- What: The article discusses the need for CISOs to focus on harnessing and securing AI and building new skills among their people to stay on top of future cybersecurity threats.
- Impact: Organizations need to transform their SOC to meet future needs and manage costs effectively.
How to Stay on Top of Future Threats With a Cutting-Edge SOC

CISOs should focus on harnessing and securing AI and building new skills among their people. Vision and change management can transform security.

Richard Thurston, Contributing Writer, Dark Reading
February 10, 2026

The security operations center is a critical business function that must continually evolve to keep pace with new cybersecurity threats. CISOs remain under tight cost pressure, so they must be highly focused on transforming the SOC to meet their organization's future needs.

One thing is certain: the capabilities of today’s SOC will not be fit-for-purpose in five or even three years' time. SOC transformation is complex, and artificial intelligence and people strategies are crucial.

Harnessing AI to Accelerate Detection/Response

The relevance of AI and security is two-fold. As well as harnessing AI to improve security posture, CISOs will need to implement security measures to protect it, because those assets are increasingly under targeted attack. This is a new focus for many security professionals, and therefore a focus of considerable learning.

AI is far from new to the SOC, but choosing the right AI tools from the proliferation that is now available will help CISOs sift through the noise of security events and identify the existence and nature of significant threats much faster.

"The reality is the humans are not getting to everything that matters anyway," says Charles Jacco, principal, cybersecurity services at KPMG. "So, if you can get an AI to self-tune itself, find what matters, cross-correlate across these different events, look at known TTPs (tactics, techniques and procedures), and then escalate what matters, now we're getting somewhere."

This is evolving now in the detection side, says Jacco, with the use of agentic AI, a system of models that mimic human decision-making to accomplish specific goals with little supervision. As long as the models are correctly defined and given good input data, they can buy the security operations team precious time to start responding and remediating.

The protection of AI assets is an area that’s grown so significantly that it already has its own dedicated staffing requirements in some enterprises. For example, the chief security officer of Lloyds Banking Group is hiring a security leader solely to develop a team dedicated to securing its AI systems and applications. This team will work on risk assessments, compliance, threat modelling and adversarial detection, risk mitigation, and detection and response, purely to protect these AI assets, and will have key touchpoints with AI developers. This role pays well for a position reporting to the chief security officer, reflecting the scarcity of the required skills.

"Protecting AI systems requires specialized considerations for SOCs, such as monitoring for data poisoning attempts, model manipulation, prompt injection attacks, and AI supply chain compromises," says Maxine Holt, vice president of research at Omdia.

"Our research suggests SOCs should implement dedicated monitoring for AI infrastructure, establish AI-specific incident response playbooks, and develop specialized threat intelligence focused on AI-targeted attacks," she says.

Develop the SOC With More Advanced Skills

According to research by the SANS Institute across the Americas and Europe, many of the required SOC skills are missing from organizations, with digital forensics and threat analysis the most common missing specialist skills, and incident management not far behind. This should concern CISOs, HR professionals, and business leaders.

High levels of staff attrition compound the skills shortage, which has plagued SOCs for many years, so CISOs should prioritize the ongoing supply of skills to the SOC. As AI is deployed to accelerate repetitive detection activity, CISOs must upskill their staff for the more senior roles. This gives them an opportunity to make their teams' work more engaging and varied, thereby reducing attrition.

"As we get more automated, there is an opportunity in my view for CISOs to be cross-training their people and giving them some incentive to do more, versus being stuck in the silo and only doing that one thing," Jacco says. "That's why you have an attrition issue right now; is because people feel stuck."

Holt feels that CISOs should do more to develop their SOC staff. "Developing specialized AI expertise for SOC analysts will support the CISO's people strategy, alongside clear career progression paths, and managing mentorship structures between senior analysts and those comparatively new to the industry," she says.

Rik Turner, chief analyst at Omdia, argues that it will become a key requirement for SOC analysts to be familiar and comfortable with generative and agentic AI, and he expects lower-level analysts to show they're willing to move up the SOC hierarchy.

In a future-oriented view of SOC evolution, Dutch research organization TNO is clear that staffing requirements will change significantly.
It believes that in five years' time, SOCs will contain very few analysts as we know them today. TNO said roles in 2030 would focus on situational awareness, predictive analysis, risk assessment and determining the course of action. It added that the crisis manager will become a key SOC role to manage serious incidents.

"Virtually all traditional Tier 1 and Tier 2 SOC analysts have been phased out," TNO wrote in its 2030 forecast. "The majority of SOC staff consists of highly-skilled experts in risk analysis, CTI (cyber threat intelligence analysis) or data analysis."

Then the question is where the SOC staff should be located. Lessons learnt during the lockdowns due to the COVID-19 pandemic showed that remote SOC staff can be effective, so many enterprises will prefer to build a distributed workforce to improve work-life balance and reduce attrition.

But should SOC analysts be centralized in a single country to create a single geographical center of excellence? This could work for some organizations, but it depends heavily on the organization's footprint. A business with customers in the US and Canada is likely to see benefits from consolidating staff in one country. But a company with operations in Europe and Asia that expects significant threats worldwide would be well-advised to recruit SOC analysts in all three regions to provide 24/7 coverage. An analyst working during the day is much more likely to perform well than an analyst working the night shift, lending weight to the adoption of a follow-the-sun SOC strategy.

Build Relations with Business Leaders

As cybersecurity becomes more important and more understood at a business level, CISOs will benefit from enhancing their relationships with other business leaders, and not just the CEO and other technology leaders.

For joined-up thinking on risk management, regulatory compliance, and the resolution of incidents, the head of legal will be a good port of call, says Rebecca Blair, a cybersecurity author. "Legal should be a CISO's best friend," she says, and adds that the finance team and CIO or head of network should be high up the list for CISOs.

In a marked contrast with the historically conservative approach of security operations, Blair also calls for CISOs to lead the charge on innovation. Proactivity, vision, and change management will be vital weapons for transforming the SOC, securing the trust of business leaders, and staying one step ahead of adversaries.

About the Author

Richard Thurston is a contributing writer for Dark Reading.