5 minute read 18 Sep 2023


How a Converged SOC can bolster cyber defence

How a Converged Security Operations Centre can bolster cyber defence

Puneet Kukreja

EY UK & Ireland Cyber Security Leader

As the EY UK & Ireland Cyber Leader Puneet is passionate about building client centric, growth focused high-performing delivery organisations which are engineering led and powered by managed services.

Hugh Callaghan

EY Ireland Technology Consulting Partner

Experienced cybersecurity advisor. Twenty years in cyber and technology. Natural, engaging communicator. High-performance team builder. Diversity and inclusiveness advocate.

5 minute read 18 Sep 2023

A Converged Security Operations Centre offers greater coordination of multiple security offerings and enables a more rapid threat response.

In brief
  • Talent shortages are increasing organisations’ vulnerability to ever more sophisticated cyberattacks.
  • Reliance on multiple services from numerous third-party vendors and service providers presents a highly complex security environment for organisations to navigate.
  • A Converged Security Operations Centre provides oversight of all security services and contextualised response enablement.

In today's interconnected and digitised world, organisations face significant challenges in protecting their digital assets from cyber threats. The ever-increasing lack of cyber talent, coupled with the speed and complexity of cyberattacks, demands a transformative approach to security operations.

Enter the concept of a Converged Security Operations Centre (SOC), which combines organisational know-how with expert cyber skills to effectively monitor, detect, and respond to cyber breaches. A Converged SOC helps organisations manage the multiple speed to value-based complexities organisations face as well as leverage a strategic mix of managed services and internal talent to enhance their cybersecurity posture.

The growing threat environment

Cyberattacks are becoming increasingly sophisticated, fast-paced, and relentless. Threat actors are becoming more sophisticated all the time and are employing advanced techniques to breach defences, exploit vulnerabilities, and extract sensitive information. The threat they pose has become even more potent as a result of the rise and increased availability of large language AI models.

While these new AI tools undoubtedly have their benefits their employment by cyber criminals is creating new challenges for already overburdened cybersecurity teams. AI is now being used for everything from password cracking, enhanced hacking, deep fake creation, ransomware, payment gateway fraud, business email compromise and much more.

Acute talent shortage

Organisations are also facing difficulties when it comes to staffing their cybersecurity teams. The demand for skilled cybersecurity professionals far exceeds the available supply, making it challenging to hire and retain qualified individuals. According to the World Economic Forum Future of Jobs 2023 report, cybersecurity is among the most in demand skills at present and there is a shortage of 3.4 million cybersecurity experts to support the needs of the global economy¹.

That talent gap creates vulnerabilities and delays in incident response, leaving organisations exposed to potential breaches. It is also driving organisations to outsource more labour-intensive cybersecurity operations. Organisations need to ensure that scarce IT and cyber talent is not engaged in low level and demotivating mundane tasks and is focused instead on threat response and delivering value adding insights.

Vastly increased complexity

Adding to the challenge is the increasingly complex environments in which modern organisations operate. Modern enterprises rely on multiple third-party providers to deliver key services, and this creates its own security issues.

It would not be unusual to find a large organisation having its desktop estate managed by one vendor, its servers by another, while they are both maintained at an infrastructure layer by a third vendor. And then you might find that the incident response capabilities across that infrastructure is managed by yet another team which could be internal or external or a hybrid of both.

The complexity doesn’t end there. Large organisations will also have enterprise resource planning, payroll and HR, and finance systems which may be managed by multiple different vendors who also provide security capability.

And that is before you start to look at an organisation’s physical estate. It is highly likely that multiple vendors will also be responsible for building services such as energy management systems, fire and intruder alarms, heating and ventilation and so on. The software that runs these systems also represent points of vulnerability for organisations. Indeed, one of the most damaging breaches in the US retail sector had an air-conditioning system as the point of entry for the hackers.

The question for many organisations is who is looking after security on these systems. If it is the vendors’ responsibility how is that integrated into the organisation’s overall cyber security framework?

Rather than having a single cybersecurity vendor offering a Security Operations Centre (SOC) service, organisations might have eight or more vendors supporting technology infrastructure and applications and a variety of other assets and services.

So how does a vast, broad and complex organisation with a large number of existing security contracts created through organic growth or acquisitions ensure that if a cyber incident takes place, it can respond properly? How do they ensure that the multitudes of contracts and services procured from different functions can create a unified incident response capability? That is where the concept of the Converged SOC comes in.

Converged SOC: A 360-degree view

A Converged SOC does not seek to replace or replicate these disparate vendors and services. Instead, it provides an oversight layer which enables a proactive and comprehensive approach to cybersecurity. It empowers organisations to take greater control of their cyber defences and enables more rapid and coordinated responses to threats and breaches, thereby increasing cyber resilience.

In the classic SOC model, the vendor provides an all or nothing service with very limited options for customisation. Indeed, any attempt at true customisation tends to be financially prohibitive. Any attempt to get a single SOC provider to provide all of the threat monitoring and response services required by a complex organisation is doomed to failure.

What is required is a model that converges oversight of all the SOC and other security services provided internally and by external vendors into a single entity. To actualise the concept of a Converged SOC, a practical step involves evaluating your current operational procedures within the context of this unified Security Operations Center. The composition of this team, whether it is insourced, outsourced or co-sourced, should be tailored to align with the organisation's threat profile and exposure landscape.

It has one single purpose, “unified end-to-end cyber response, at speed.”

Its core function is to ensure that the organisation is prepared for any cyber incident which occurs in any area, be that in IT or OT, or indeed in a third or even fourth party where data is stored, or applications are run.

In the current model, incident response tends to be handled within separate siloed areas within an organisation. However, there is absolutely no guarantee that an incident is not going to have a rapid expansion or result in multiple attacks across the organisation. The perpetrators might be attempting to access the building management system, but there may also be attack vectors into desktops and network ports.

A converged view of exactly what is happening across all security operations addresses that issue and improves breach response readiness. It ensures that if and when an incident occurs, there is a cyber function that will be able to respond to it. That doesn't require integration across different teams within and outside the organisation, it means that knowledge is shared at the CSOC level and responses can be coordinated as necessary.

The different functions within the organisation will have their own incident response playbooks. What is important is that there will be a central understanding of the nature of the incident, whether it is a single incident or multiple incidents, and how the organisation as a whole needs to respond to it.

This will ensure that intelligence from multiple teams is appropriately managed and shared, such that the organisation can respond as one rather than running several separate incident responses and to find out many hours later that they were all doing the same thing. In every cyber incident, the first four hours are hypercritical, and that is where the CSOC with its unified response capability comes into its own.

When an incident takes place, the converged model ensures that there is rapid response and each of the individual teams or functions respond in the way they have been instructed or contracted to do.

That speed of response and its comprehensive nature will mean that organisations are less susceptible to large scale damage following an incident. It also means that organisations can make the best use of their cyber talent in engaging them in these high-level activities while continuing to outsource other elements of their cybersecurity capability.

The concept of a Converged Security Operations Centre presents a viable solution for organisations seeking to enhance their cybersecurity posture.

By combining organisational knowledge with expert cyber skills, organisations can establish a proactive and comprehensive security approach.

Key actions that organisations should consider for implementing a Converged SOC:

With these elements in place, organisations can better defend against cyber threats, protect sensitive data, and maintain a resilient and secure digital environment.


Multi-vendor IT systems and services are creating increasingly complex operating environments for organisations. Managing security and threat response is made all the more difficult by the severe shortage of IT and cyber talent. A Converged Security Operations Centre delivers full visibility of all security systems and services, and enables organisations to make the best use of existing talent while optimising threat response.

About this article

Puneet Kukreja

EY UK & Ireland Cyber Security Leader

As the EY UK & Ireland Cyber Leader Puneet is passionate about building client centric, growth focused high-performing delivery organisations which are engineering led and powered by managed services.

Hugh Callaghan

EY Ireland Technology Consulting Partner

Experienced cybersecurity advisor. Twenty years in cyber and technology. Natural, engaging communicator. High-performance team builder. Diversity and inclusiveness advocate.