Staffing Crisis and AI Maturity Gaps Hinder Modern SOCs

Matilda Bailey is a seasoned networking and security specialist who has spent the last decade watching the evolution of cellular, wireless, and next-generation security architectures. Her work often puts her at the intersection of infrastructure and defense, where she sees firsthand how technology can both empower and overwhelm a team. In this discussion, we dive into the latest SANS findings to explore the persistent staffing shortages, the uneven adoption of artificial intelligence, and the visibility gaps that continue to haunt security operations centers. Matilda provides a deep look into why the disconnect between the boardroom and the server room is the greatest vulnerability an organization can face today.

Leadership often believes they are prioritizing retention while frontline staff feel unheard. How can organizations bridge this perception gap?

This disconnect isn’t just a simple misunderstanding; it is a fundamental breakdown where executives describe a noble intent while practitioners are forced to describe a much grimmer outcome. We see a staggering 27-point gap that has persisted year after year, with 59% of cyber leaders claiming they focus on retention while only 32% of the workforce actually feels that support. To bridge this, leadership needs to move past the 22% of cases where they hear the request but ignore the urgency of the situation. It requires a cultural shift where management understands that a lack of staff is the number one operational challenge for 14% of their frontline practitioners. Real change happens only when management stops treating retention as a checkbox and starts acknowledging the daily exhaustion of the people keeping the lights on.

There seems to be a mismatch between the technical skills recruiters look for and the daily reality of SOC operations. How should hiring managers re-evaluate their priorities?

It is fascinating to see that SIEM expertise remains the most sought-after skill, commanding nearly double the demand of EDR, despite how the workday actually unfolds for most analysts. In reality, about 86% of daily SOC responses are triggered by endpoint security alerts, compared to only 78% coming from the SIEM. We are consistently hiring for the “big picture” tool while our analysts are spending the bulk of their time fighting fires and digging through the gritty details at the device level. Hiring managers need to recalibrate by seeking out specialists who can navigate the sensory-heavy world of endpoint detection rather than just high-level log aggregation. If we continue to prioritize the wrong tools in our job descriptions, we will keep seeing that mismatch between the theoretical needs of the business and the practical needs of the security team.

With nearly 80% of respondents using AI but very few having defined workflows, what risks are we taking with this unstructured adoption?

We are currently in a “wild west” phase of technology where 79% of professionals are reaching for AI, yet a mere 36% have actually integrated these tools into a formal, governed SOC workflow. This creates a dangerous maturation gap where individual analysts are using AI tools on their own, often without any organizational structure to validate whether the data coming out is actually accurate. When 38% of teams are just using vendor tools out of the box without any customization, they risk relying on “black box” logic that hasn’t been vetted for the specific nuances of their own network. Without a human in the loop to interpret and validate these outputs, we aren’t just gaining efficiency; we are potentially automating errors at a massive scale. Organizations must start by identifying specific capability gaps and measuring AI results against hard metrics before letting the technology run loose across the environment.

Why is there such a significant lag in monitoring OT and IoT assets, and how does this affect the overall security posture?

It is quite alarming that fewer than half of organizations—only 45%—are fully or partially monitoring their OT and IoT computing assets through their SOC. As these connected devices proliferate across factories, warehouses, and smart offices, this visibility gap becomes a massive, silent blind spot that adversaries are eager to exploit. We are seeing a similar underutilization with threat intelligence; while 74% of leaders use it for threat hunting, only 26% use that data to inform their actual budgets and spending. This means we are technically aware of the threats hiding in the shadows, yet we aren’t putting our money or our monitoring tools where the actual danger is located. Closing the gap on OT monitoring is no longer an optional project; it is a critical step in preventing a physical-world catastrophe that begins with a digital breach.

What is your forecast for the evolution of SOC metrics over the next few years?

For ten consecutive years, the “number of incidents handled” has been the top metric reported, but this is a hollow victory because it measures volume rather than actual business value. I forecast a shift away from these vanity metrics toward data that demonstrates real impact and resilience in the face of increasingly sophisticated attacks. We will likely see a push for metrics that account for the 74% of leaders using threat intelligence to move from a reactive stance to a proactive, strategic posture. As AI becomes more embedded and automated, the focus will move from “how many alerts did we close today” to “how much systemic risk did we actually mitigate for the business.” If we don’t make this shift soon, the SOC will remain a cost center in the eyes of the board rather than being recognized as the strategic asset it truly is.
