Blog by: Sjoerd Pellegrom

Increasing the grip on one’s SOC maturity has many benefits for an organization. When performed well, the improvements can not only assist in increasing the maturity, but it has a reach far beyond that. Once wellaligned with the business, it can be beneficiary to the organization as a whole. In the tips below, we discuss some important matters to keep in mind in achieving just that


Why is this important? A Security Operations Center (SOC) performs various services with the goal to protect an organization’s assets, by performing activities like security monitoring, threat intelligence and vulnerability management. Often it is seen that a SOC is regarded as a part of the IT department. Unfortunately, this perception greatly limits the reach of the SOC’s service.  

Ideally, SOC (Security Operation Center) services the organization in pro-active monitoring and detecting intrusions, also in responding and take the correct measures to mitigate. The key is to synchronise the services to the business drivers to add value in protecting the business goals.

Business drivers are the key inputs and activities that drive the operational and financial results of a business. When the business drivers are defined, the SOC can translate these into their goals. It is strongly advised to draft a ‘statement of success’, as this concretely states when the SOC is successful. This offers pragmatic milestones to work towards and it gives a well measured overview of the status so far.  

Naturally, it is important that the SOC and the organization align their expectations, needs and business goals regularly in order to create a smooth collaboration between the two parties. This does not only mean that there is an initial moment to set goals as discussed earlier, but also to reflect on the results so far and adjusting the course if needed. This process increases the effectiveness and efficiency of achieving the organization’s goals. 


When translating business risks into use cases the security specialists play a big role. They create use cases based on best practices, their experience and trend analyses within their own activities. Use cases can be seen as a set of rules or events that will trigger a warning in the form of an alert. This alert is then sent to the SOC for further investigation by a security specialist.  

These use-cases can be of immense value and contribute to adequately protecting the organization. Experience shows, however, that they are not always aligned with an organization’s risks. In this situation, the SOC only has a limited role in contributing to the business goals. 

When designed well, the use cases can contribute to the business goals. However, this requires a lot of expertise. For instance, it is vital that there are persons within the security organization are skilled at translating business risks into technical security measures. For this reason, these persons must master both the business and technical language, as they function as the bridge between the business lines and the SOC. Moreover, they help the information security team with the risk assessments and advise on the services the SOC can deliver to mitigate a risk. Therefore, the persons who occupy this role need extensive knowledge about the SOC service catalog.  

When the above-mentioned requirements are met and the business lines and the SOC align the risk management process, the SOC can adequately mitigate the risks identified by the business lines. SOC reports on the implemented use cases will support the information security team to accurately measure the effectiveness of their SOC services and therefore the business risks.  


To ensure the maturity level of the SOC is continually improving, a SOC maturity assessment is advised to be performed on a regular basis. At Northwave we use the Security Operations Centre Capability Maturity Model (link) (SOC-CMM) to measure and improve the capability and maturity level of our own SOC, and the Security Operation Centres of our clients.  

The SOC-CMM tool is used to measure the maturity level and technical capabilities of a SOC. It assesses 5 domains in which a SOC is set up: Business, People, Process, Technology and Services. The domains ‘business’, ‘people’ and ‘process’ focus on the Governance and overall organizational set up of your SOC department and services. The technology domain defines the maturity of the technology used to provide the SOC service. It also measures if the organization is in control with regards to the defined technical and functional responsibilities. Finally, the Services domain indicates if the provided SOC services are assessed on completeness and expected service delivery.  

Taking the assessment regularly gives several benefits: 

  • A periodic check on the achievements of the improvement goals of the SOC. 
  • Accurate insight in the maturity level compared to benchmarks or industry standards. 
  • Accurate insight in the improvement of the SOC maturity over time. 
  • A concrete roadmap to improve the SOC’s maturity in the designated improvement period.  

The maturity assessment yields an extensive overview of the maturity and capability of the SOC. The findings can be translated into a concrete roadmap to adequately improve the maturity and capability of the SOC, with taking just the right improvement steps. It is advised to involve various employees in the assessment. Interviewing people from the operational as well as the technical departments provides the most accurate and holistic view of the current status of the SOC maturity. 

Take aways:

Getting grip on one’s SOC maturity starts by setting up a well-organized process with the needed steps included. The initial action to take is to identify the business drivers and translating them into SOC goals as to align the two parties. Next, the risks of the organization should be translated into use cases and last but not least: repeat, repeat, repeat! By having these necessary processes set up, a method of managing the overarching goals will be achieved. In addition, the risks will be managed in a repeating manner so that even when your course changes, you will still be working on a safe digital journey.