Skip to content
Menu
menu
Illustration of a two-level security operations center under construction with video walls and data center equipment

Illustration by iStock

How to Create and Maintain an Effective SOC

A security operations center (SOC) can greatly support a facility or an entire organization. But how do you build one? How do you ensure that the employees working in these centers don’t burn out or quit because of the high-stress environment?

These physical and psychological considerations are more linked than many might initially imagine.

Space, Form, and Function

Step one of creating a SOC is determining if there’s a clear need for one. No facility is the same—even when two identical buildings are built, their different locations, functions, and occupants would contribute to different risk profiles.

When an organization is looking at its facilities to determine the need for a SOC, it should consider which assets are housed within the buildings, their value, and the level of access that the public may have to the site.

Jason Larkin, director of security operations for Menkes Property Management Services, adds that it comes down to not only public access, but also the space itself. Some buildings, especially historical ones, might not offer sufficient square footage or infrastructure to support a SOC.

While new builds may be able to dedicate space for a future SOC, security teams considering creating a center in an existing building may have to reimagine existing rooms, like storage spaces. But floor space is often limited and in high demand.

“I find one of the greatest barriers in commercial real estate is having space, because all space equals dollars,” Larkin says. “…You can’t turn it into a storage room. You can’t lease that to a tenant. Being able to sacrifice space to create the proper SOC space is sometimes a challenge.”

Larking stresses that you should always aim for securing the largest room available. He recently dealt with this issue when creating a SOC for Menkes in an existing building in Toronto, Canada. The value of space comes into play when setting up equipment, like a video wall, and allowing for a more comfortable working and viewing experience for SOC staff.

Next, it’s important to clarify what work will and will not be undertaken by the SOC. This helps outline which applications are needed to support the work and ensures that the SOC will be dedicated to security activities and responsibilities—preventing it from becoming a catchall for other departments hoping to outsource tasks.

“Oftentimes, SOCs become a dumping ground for customer work that’s not security-related because of their 24/7 nature,” says Brian Adkins, who leads Johnson Controls’ Security Operations Center-as-a-Service (SOCaaS) solutions.

Without a clear definition of duties for the SOC, organizations can add on tasks unrelated to security, further increasing SOC staff’s risk of fatigue or even burnout.

Essentially, anything that the building needs to support operations should be monitored by the SOC. These can include access control, building automation systems, elevator controls, emergency management systems, additional communications systems used by building personnel, and video surveillance systems. “Those are your lifeline things,” Larkin says. “You have to be able to see where people are. You have to be able to open or close doors and either secure the space or unsecure it. You need to be able to communicate. That’s the core of that SOC.”

Taking stock of what work a SOC will be focused on can help identify which applications are necessary. Adkins points to customers who have less effective SOCs and staff because of an overwhelming number of applications, which force staff to juggle between platforms. He suggests that security leaders be mindful about which applications they include and be mindful to not have too many.

“We have a customer who came to us whose SOC was using 52 different applications,” he recalls. “You can imagine when an employee bounces from all of those applications, how difficult it could be.”

To prevent this source of fatigue, Adkins recommends using a physical security information management (PSIM) system, which provides a single interface that SOC employees can use, a “single pane of glass that allows them to use different systems from that one window.”

When it comes to function, J. Kelly Stewart, president and CEO of Newcastle Consulting, says that he sees the overall mission of SOCs as one of communications.

“The biggest thing I always mention to clients is the communication piece,” says Stewart, who has been in the physical security industry for about 30 years and works with clients who want to design and create a SOC for their facility or organization. “Obviously, you’re there to monitor and then report. You’re also there to advise and be proactive in the sense that you’re giving information to people that have to make decisions. It’s a communication vehicle.”

Identifying the need and the function of the SOC can greatly help in the next step: figuring out where to put it.

As mentioned above, there’s a difference between building a SOC from scratch, in conjunction with construction of the building itself, and creating one in an existing space. But you also need to determine how far your SOC is from crucial elements that will support the center, such as network infrastructure, and how much work it will take to run necessary wiring into the SOC, or how close any posted guards may be if security personnel require additional support.

When figuring out ideal (or relatively ideal) locations for this hub, Larkin notes that the SOC needs to be accessible to authorized personnel beyond SOC staff. Equipment and technology will need fixing in the future, typically by contractors and integrators. Will they be able to access the proposed area without causing significant disruption?

It’s worth considering whether a SOC may be better situated as a detached facility for business continuity purposes. Is your high-rise building on a fault line or prone to flooding? Assess any common emergencies that could affect your building and what the SOC will be expected to do during these situations to help determine its best location.

Once you have a set location, Larkin advises doing as little as possible to advertise that the room is a SOC. By keeping it unobtrusive so only authorized personnel know its location and are permitted entry, it becomes less of a target.

“We don’t put windows on our SOC doors. They’re always solid. They just look like a storage room if they’re near the garage,” Larkin says. “…It allows you to control who should and shouldn’t be in there.”

Invest in User-Centric Equipment

So, now you’re sure you need a SOC, where you’re going to put it, and what issues it can address and support within the scope of the larger organization. Next comes the fun step: picking out the tech and equipment.

This equipment will support the staff who will be working in this room, day and night. Just remember, “each company is different,” Stewart says. “Not all solutions of what the best practices are are going to fit within their model.”

In order to create the most effective and efficient SOC for a specific organization and team, Stewart focuses on the ergonomics of the room and the equipment, which will be an important consideration as you determine which equipment you’ll need.

“What are some of the things, especially thinking of the people that you’re going to have in there? Do you understand what they can do? What can’t they do? What are their limitations?” Stewart says.

Perhaps one of the first tools that someone thinks of when they hear the word “SOC” is a massive wall of video monitors, showcasing a plethora of video feeds covering a facility. But not all SOCs are built the same, and that includes those monitors.

If you’ve succeeded in grabbing a bigger room to create your SOC in, it makes sense to opt for larger screens, which can make the job easier on staff. With smaller screens, “it’s like looking at a wall of postcards,” says Larkin. Bigger screens mean that staff won’t be squinting and are more likely to quickly comprehend the images in front of them.

If the room is smaller, it might be better to forgo an entire video wall and instead provide a few screens, along with multiple monitors at individual desks.

“For me, it’s important that our SOC can see that so they know what’s going on outside of their building,” Larkin says. The desktop monitors and wall screens can divide the various programs, including monitoring, access control, data mining, emergency management, and email—allowing staff to focus on specialized tasks at their desk while still able to look up and keep an eye on the facility at-large.


Being able to sacrifice space to create the proper SOC space is sometimes a challenge.


Stewart has experienced the discomfort of smaller screens firsthand. In the first operations center he worked in during the 1980s, the screens featured surveillance feeds roughly the size of a 3”x5” notecard. But even today, he has seen SOCs where staff are forced into uncomfortable positions while trying to watch surveillance feeds, faces far too close to the monitors, or necks forced into awkward positions for prolonged periods.

“It’s going to destroy your neck and your eyes. A lot of things have to be thought into when you’re doing this from a best practice standpoint,” Stewart says.

Other equipment that will be used every day or regularly, especially items like desks and chairs, should be ergonomic and durable, with consideration given to any equipment that staff may have to wear or carry, like a utility belt.

“When you sit down with your radio on your belt and it hits the foam on your armrest, it just shreds the armrest,” Larkin says. “When a guard is up and down 24 hours a day, that armrest goes to crap.” Eventually, Larkin purchased chairs from a company that also supplies chairs to 911 dispatch centers.

Consideration should also be given to how the environment interacts with equipment. Larkin learned his lesson with sealed concrete, which damaged the wheels of desk chairs. In the end, the floor had to be refinished.

For desks, Larkin looked for a supplier that produces multi-level desks that offer seated and standing positions. The desks usually hold computer monitors on the upper level, while the lower level is where the keyboard sits.

“You’re in there for a long time. The ability to stand and work just makes it a better work environment for that guard,” Larkin says. “We can’t move what we mounted to the wall, but we can move the desk to help cooperate with whatever you’re most comfortable in.”

Adkins also agreed with the benefits of a standing desk. Staff may be encouraged to get up and walk around, “but sometimes they’re so engaged in the work, it’s difficult to do that,” Adkins says. “Having desks that they can stand up when they want to go from sitting to standing, it gives them that opportunity to do that.”

Other environmental elements, like light and atmosphere, are also of crucial importance.

With proper lighting, you can help staff avoid eye strain, headaches, and injuries, instead keeping them alert and able to successfully identify any security issues from their desks. Adkins recommends using indirect lighting—achieved by aiming light onto the ceiling and upper walls, which reflect and distribute the light evenly throughout a room—to reduce eyestrain and counteract the glare generated by monitors.

Larkin also focuses on lighting, noting, “We put all of our SOCs on dimmer switches so it’s not just on or off. You can set the lighting for what’s less stressful for your eyes.”

Working air conditioning units and proper ventilation are also helpful, keeping staff comfortable and focused on the tasks at hand.

If a SOC has thin walls or multiple operators, background noises might prove distracting. To counter these distractions, Adkins uses white noise generators. “That helps because now employees can hear. It’s not fatiguing, if you will, to hear all the conversations around you,” he says.

In SOCs, a lot of noise and activity is not uncommon, but the never-ending pace can be stressful. There are alarms from access control or video platforms, inbound phone calls, conversations, and more.

“Because you have such an incredibly high level of activity, oftentimes, it leads to burnout because you have somebody or multiple people that are trying to keep up with that load,” Adkins says. Without a triage strategy or way of prioritizing alerts, “it’s just too much for them to handle. What happens is you end up having incidents or calls being ignored, or it takes a long time to answer a call, or whatever it might be, and it just increases liability for a company,” he adds.

Aside from the white noise generators, Adkins recommends dealing with the tasks the alarms and calls all signify by working off established categories. In his SOC teams, these are listed as highest, medium, and lower risk. The activity is prioritized by both risk and importance, with life safety events always tagged as highest risk and most important. Something that qualifies as medium risk is an alert about an equipment malfunction, while a lower risk alert may relate to a delivery person trying to get into a building to drop off a package.


You’re there to monitor and then report. You’re also there to advise and be proactive in the sense that you’re giving information to people that have to make decisions. It’s a communication vehicle.


Supporting Function with Leadership

Leaders want teams that are focused and alert. While comfortable chairs, adequate lighting, and organized workflows can help, there are other opportunities for leaders to ensure staff remain in top form.

Part of creating an effective SOC team is determining which skills are required that will best meet the center’s demands.

“A lot of times, security operation centers are put together and the customer just allocates some employees to go and learn how to do this SOC work,” Adkins says. Just because a guard has a specific skill set that works for investigating incidents does not necessarily make him or her the best fit for a management position in a SOC. That mismatch of skills, personality, and job requirements can have notable negative effects on the individual.

“When employees are asked to perform many tasks that are not prioritized by risk and importance as far as importance to the customer business, that can absolutely lead to burnout,” Adkins says. A common challenge that he says often leads to burnout is a high level of activity, causing mental fatigue and increasing the probability of missing real events.

Adkins again recommends prioritizing tasks and doing so by level of risk. At the top of this list is risk to people’s safety or wellbeing, and risks to those factors would be triaged over all others. While a lot of SOCs wouldn’t disagree with this strategy, they may lack the practice of organizing and prioritizing tasks in this way, according to Adkins.

“If you don’t have those tasks prioritized by risk and importance, then what tends to happen is that there’s a higher liability,” Adkins says. “Not only that, but it can lead to burnout because it causes stress for the employees when they realize that they’ve been focused on a lower-priority task when something of life safety value is going on.”

While prioritizing tasks and ensuring sufficient variety and challenge for staff can help, Stewart emphasizes the need for sufficient staff.

“Usually with guard services, you’re always going on a rotation, a push, or anything like that but the one thing you always try to prevent is you have enough staff on hand so people do not get burned out,” Stewart notes. That rotation, even in a SOC setting, to coordinate breaks and down time can be of significant help, even in ways that may seem small but are still crucial. “Let’s just look at the simple things. People must go on bathroom breaks,” he says. 

Training staff—both as part of onboarding and regularly throughout their career—on how to handle certain scenarios, especially ones related to life safety and incidents they will most likely commonly encounter can help decrease performance anxiety and increase SOC staff’s confidence, mitigating the stress and fatigue that can lead to burnout.

Beyond training, there is also an element of disconnect that they try to encourage. Adkins encourages SOC staff to not only take the breaks they are legally entitled to, but also encourages employees who have encountered an especially difficult incident to take an additional break, or sit with their manager and talk about it.

Larkin also recommends allowing SOC staff to swap roles with any patrol guards (ones qualified and approved for working in SOC rooms) for about an hour. Although the SOC staffer may not be taking a break, the change of scenery and shift in responsibilities provides variety and another perspective of the larger organization. At Menkes, it helps with retention of security staff overall, and sometimes also results in patrol guards working towards a promotion when they realize that SOCs are not stagnant offices. 

Variety also helps SOC staff stay motivated and engaged. To achieve this, Adkins avoids having his staff repeat the same tasks over and over. Instead, he doles out different tasks to employees, ensuring that they remain engaged throughout his or her shift and career.

After a new hire is trained and becomes proficient with handling the basic tasks, he or she is introduced to more challenging tasks, preferably ones that complement an existing skill set.

“That really helps them, once again, in that idea of variety, whereas they become more technically capable, it’s actually satisfying to them, self-satisfying, because they can see that they’re making a difference in different areas,” Adkins says.

Other methods of encouraging engagement include an employee recognition system and bonus programs with financial bonuses, and monthly feedback or audits. “We’ve just found that that leads to retention, that leads to employee pride in working for the company, and it really provides that balance for the day-to-day job that they do,” Adkins says.

Much of this work to ensure stimulating variety and organization of tasks falls back on leadership, Stewart notes.

“To manage that properly, we need strong leaders who are in there and know how this operation works and can manage people in the same time in terms of their skill sets, and also knows when to pull people off certain things, put them on break, and when to put them back in,” Stewart says. “It’s as simple as that, quite frankly, but it’s a management of folks.”

 

Sara Mosqueda is associate editor for Security Management. You can send her an email, [email protected], or connect with her via LinkedIn.

 

arrow_upward