Metrics for Success: Security Operations Control Center Metrics

Here are some key performance indicators that can measure the effectiveness of your SOCC


There are few functions performed by a corporate security organization that are more critical than the operation of the security operations control center (SOCC). It is here that customer service, first response and risk management combine to provide the most visible and essential corporate security services.

Three major buckets of activity may be found in well-established operations:

  1. Maintain and deliver situational risk awareness, including monitoring and communicating critical incident status, and facilitating event escalation and crisis plan implementation.
  2. Provide 24/7 support to critical business operations and processes and sustain the provision of safe and secure workspaces to employees and visitors.
  3. Provide integrated monitoring of critical systems: apply intelligence, and aggregate, prioritize, target, communicate and escalate risk-related data reporting and assessments of security posture and anomalies.

Globalization and shared service business models have prompted many security organizations to build their SOCC capabilities to accommodate enterprise support for facilities management, global travel, IT call center and security event management, supply chain event monitoring, and other 24-hour business operations.

The chart displays a variety of factors that may be measured, but there are many others that may be appropriate to individual business dependencies. In this example, multiple proprietary operator/dispatchers are posted on three shifts and receive heavy call volumes from North America and Europe. Call management — timeliness, accuracy and quality — is emphasized.

  • Transfer rates measure calls that cannot be effectively handled by the initial call taker and must be transferred or escalated to another individual, such as a supervisor or specifically designated desk. The performance issue here may be a training gap in the call taker, inadequate customer direction for service, or the delay that accrues to the transfer.
  • Staff retention (or turnover) rates are critical performance indicators in these operations. Where SOCCs are outsourced, turnover has degraded operator competence and service level performance.
  • First call resolution rates measure transactions that are successfully completed within the initial call without a transfer to another individual.
  • Call service level compliance relates to the overall SOCC goal for customer responsiveness.
  • Operations audit is a scheduled or no-notice deep dive by a team into organizational performance. Its focus may be specific or general.
  • Failover testing is the essential resilience assessment and confirmation that is assigned to all critical business processes.
  • Vendor Service Level Agreement (SLA) compliance relates to quarterly rating of vendors who provide core services to the organization that directly impact SOCC efficiency, quality and service level. Examples are vendor-provided dispatchers/operators and equipment or infrastructure maintenance personnel.
  • System availability and accessibility is a measure of critical system and sub-system or process up-time reliability. While specific security head-end equipment is performing at 99.9%, other interdependent components or human factors may perform less well, resulting in service level degradation. This is a key performance contributor to call service level compliance.
  • Call taking accuracy is measured by shift supervisors using direct observation, log review and periodic incident post mortem review. Communication skills and operator knowledge for customer responsiveness are key elements in this assessment.
  • Percent dispatch time at goal: Risk assessment and analysis has resulted in a two-minute goal for all critical calls and a three-minute goal for non-critical calls. The performance objective is a running 90 percent average per reporting period. Using a more established call center performance measure, we would categorize this as average handle time.