, Stronger SOC of the Future’ report claim they spend more time configuring and troubleshooting tools than actually defending the organisation.

Part of the problem is cultural and part is psychological. Busywork steals time from already-stretched experts, who are left playing digital housekeeper instead of investigating and responding to threats. Being deliberate about what to do - and what not to do - is crucial to changing this mindset and improving security posture.

Where do SOCs slow to a crawl?

Here are three of the biggest time traps in the SOC:

Getting data in order

Getting data into a SIEM (not to mention into a usable format) can be laborious. Manual formatting and normalisation isn’t just parsing logs: requesting data from other teams, extracting fields by hand and testing across multiple log types are all slow work.

We know this is important work; having easy access to the right data in the right place is non-negotiable when threats are time-sensitive. Over half (57%) of those surveyed in the State of Security 2025 say they’ve lost valuable investigation time due to gaps in data management strategies.

It’s a step that can’t be skipped, but we can reduce the time drain. Use out-of-the-box (OOTB) features in your tooling to make onboarding quicker, get leadership to unblock data-sharing issues between teams, and prioritise the data you bring in so that you do what’s important, not what’s quick.

Tool maintenance

Maintaining tools is another major pain point, with 59% of survey respondents naming it the number-one source of inefficiency. But not all tool maintenance work is created equal.

Some tool-related tasks serve to preserve basic functionality: an admin patching a security update to a platform, resetting a rickety on-premise instance after yet another outage, or removing a new but noisy detection that is blasting the SOC. Other tool tasks, such as building new playbooks, leveraging new content packs, or fine-tuning detections, can build net-new capability and resilience.

Tooling has changed over the years, and the maintenance burden should have got lighter, not heavier, as vendors offer more features, hosting (SaaS) and more OOTB content. Keep up to date with what is on offer to minimise unnecessary lift, and for the work you can’t avoid, agree SLAs with stakeholders to ensure appropriate resources are allocated to keeping the tool performing. Additionally, leaning on strategies like detection-as-code can help boost efficiency and scale.

Handling alerts

Alerts are the lifeblood of the SOC, but their volume and poor quality can also suffocate it. False positives drain time, add to mental load and waste valuable attention. After consistently dealing with false positives and huge volumes, teams never reach the highest priorities, and often simply ignore alerts.

Our survey found that 55% of respondents experience too many false positives, and, unsurprisingly, 47% cite alert-related issues as a primary source of inefficiency. Make tuning detections someone’s responsibility by creating a dedicated function or role. You can either train analysts to improve or validate detections themselves as part of closing a ticket, or open feedback channels so analysts can easily share their experience with detection engineers.
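As an added illustration of the detection-as-code approach mentioned under tool maintenance and of tuning a noisy detection rather than removing it, here is example code written for this article (not Splunk’s tooling); the rule, the service-account name and the sample events are all constructed:

```python
# Added example, not from the article: a minimal detection-as-code pattern in which
# a detection, its tuning (documented benign exceptions) and a regression set of
# constructed sample events live together as versioned code. Tuning a noisy rule then
# becomes a reviewed change that the tests guard, rather than ripping the rule out.
from dataclasses import dataclass, field


@dataclass
class Detection:
    name: str
    match: dict                                   # field -> value the event must have
    suppress: list = field(default_factory=list)  # field->value dicts for known-benign activity

    def fires(self, event: dict) -> bool:
        if any(event.get(k) != v for k, v in self.match.items()):
            return False
        # Tuning: an event matching any documented benign pattern is suppressed.
        return not any(all(event.get(k) == v for k, v in s.items()) for s in self.suppress)


# The rule as first deployed: fires on every scheduled-task creation ...
NOISY = Detection("schtasks-create", {"event": "schtasks_create"})
# ... and after tuning: same logic, with a hypothetical patch-management service
# account (assumed name) documented as benign instead of the whole rule being removed.
TUNED = Detection("schtasks-create", {"event": "schtasks_create"},
                  suppress=[{"user": "svc-patchmgmt"}])

# Constructed sample events, not real telemetry.
EVENTS = [
    {"id": "e1", "event": "schtasks_create", "user": "svc-patchmgmt", "host": "ws-01"},
    {"id": "e2", "event": "schtasks_create", "user": "svc-patchmgmt", "host": "ws-02"},
    {"id": "e3", "event": "schtasks_create", "user": "jdoe", "host": "ws-03"},
    {"id": "e4", "event": "logon", "user": "jdoe", "host": "ws-03"},
]


def run(det: Detection, events: list) -> list:
    """Return the ids of the events the detection fires on."""
    return [e["id"] for e in events if det.fires(e)]


def regression_ok(det: Detection, events: list, must_fire: set, must_not_fire: set) -> bool:
    """True when every known true positive still fires and every known false positive stays silent."""
    fired = set(run(det, events))
    return must_fire <= fired and not (must_not_fire & fired)


if __name__ == "__main__":
    print("noisy:", run(NOISY, EVENTS))  # e1, e2, e3: the service account fires on every host
    print("tuned:", run(TUNED, EVENTS))  # e3 only: the analyst-worthy event survives tuning
```

Checking a tuning change into version control alongside `regression_ok` means a later edit that silences `e3` fails review, which is the scaling benefit the article attributes to detection-as-code.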

Reimagine success: Build a culture that values quality over quantity

Alongside the inefficiencies, SOCs also need to address the cultural and psychological problems they face. It feels good to do ‘busywork’ tasks. After time off, many of us start with easy tasks to shrink the inbox and chase a quick dopamine hit, which may feel good but won’t be the most impactful in the long run.

A shift in thinking and incentivisation needs to happen, with organisations and SOCs recognising that busyness isn’t productivity, and it doesn’t equate to risk reduction.

It’s time to reimagine what success looks like in the SOC. This means security leaders should resist rewarding activity over strategy, avoid kudos for low-value work, and start pushing back on presenteeism. Instead, reward output. Highlight teams that stay focused on meaningful, strategic work that builds maturity and actually future-proofs operations. There are a few ways to achieve this:

Step one: Measure what matters

Metrics like MTTD and MTTR are useful for communicating posture, but they’re blunt instruments. They don’t fully capture SOC goals such as detection strength or investigative depth.

In the race to improve those MTT* numbers, some leaders inadvertently incentivise closing as many tickets as possible, as quickly as possible. That nudges analysts toward easy tickets and a quantity-over-quality mentality. It doesn’t build resilience either, because these are easy jobs that can (and should) be done by automation. You can close hundreds of low-priority tickets and wake up to the same risk tomorrow.

Leaders should redefine what meaningful output is and, most importantly, recognise analysts for producing it. This could be implementing a new frictionless process, building an automation playbook, refining a detection or running a proper wash-up after an incident; it is certainly not the volume of tickets closed.

Step two: Automate routine tasks

If a workflow follows the same repeatable steps every time, automate it and free up your people for higher-value tasks. For example, phishing investigations are a prime candidate for automation: they are fairly predictable, high-volume, and need to be handled without delay.

In 2025, no analyst should be manually investigating phishing when the process is so basic and the response so standard.

Automating predictable tasks creates breathing room for teams that are stretched, allowing them to strategise, pursue training to uplevel skills, and work on materials to improve their future responses. Rather than worrying about being ‘replaced’, staff should be able to recognise automation as helping them perform smarter, more fulfilling tasks - probably the work they were hired for in the first place.

Step three: Re-evaluate the high-level initiatives

Technology evolves quickly; programmes launched a few years ago may no longer deliver meaningful value. To set the right focus, ensure everyone in the SOC understands the organisation’s most critical services and processes. That clarity helps identify the true crown jewels, and strengthens overall resilience.

Put purpose back into the SOC

Freeing teams from routine, low-impact work doesn’t just save time. It restores purpose, reduces burnout and enables analysts to concentrate on what genuinely strengthens security.

By revisiting priorities, embracing thoughtful automation and redefining success, security leaders can build a culture that empowers teams to defend smarter.
