
In this Q&A article, Kaspersky GM for sub-Saharan Africa Chris Norton explains why security operations centres (SOCs) are becoming a boardroom priority.
What is a SOC, and should CEOs care, or is it just for CIOs?
Cyberthreats are now constant, fast-moving and increasingly sophisticated. And cybersecurity has become a core business requirement that helps companies maintain trust and stay operational.
A SOC – pronounced “sock” – is the function responsible for continuously monitoring, detecting, analysing and responding to threats across an organisation’s IT environment. In practical terms, a SOC combines skilled analysts with advanced technologies to identify suspicious activity and stop incidents before they escalate.
A serious breach – whether ransomware, prolonged downtime or data loss – can trigger a cascade of financial and reputational damage. Compared to those risks, investment in a SOC is less about cost and more about resilience. This is why SOCs should be on the CEO’s radar.
What should organisations consider before building a SOC?
Kaspersky’s global study, involving senior IT security specialists, managers and directors from companies with 500 or more employees, showed that high capital costs were among the top difficulties mentioned by respondents (33%) for building a SOC. Many organisations struggle with evaluating SOC effectiveness (28%), as this often involves a wide range of KPIs.
Additionally, companies grapple with managing complex security solutions (27%) and integrating multiple systems and technologies (26%). A quarter of organisations also point to a lack of expertise, both among existing employees (25%) and in the external labour market (25%).
The key to overcoming these challenges is strategic clarity. Companies need to define objectives, processes and milestones from the outset. A SOC should not be built as a collection of tools, but as a structured capability aligned with business risk. For organisations lacking in-house expertise, partnering with managed detection and response (MDR) providers, such as Kaspersky MDR and Incident Response, or using SOC consulting services can accelerate maturity and close critical gaps.
How is AI changing modern SOCs?
AI is increasingly seen as a force multiplier: it enhances threat detection by analysing vast volumes of data, identifying anomalies and flagging suspicious behaviour more quickly than human analysts alone. It also enables automation of routine responses, allowing predefined actions to be executed rapidly.
Kaspersky provides a comprehensive suite of AI-powered tools across its B2B portfolio to meet the rising demand for timely detection of more advanced threats, while also making our solutions more efficient and user-friendly.
One good example is the AI Analyst in Kaspersky MDR, which helps to reduce the workload of SOC teams by automatically filtering out false positives, allowing experts to respond to threats faster and avoid burnout. Another solution – the Kaspersky Security Information and Event Management (SIEM) platform – features an AI-enabled mechanism for detecting potential account compromise, enhanced data integrity and improved customisation. Recently, this solution was enhanced with an AI capability to identify signs of DLL (dynamic link library) hijacking.
What defines an ideal SOC?
An effective SOC is built on integration, visibility and usability. It ensures continuous 24/7 monitoring and full visibility across networks, endpoints and cloud environments. Systems must work seamlessly within the existing IT environment, allowing analysts to access and correlate data from multiple sources through a unified interface.
Strong threat intelligence integration is also critical. Kaspersky SIEM, for example, enriches security events with up-to-date threat data, which helps teams prioritise risks and respond more effectively. This solution provides access to more than 800 pre-configured detection rules, which are updated quarterly with MITRE mapping and response guidance – all developed by the Kaspersky SOC team.
AI-enhanced analytics play an important role in identifying suspicious activity across infrastructure, improving detection accuracy and reducing noise. This, in turn, helps organisations respond faster and minimise the impact of incidents.
Ultimately, the goal is not just technical sophistication but operational efficiency, which means enabling teams to detect, understand and act on threats with speed and confidence. Skilled analysts remain at the core of any SOC. Technology provides insights, but human judgment is needed to interpret context, make decisions and guide response strategies.
Finally, flexibility and scalability should be mentioned. Many organisations now favour hybrid or outsourced SOC models, reflecting the difficulty of maintaining all capabilities in-house. The ability to scale operations and incorporate external expertise is important.
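As an added illustration (not code from this article and not Kaspersky’s own implementation), the Python sketch below shows in working form the two mechanisms the answers above describe only in outline: enriching events against a threat-intelligence feed and ranking the resulting alerts with MITRE ATT&CK technique mapping, and a heuristic rule for the DLL search-order hijacking signal mentioned in the AI answer, with an allowlist that tunes out a known false positive. The feed, the DLL list, the allowlist, the scores and the sample events are all constructed for the demonstration; the technique IDs are the standard ATT&CK identifiers for DLL search-order hijacking and application-layer C2.

```python
"""Toy SIEM-style pipeline: enrich, detect with MITRE-mapped rules, suppress, prioritise.

Added example; all data below is constructed and not taken from any real product or feed.
"""
from dataclasses import dataclass, field

# Constructed threat-intel feed: indicator -> (threat name, confidence 0-100)
THREAT_INTEL = {
    "203.0.113.7": ("SampleC2-Infra", 90),
    "evil-update.example": ("SamplePhishingKit", 70),
}

# Windows DLLs that a process should only load from the system directories (constructed, partial).
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wlbsctrl.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Tuning allowlist: a vendor application known to ship its own version.dll (constructed).
# Without this entry the rule would fire on every start of that application, a classic false positive.
DLL_ALLOWLIST = {("c:\\program files\\vendor app\\app.exe", "version.dll")}


@dataclass
class Alert:
    rule: str
    technique: str          # MITRE ATT&CK technique ID
    score: int              # used for prioritisation in the analyst queue
    event: dict
    intel: list = field(default_factory=list)


def enrich(event: dict) -> list:
    """Attach threat-intel hits for any indicator field present in the event."""
    hits = []
    for key in ("dst_ip", "dst_host"):
        value = event.get(key)
        if value in THREAT_INTEL:
            name, confidence = THREAT_INTEL[value]
            hits.append({"indicator": value, "threat": name, "confidence": confidence})
    return hits


def rule_dll_hijack(event: dict):
    """Sign of DLL search-order hijacking (T1574.001): a system DLL loaded from a non-system path."""
    if event.get("type") != "image_load":
        return None
    path = event["dll_path"].lower()
    name = path.rsplit("\\", 1)[-1]
    if name in SYSTEM_DLLS and not path.startswith(SYSTEM_DIRS):
        if (event["process"].lower(), name) in DLL_ALLOWLIST:
            return None  # known-good vendor behaviour, suppressed
        return ("System DLL loaded outside system directory", "T1574.001", 60)
    return None


def rule_intel_hit(event: dict, intel: list):
    """Network event to a known-bad indicator (T1071); score follows feed confidence."""
    if event.get("type") == "network" and intel:
        return ("Connection to known-bad indicator", "T1071",
                max(hit["confidence"] for hit in intel))
    return None


def run(events: list) -> list:
    """Enrich every event, apply the rules, and return alerts highest priority first."""
    alerts = []
    for event in events:
        intel = enrich(event)
        for result in (rule_dll_hijack(event), rule_intel_hit(event, intel)):
            if result:
                alerts.append(Alert(result[0], result[1], result[2], event, intel))
    return sorted(alerts, key=lambda a: a.score, reverse=True)


# Constructed sample telemetry (Sysmon-like image-load and network events).
SAMPLE_EVENTS = [
    {"type": "image_load", "host": "ws01", "process": "C:\\Users\\bob\\Downloads\\tool.exe",
     "dll_path": "C:\\Users\\bob\\Downloads\\version.dll"},          # hijack candidate
    {"type": "image_load", "host": "ws01", "process": "C:\\Windows\\explorer.exe",
     "dll_path": "C:\\Windows\\System32\\version.dll"},              # legitimate load
    {"type": "image_load", "host": "ws02", "process": "C:\\Program Files\\Vendor App\\app.exe",
     "dll_path": "C:\\Program Files\\Vendor App\\version.dll"},      # allowlisted vendor app
    {"type": "network", "host": "ws01", "process": "tool.exe", "dst_ip": "203.0.113.7"},   # intel hit
    {"type": "network", "host": "ws03", "process": "chrome.exe", "dst_ip": "198.51.100.5"},  # benign
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(f"[{alert.score:3d}] {alert.technique} {alert.rule} on {alert.event['host']}")
```

Run stand-alone, it emits two alerts: the connection to the listed indicator ranks first because the feed’s confidence drives its score, and the version.dll load from a Downloads folder ranks second; the vendor application’s identical-looking load is suppressed by the allowlist, which is the kind of tuning that keeps false positives out of the analyst queue.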
What is your key advice to business leaders?
Focus on outcomes. The value of a SOC is not measured by the technology deployed, but by the organisation’s ability to detect and respond to threats effectively. Whether built internally or delivered through a partner, a SOC should ultimately strengthen resilience. Return on investment in cybersecurity is about protecting continuity, enabling growth and operating with confidence.
