Inappropriate SOC Metrics Undermine Detection Effectiveness, NCSC Warns
What Happened – The UK National Cyber Security Centre (NCSC) published a blog post explaining how common security‑operations‑centre (SOC) performance metrics, such as tickets processed and time‑to‑close, reward speed over thoroughness. Analysts measured on volume are pushed to close alerts quickly, often as false positives, so genuine detections are missed and alert fatigue sets in.
Why It Matters for TPRM –
- Poorly chosen metrics can mask a vendor’s true security posture, giving a false sense of control.
- Incentive‑driven metric gaming may reduce the effectiveness of outsourced SOC services, increasing residual risk for third‑party environments.
- TPRM programs need to evaluate SOC KPIs, not just SLA compliance, to ensure genuine threat‑detection capability.
Who Is Affected – Organizations that rely on internal or outsourced SOCs across all sectors (finance, healthcare, technology, government, etc.).
Recommended Actions –
- Review SOC contracts for KPI definitions; demand outcome‑focused metrics (e.g., mean time to detect, true‑positive rate) and specify how each is measured: mean time to detect needs the time of the underlying event, not just the alert time, and a true‑positive rate needs an independent ground truth rather than the analyst's own closure verdict.
- Conduct periodic audits of SOC ticket handling: sample tickets closed as false positives and re‑investigate them, so the audit measures whether closures were superficial rather than only whether they were fast.
- Align SOC performance reviews with risk‑based outcomes rather than volume‑based statistics.
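The following script is an added example, not code from the NCSC post or from any SOC tooling, showing how the audit in the actions above can be run over a ticket export. The ticket records, analyst names and timestamps are constructed for illustration. It computes the volume metrics the post warns about (tickets closed, median time‑to‑close) beside outcome metrics that need ground truth from a sampled re‑investigation (false‑positive closure rate, share of audited FP closures that were actually real, mean time to detect), so the divergence between "busy" and "effective" is visible on the same data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Callable, Dict, List, Optional


# Constructed ticket export (hypothetical data, not from any real SOC).
#   event_time : when the suspicious activity happened (log timestamp)
#   alert_time : when the detection fired
#   closed_time: when the analyst closed the ticket
#   verdict    : analyst's closure verdict, "TP" or "FP"
#   audit      : verdict from an independent re-investigation of a sampled
#                closed ticket, or None if the ticket was not sampled
@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    analyst: str
    event_time: datetime
    alert_time: datetime
    closed_time: datetime
    verdict: str
    audit: Optional[str] = None


def _t(hhmm: str) -> datetime:
    """Timestamp on one fixed (constructed) day from 'HH:MM'."""
    hour, minute = hhmm.split(":")
    return datetime(2024, 3, 4, int(hour), int(minute))


# Analyst A closes everything within minutes, almost always as a false
# positive; analyst B takes longer and closes fewer tickets.
TICKETS: List[Ticket] = [
    Ticket("A1", "A", _t("09:00"), _t("09:10"), _t("09:13"), "FP", audit="TP"),
    Ticket("A2", "A", _t("09:05"), _t("09:12"), _t("09:15"), "FP", audit="FP"),
    Ticket("A3", "A", _t("09:20"), _t("09:25"), _t("09:29"), "FP", audit="TP"),
    Ticket("A4", "A", _t("09:30"), _t("09:31"), _t("09:35"), "FP"),
    Ticket("A5", "A", _t("09:40"), _t("09:45"), _t("09:48"), "FP"),
    Ticket("A6", "A", _t("10:00"), _t("10:02"), _t("10:06"), "TP", audit="TP"),
    Ticket("B1", "B", _t("09:00"), _t("09:30"), _t("10:15"), "TP", audit="TP"),
    Ticket("B2", "B", _t("09:10"), _t("09:20"), _t("09:55"), "FP", audit="FP"),
    Ticket("B3", "B", _t("09:50"), _t("10:05"), _t("10:50"), "TP"),
    Ticket("B4", "B", _t("10:10"), _t("10:15"), _t("10:40"), "FP"),
]


def _minutes(delta: timedelta) -> float:
    return delta.total_seconds() / 60.0


# Volume metrics: the ones that can be gamed by closing fast.
def median_time_to_close(tickets: List[Ticket]) -> Optional[float]:
    """Median minutes from alert to closure; None for an empty set."""
    if not tickets:
        return None
    return median(_minutes(t.closed_time - t.alert_time) for t in tickets)


# Outcome metrics: these need ground truth from an independent audit sample.
def fp_closure_rate(tickets: List[Ticket]) -> Optional[float]:
    """Share of tickets the analyst closed as false positives."""
    if not tickets:
        return None
    return sum(t.verdict == "FP" for t in tickets) / len(tickets)


def audited_fp_reversal_rate(tickets: List[Ticket]) -> Optional[float]:
    """Of sampled tickets closed as FP, the share the audit found to be real.
    Returns None when no FP-closed ticket was sampled, never a misleading 0."""
    audited = [t for t in tickets if t.verdict == "FP" and t.audit is not None]
    if not audited:
        return None
    return sum(t.audit == "TP" for t in audited) / len(audited)


def mean_time_to_detect(tickets: List[Ticket], trust_analyst_verdict: bool = False) -> Optional[float]:
    """Mean minutes from event to alert over true positives. By default only
    audit-confirmed TPs count; trust_analyst_verdict=True uses the analyst's
    own 'TP' closures, which is what a SOC without an audit loop reports and
    which silently drops every real incident that was closed as FP."""
    if trust_analyst_verdict:
        real = [t for t in tickets if t.verdict == "TP"]
    else:
        real = [t for t in tickets if t.audit == "TP"]
    if not real:
        return None
    return mean(_minutes(t.alert_time - t.event_time) for t in real)


def per_analyst(tickets: List[Ticket], metric: Callable[[List[Ticket]], object]) -> Dict[str, object]:
    analysts = sorted({t.analyst for t in tickets})
    return {a: metric([t for t in tickets if t.analyst == a]) for a in analysts}


def scorecard(tickets: List[Ticket]) -> Dict[str, Dict[str, object]]:
    """Volume metrics beside outcome metrics, per analyst."""
    return {
        "tickets_closed": per_analyst(tickets, len),
        "median_time_to_close_min": per_analyst(tickets, median_time_to_close),
        "fp_closure_rate": per_analyst(tickets, fp_closure_rate),
        "audited_fp_reversal_rate": per_analyst(tickets, audited_fp_reversal_rate),
    }


if __name__ == "__main__":
    for name, values in scorecard(TICKETS).items():
        print(f"{name:26s} {values}")
    print("MTTD, audit-confirmed TPs:", mean_time_to_detect(TICKETS))
    print("MTTD, analyst verdicts:   ", mean_time_to_detect(TICKETS, trust_analyst_verdict=True))
```

On the constructed data, analyst A leads on both volume metrics (six tickets closed, median 3.5 minutes to close) and would win a throughput league table, while two of the three audited tickets A closed as false positives were real. The reversal rate is the number to put in a contract review; the throughput number is the one the post warns against rewarding.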
Technical Notes – The blog post points out that metric‑driven behaviour can lead to 99 % of tickets being dismissed as false positives, eroding detection depth: a volume metric rewards that outcome and cannot distinguish a justified closure from a superficial one. No specific vulnerability or CVE is cited; the issue is procedural and cultural. Source: NCSC – Could your choice of metrics be harming your SOC?