As a leading voice in endpoint security and cybersecurity strategy, Rupert Marais has a unique perspective on the evolution of the modern Security Operations Center. With the relentless pressure of new threats and the transformative power of AI, the SOC is at a critical inflection point. Today, we’re delving into how security leaders can navigate this complex landscape, from harnessing AI as both a shield and a potential vulnerability, to reshaping their teams for the future and forging crucial alliances across the business.
CISOs are harnessing AI to accelerate threat detection while also facing new attacks against AI systems like data poisoning. How should security leaders balance investing in AI for defense versus building capabilities to protect these new AI assets? Please share some practical first steps.
This is the central challenge we’re facing. It’s a two-front war. On one side, we absolutely must invest in AI to stay ahead. The truth is, our human teams are already overwhelmed; they simply aren’t getting to everything that matters. Using agentic AI that can self-tune, correlate disparate events, and escalate only what’s truly critical is no longer a luxury—it’s a necessity. It buys our teams the precious time they need to respond effectively. On the other front, these AI systems are now high-value targets. The first practical step is to treat AI security as its own discipline. We’re already seeing major enterprises, like Lloyds Banking Group, hire dedicated leaders to build teams focused purely on securing AI systems—handling everything from threat modeling to adversarial detection. A crucial starting point for any SOC is to begin developing AI-specific incident response playbooks and implementing dedicated monitoring for threats like data poisoning and model manipulation. You can’t protect what you can’t see.
High staff attrition and a shortage of skills in forensics and threat analysis plague many SOCs. As AI automates repetitive tasks, how can CISOs effectively upskill their teams for more senior roles and make the work more engaging to reduce turnover?
This is an incredible opportunity disguised as a problem. The high attrition we see is often born from monotony and a feeling of being stuck. Analysts burn out sifting through endless, repetitive alerts. AI is the perfect tool to break that cycle. By automating the Tier 1 and Tier 2 grunt work, we free up our most valuable assets—our people—to do more interesting, high-impact work. The key for CISOs is to build a culture of continuous learning and growth. We need to be actively cross-training our people, giving them incentives to develop expertise in forensics or threat intelligence. Instead of being siloed, an analyst can now work on a broader range of challenges. Establishing clear career progression paths and mentorship programs where senior analysts guide junior ones is also vital. This makes the work more engaging, shows people they have a future, and directly tackles the attrition issue by making them feel valued and invested in.
Forecasts suggest that by 2030, traditional analyst roles will be phased out, replaced by experts in risk analysis, threat intelligence, and crisis management. What does this evolution look like in practice, and what career paths should junior analysts pursue now to remain relevant?
The evolution is already underway. We’re moving from a reactive model of “find and fix the alert” to a proactive model of “anticipate and mitigate the risk.” In practice, this means the SOC of 2030 won’t be filled with rows of analysts staring at screens of alerts. Instead, it will be a hub of highly skilled experts. You’ll have data scientists building predictive models, threat intelligence specialists who deeply understand adversary tactics, and risk analysts who can translate technical threats into business impact. A central figure will be the crisis manager, someone who can orchestrate a large-scale response. For a junior analyst today, the path to relevance is specialization and a business-centric mindset. Don’t just learn the tools; learn the “why.” Pursue skills in data analysis, become an expert in cyber threat intelligence (CTI), and get comfortable with generative and agentic AI. The goal is to move up the value chain from being a tool operator to a strategic thinker who can determine the best course of action before an incident even happens.
For global companies, a “follow-the-sun” SOC model with distributed teams is often recommended over a single centralized location to improve analyst performance. What are the key operational and cultural challenges in implementing this model, and how can leaders ensure seamless, 24/7 collaboration?
The “follow-the-sun” model is fundamentally about human performance. An analyst working a day shift is simply more effective and less prone to burnout than one working through the night. While the pandemic proved remote SOCs can be highly effective, distributing teams across Europe, Asia, and the Americas introduces its own complexities. The biggest operational challenge is the handover. You need ironclad processes to ensure that context isn’t lost when one team’s shift ends and another’s begins. This requires standardized reporting, shared knowledge bases, and clear communication protocols. Culturally, the challenge is creating a single, unified team identity, not three separate ones. Leaders must actively foster a shared mission and encourage cross-regional collaboration through shared projects, virtual team-building, and consistent training. The goal is to make it feel like one continuous operation, where an analyst in one region can seamlessly pick up where a colleague on the other side of the world left off.
Building strong relationships with business leaders, especially in legal and finance, is becoming critical for CISOs. Beyond incident response, how can security leaders proactively integrate with these departments to improve overall risk management, and can you share an example of a successful collaboration?
This is about moving security from a cost center in the basement to a strategic partner in the boardroom. Historically, security has been seen as a function that says “no.” To change that, CISOs must be proactive. The head of legal should be your best friend, not someone you only call when there’s a breach. A great example of proactive collaboration is working with Legal on data governance policies before a new product launch. By integrating security and privacy by design, you avoid costly regulatory fines and reputational damage down the line. Similarly, by partnering with Finance, you can model the financial impact of different cyber risks, which helps justify security investments in a language the CFO and the board understand. It’s about building a shared understanding of risk, where the security team provides the technical context, and the business leaders provide the business context. When that happens, you get much smarter, more resilient decision-making across the entire organization.
What is your forecast for the future of the SOC?
My forecast is that the SOC will evolve into a nerve center for business risk intelligence. The focus will shift dramatically from reactive incident response to proactive threat anticipation and risk management. Automation and AI will handle the bulk of detection and routine tasks, elevating human experts to roles centered on strategic analysis, threat hunting, and crisis leadership. The most successful SOCs will be deeply integrated with the business, with teams that are geographically distributed yet culturally unified. Ultimately, the SOC of the future won’t just be protecting the organization’s technology; it will be a key enabler of business resilience and innovation, helping the company navigate a complex and hostile digital world with confidence.
