It's not the instruments that make the orchestra, it's the musicians. Too often, SOCs are designed around technology rather than the humans tasked with using it.
This tool-centric myopia can undermine the very resilience it is supposed to create. I’ve seen untold talented analysts churn because their tools were working against them, not for them, and I’ve watched organizations pour money into technology without addressing the day-to-day challenges their security teams face.
Walk into almost any SOC and you will see threat intelligence platforms, orchestration tools, automated detection platforms, and dashboards for every metric. On paper, this should be the height of efficiency. In practice, it often leads to analyst burnout, unmanageable alert volumes, and a widening gap between the promise of the SOC and its real performance.
When tools are evaluated primarily on hyper-specialized features rather than how they fit into the daily work of analysts, security teams can end up adopting them one at a time without a unifying design philosophy. The result is a gap between good intentions and lived experience. The opportunity now is for executives to bridge that gap by ensuring new investments empower their people as much as they strengthen their security posture.
Human-centered design borrows from user experience principles, focusing on how tools feel to the people using them. Leaders must understand how analysts work best, from prioritization and collaboration to decision making under pressure, and design workflows and systems to support those behaviors.
For example, in one SOC I observed, a team had adopted five overlapping detection platforms over two years. Analysts spent hours reconciling alerts between systems, and automated playbooks often failed because each tool had slightly different data formats. To investigate incidents, analysts often had to do multiple searches across different tools, then manually integrate the data into a cohesive timeline. This led to investigation delays, missed indicators, and ultimately a near-critical security gap when an active threat went undetected for multiple days.
A team based solely on tools creates a patchwork environment where integrations are fragile, data layers are siloed, and workflows rely on improvisation more than intention.
When security teams are overly organized and ruled by the tech stack, they can slow down SOCs, not threats. Analysts bounce between dashboards, reconcile conflicting alerts, and stitch together data that should already be connected. Splunk’s State of Security 2025: The stronger, smarter SOC of the future shows that 46% of security professionals spend more time maintaining tools than defending their organization. Over time, fatigue builds, investigations slow, and work that should feel engaging turns into busywork.
The end result? Analysts disengage or leave because their tools feel more like obstacles than support. Every departure increases costs to recruit and train replacements, drains institutional knowledge, and lengthens the time it takes for a team to reach peak effectiveness. That instability erodes resilience and leaves the organization exposed to threats for longer than necessary.
Even when teams remain intact, fragmented workflows increase the odds of missed signals, wasted effort, and costly security gaps. These outcomes are not the fault of weak tools or unskilled analysts, but the predictable result of systems designed without people in mind.
Building a human-centered SOC starts with understanding the analyst experience. How much time is spent chasing alerts or switching between tools instead of conducting meaningful investigations? Where are pain points, duplication, or bottlenecks? The answers reveal whether technology empowers the team or quietly erodes their effectiveness.
To help leaders translate this insight into action, CISOs can evaluate tools using four pillars of human-centered design:
Beyond selecting new tools, leaders should regularly audit their existing stack. Key steps include mapping all tools against workflows, identifying redundancy, documenting integration gaps, and prioritizing upgrades or consolidations based on impact to analyst effectiveness and security outcomes. Evaluating each tool through these four pillars, both at purchase and during periodic audits, ensures investments strengthen the team, rather than creating hidden friction.
Security is often described as a technology challenge. But fundamentally, it is a human one. A SOC built around tools alone will eventually buckle under the weight of its own complexity, whereas a SOC built around people can adapt, endure, and thrive.
To get the most out of their organization, security leaders should reimagine their teams not as a collection of tools, but as a system designed for the professionals who make it work. In the end, resilience doesn’t come from the tools you buy, it comes from the people you empower.
To learn more about how teams can eliminate inefficiencies and build a smarter and more automated SOC, download the State of Security 2025 report.