Busywork Is Breaking the SOC — Here’s How to Fix It
In the SOC, speed is survival. Yet busywork often takes away critical time from stretched security analysts who are qualified for much more than mere data wrangling.
The issue is that some SOC cultures incentivize teams to focus on low-impact tasks that provide quick wins and instant gratification, rather than on the priorities that have the greatest impact on an organization’s security posture.
For example, nearly half (46%) of respondents in State of Security 2025: The Smarter, Stronger SOC of the Future say they spend more time configuring and troubleshooting tools than actually defending the organization. So instead of investigating and responding to threats, analysts are stuck acting as digital housekeepers.
It's time to re-imagine what success looks like in the SOC, from the metrics to the outputs, so the team stays focused on meaningful, strategic work that invests in building maturity and future-proofs the SOC.
Top contributors to SOC bottlenecks
The first step to building a more efficient SOC is identifying the biggest time traps. Splunk’s State of Security 2025 research report points to three key areas of inefficiency:
- Data wrangling. Simply getting the data into a tool like a SIEM (and even more importantly, in a usable format) can be time-consuming. Manually formatting and normalizing data doesn’t simply involve parsing logs, but also requesting data from other teams, extracting fields, and testing across multiple log types. Yet the ability to access the right data in the right place is crucial for SOC teams facing time-sensitive threats. Over half (57%) say they’ve lost valuable investigating time due to gaps in their data management strategies.
- Tool maintenance. Maintaining tools is a prominent pain point for SOC teams, with 59% of State of Security respondents pointing to it as the number one source of inefficiency. Some tool-related tasks do help to maintain basic functionality — for example, resetting a rickety on-premise instance after going offline yet again. Others, like building and refining detections, can drive resilience if done right. Leaning on strategies like detection as code can maximize efficiency, speed, and scale while improving an organization’s security posture.
- Handling alerts. Alerts can overwhelm SOC analysts, but they’re impossible to live without. Too many false positives — which 55% of respondents experience — drain analysts’ time and attention, often forcing them to second-guess or ignore alerts altogether. In fact, 47% cited alert-related problems as a cause of inefficiency in the SOC.
Cultivate a cybersecurity culture built on quality
Busywork can feel good, but it can also be a psychological trap. For example, after some much-needed PTO, most of us start with simple tasks just to shrink the inbox and address low-hanging fruit to get a quick dopamine hit. While it’s comforting and helps to ease one back into work-mode gently, it's typically not the most impactful.
But busyness does not always equal productivity or translate to real risk reduction. Security leaders shouldn’t prize activity over strategy. This means avoiding rewarding busywork or tolerating presenteeism, where people work while unwell but achieve little. For many organizations and leaders, that requires a cultural and mindset shift of what productivity really looks like.
Measure what matters
Metrics like MTTD and MTTR have long been used as a simple way to communicate an organization’s security posture. While important indicators, they are also relatively straightforward benchmarks that don’t fully capture the complex goals of a SOC — for example, the strength of its detections or depth of its investigations.
To improve those MTT* metrics, some SOC leaders will measure and incentivise closing or interacting with as many tickets as possible — and quickly. However, this encourages analysts to favour easy tickets, and a quantity-over-quality mentality. Unfortunately, this doesn’t promote resilience. Analysts can close hundreds of low-priority tickets and the job, and the risk, still looks the same the next day.
Leaders need to shift their view on what it means to create output for the organization, and then recognize analysts for that output. This work should be meatier than simply closing a ticket and performing repetitive tasks. It could include creating an automation, removing friction from a process, refining a detection, or implementing a proper washup after an incident.
Find opportunities for automation
Automation and routine tasks are a match made in heaven. Automate the boring and tedious. When a workflow always includes the same repeatable steps, it’s well-suited for automation.
Phishing investigations are a great place to start because they’re often predictable processes, where delay is a risk and volumes are high. Typically, the standard workflow goes like this:
- Research the artefacts in the email and score it for badness
- Check the firewall logs to see if anyone clicked on the link — and if so, which device was affected
- Block any callouts on the firewalls and then quarantine the affected device(s)
So far, so boring — this is a pretty standard workflow for a true positive, and it is ripe for automation.
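As an added illustration of that three-step playbook (not code from the article or from Splunk), the sketch below automates it end to end: score the email's link artefacts, search firewall logs for devices that reached a flagged host, and emit block/quarantine actions only when the score crosses a true-positive threshold. The known-bad domain list, the firewall log format and the scoring weights are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse
# Constructed sample data (not from the article): a known-bad domain list and
# firewall log lines in a hypothetical "key=value" format.
KNOWN_BAD_DOMAINS = {"login-verify.example", "secure-docs.example"}
FIREWALL_LOGS = [
    "2025-03-01T10:02:11Z action=allow src=10.0.0.5 dst_host=login-verify.example path=/auth",
    "2025-03-01T10:03:40Z action=allow src=10.0.0.9 dst_host=intranet.corp.example path=/home",
    "2025-03-01T10:05:02Z action=allow src=10.0.0.7 dst_host=login-verify.example path=/auth",
]
LOG_RE = re.compile(r"src=(?P<src>\S+) dst_host=(?P<host>\S+)")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
@dataclass
class Verdict:
    score: int = 0
    bad_hosts: set = field(default_factory=set)     # link hosts judged malicious
    clicked_by: set = field(default_factory=set)    # devices that reached them
    block: list = field(default_factory=list)       # hosts to block on the firewall
    quarantine: list = field(default_factory=list)  # devices to isolate

def score_email(sender: str, body: str) -> Verdict:
    """Step 1: pull link hosts out of the body and score the email for badness."""
    v = Verdict()
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in KNOWN_BAD_DOMAINS:                       # on the threat-intel list
            v.score += 3
            v.bad_hosts.add(host)
        elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):  # raw-IP link
            v.score += 2
            v.bad_hosts.add(host)
        # Link host outside the sender's domain (exact or subdomain) is a weak signal.
        if host and host != sender_domain and not host.endswith("." + sender_domain):
            v.score += 1
    return v

def check_clicks(v: Verdict, logs=FIREWALL_LOGS) -> Verdict:
    """Step 2: find devices whose firewall traffic reached a flagged host."""
    for line in logs:
        m = LOG_RE.search(line)
        if m and m.group("host") in v.bad_hosts:
            v.clicked_by.add(m.group("src"))
    return v

def plan_response(v: Verdict, threshold: int = 3) -> Verdict:
    """Step 3: only a true positive (score >= threshold) triggers block and quarantine."""
    if v.score >= threshold:
        v.block, v.quarantine = sorted(v.bad_hosts), sorted(v.clicked_by)
    return v
```

Chaining the three functions on a constructed phishing email that links to a known-bad host yields a block action for that host and quarantine actions for the two devices whose firewall logs show the click.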
In 2025, no analyst should be manually investigating phishing when the workflow is this basic and the response this standard. Given that many analysts find themselves overstretched and underwater, implementing automation is a no-brainer: it frees up time and empowers teams to focus on higher-value tasks, new training to uplevel skills, and writing more playbooks. It's a virtuous cycle that boosts teams’ confidence and excitement around automation, rather than eliciting anxiety over being replaceable.
Reevaluate high-level initiatives
Security leaders don’t need automation or AI to improve efficiency. Simply reevaluating priorities and initiatives is one way to cut down tasks that aren’t contributing to a SOC’s success. Technology changes fast, and initiatives that were decided on a few years ago might not be as pertinent or valuable today. To set the right priorities, everyone in the SOC should understand the organization’s most critical services and processes. This knowledge helps identify the true “crown jewels” to protect and strengthen overall business resilience.
Fuel your security posture with purpose
Freeing teams from routine tasks doesn’t simply save time. It restores purpose to analysts’ roles, reduces burnout, and enables teams to focus on the work that truly strengthens security. By reevaluating priorities, embracing thoughtful automation, and redefining what success looks like, security leaders can build a culture of efficiency that empowers their teams to defend smarter.
To learn more about how teams can eliminate inefficiencies and build a smarter and more automated SOC, download the State of Security 2025 report.