SOC Maturity Assessment in Australia: Our Approach

February 10, 2025

Day-to-day firefighting in SOCs (Security Operations Centres) can make it hard to see the bigger picture. A steady drumbeat of alerts and incidents can blur your focus. That’s why it’s so important to step back, breathe, and look at the current state of your SOC with a fresh set of eyes.

Whether it's via an internal SOC maturity assessment with a popular model like SIM3, or an external consultant with deep SOC expertise, a new perspective can help uncover blind spots you might have missed in the rush to keep on top of the day-to-day demands of security operations.

The benefits of an outside perspective

When I talk to security operations teams during SOC maturity assessments, one thing I hear often is, “This is the only SOC I’ve ever worked in. I think it might be OK, but I don’t have a frame of reference.”

It’s a common sentiment. After all, for many SOC analysts, their entire career might be spent in just one country, one industry, or one organisation.

They know what works for them, but they don’t always have the visibility to compare their operations to the broader landscape of other Australian-based SOC teams in their industry.

This is where bringing in an outside perspective becomes invaluable.

A fresh set of eyes, someone who’s seen a wide variety of SOCs and understands the common patterns (and anti-patterns) that emerge in these environments, can offer insights that you might not even realise you’re missing.

An external assessor like Cosive can help you develop a baseline for your SOC's current maturity level and give you a comprehensive roadmap for where it needs to go.

The value here isn’t just in pointing out the obvious gaps (although those certainly matter). It’s in offering a framework to prioritise and tackle those issues over time.

You can always add your own insights, of course—most SOCs already have a laundry list of pain points they want to address. But the right maturity assessment will help you craft a realistic, achievable roadmap for improvement over the year.

That’s the real takeaway: a plan, tailored to your unique environment, that gives you the direction and clarity you need to make meaningful progress.

Fast-forward to next year and you’ll have run a series of projects designed to address your key challenges, improve your processes, and boost your overall SOC maturity.

Then in January or February, you’ll want to run another assessment, track your progress, and assess:

Did the investment of time and resources pay off?

Are we in a better position than we were a year ago?

Q1 is the perfect time to initiate this process, because it aligns with both the natural cadence of the calendar year and the project cycles many teams follow.

You get a full 12 months to implement your changes and have concrete metrics by year-end to judge whether your improvements have paid off.

Knowing what good looks like

No two SOCs are the same. Every team has its own structure, division of responsibilities, culture, set of tools, and staffing challenges.

Some teams seem more mature from the outside, but even they could have key gaps—often in areas that seem deceptively basic, like ticketing systems, on-call rosters, playbooks, and alerting.

These are the bedrock elements that make any SOC functional, yet I've met plenty of teams that are missing one or more of them. And that’s a real problem.

Some teams just don’t know what “good” looks like because they’ve never been exposed to other ways of doing things.

They don’t know how they compare to other organisations in their field.

An external maturity assessment can quickly highlight these blind spots.

Maybe your team is actually performing well for its size and maturity level. Or maybe you're missing something fundamental that every SOC should have in place.

I've come across teams that don't even have a ticketing system in place, and they try to get by using email and chat messages. That’s not sustainable, and a third-party assessor can help you recognise when you're cutting corners and why it’s holding you back.

The big takeaway here is that when you assess your SOC, you’re not just looking for problems. You’re creating a roadmap that will guide you toward solutions that work for your team’s unique structure and goals.

Whether you’re knocking out "quick wins" or planning for larger, more complex overhauls, an assessment helps you pinpoint exactly what to prioritise and build on a solid foundation that will support you as you scale and mature.

After completing the SIM3 assessment, you’ll get a spider chart showing how your team scored across the four domains: organisation, human, tools, and processes.
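As an added example, not part of the original post and not Cosive's own tooling: a small Python script that takes two SIM3-style score sets (a baseline assessment and the follow-up a year later), averages the 0-4 maturity levels per domain (the figures behind the spider chart), and answers the "are we in a better position than a year ago?" question from earlier in the post by computing per-domain deltas and flagging parameters that regressed or still sit below a target level. The parameter IDs and scores are constructed sample data, and the target level of 2 is an assumption for illustration, not something the post or SIM3 prescribes.

```python
# SIM3 snapshot comparison: per-domain averages and year-over-year deltas.
# Added example, not Cosive's tooling. SIM3 scores each parameter on a
# maturity level 0-4 and groups parameters into four domains:
# O (Organisation), H (Human), T (Tools), P (Process).
# The parameter IDs and scores below are constructed sample data.

from statistics import mean

DOMAINS = {"O": "Organisation", "H": "Human", "T": "Tools", "P": "Process"}

# Constructed sample: the baseline assessment and the follow-up a year later.
BASELINE = {
    "O-1": 2, "O-2": 1, "O-3": 2,
    "H-1": 1, "H-2": 2, "H-3": 0,
    "T-1": 3, "T-2": 2, "T-3": 1,
    "P-1": 1, "P-2": 0, "P-3": 2,
}
FOLLOW_UP = {
    "O-1": 3, "O-2": 2, "O-3": 2,
    "H-1": 2, "H-2": 2, "H-3": 1,
    "T-1": 3, "T-2": 3, "T-3": 0,   # T-3 went backwards (constructed regression)
    "P-1": 2, "P-2": 2, "P-3": 2,
}


def _domain_of(param_id):
    """'T-3' -> 'T'. Raises on IDs that don't carry a known domain prefix."""
    domain = param_id.split("-", 1)[0]
    if domain not in DOMAINS:
        raise ValueError(f"unknown SIM3 domain in parameter {param_id!r}")
    return domain


def validate(scores):
    """Reject malformed input: unknown domain prefix or a level outside 0-4."""
    for pid, level in scores.items():
        _domain_of(pid)
        if not isinstance(level, int) or not 0 <= level <= 4:
            raise ValueError(f"{pid}: level {level!r} must be an integer 0-4")


def domain_averages(scores):
    """Mean maturity level per domain, rounded to 2 dp (the spider-chart axes)."""
    validate(scores)
    per_domain = {d: [] for d in DOMAINS}
    for pid, level in scores.items():
        per_domain[_domain_of(pid)].append(level)
    return {d: round(mean(v), 2) for d, v in per_domain.items() if v}


def compare(before, after):
    """Return ({domain: (before_avg, after_avg, delta)}, [regressed parameter IDs])."""
    b, a = domain_averages(before), domain_averages(after)
    trend = {d: (b[d], a[d], round(a[d] - b[d], 2)) for d in DOMAINS if d in b and d in a}
    regressions = sorted(p for p in before if p in after and after[p] < before[p])
    return trend, regressions


def below_target(scores, target=2):
    """Parameters still under the target level. target=2 is an assumed first milestone."""
    validate(scores)
    return sorted(p for p, level in scores.items() if level < target)


def summary_lines(before, after, target=2):
    """Plain-text report: one line per domain, then regressions and open gaps."""
    trend, regressions = compare(before, after)
    lines = [f"{DOMAINS[d]:<13} {b:.2f} -> {a:.2f} ({delta:+.2f})"
             for d, (b, a, delta) in trend.items()]
    lines.append("Regressed: " + (", ".join(regressions) or "none"))
    lines.append(f"Below target {target}: " + (", ".join(below_target(after, target)) or "none"))
    return lines


if __name__ == "__main__":
    print("\n".join(summary_lines(BASELINE, FOLLOW_UP)))
```

Run it as-is to see the year-over-year movement for the constructed data; with a real assessment you would swap in the team's own parameter scores and keep the two snapshots side by side so a regression like T-3 above is caught rather than hidden behind an improved domain average.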

Why we like the SIM3 framework for SOC maturity assessments

When we kick off our assessments, we like to anchor everything in the SIM3 framework published by the Open CSIRT Foundation, because it gets to the heart of the big question:

What exactly is your SOC defending?

It might sound obvious, but in a lot of organisations, this is a conversation that never actually happens.

Are you defending customer data? Workstations? Your suppliers?

The truth is, many teams have never clearly defined the scope of their responsibility. That’s where SIM3 really shines. It forces those fundamental questions to the forefront. Take, for example, the issue of authority: What can your SOC actually do when an incident pops up?

Can you storm into the office and rip laptops off desks for forensic analysis? Or are you in more of an advisory role, where your team has to give recommendations but lacks the authority to take direct action?

Maybe your team is constrained by budget, remote working challenges, or the company's franchisee model.

Whatever the case, answering these questions is essential. Yet, many SOC teams, even the technically mature ones, have never had that conversation.

Understanding your team charter

When we dig into these foundational questions, we’re not just talking about tactics or technologies. We’re talking about charter—why does your SOC exist, and what’s its true mission? What lines are you responsible for drawing, and where does your authority stop?

A lot of teams jump straight into managing alerts, improving detection coverage, or rolling out playbooks without having these basic conversations first.

But SIM3 forces that clarity from the start, ensuring that everything you do has a solid foundation. It asks the hard questions about authority and organisational alignment before diving into the tactical. It gets you thinking about the broader picture:

Is your SOC truly supported by the organisation?

Do other teams understand your responsibilities and the important role you play in protecting the business?

Do you have the financial backing and mandate you need to be effective?

Once you’ve sorted that out, then it’s time to focus on the tactical details:

How are alerts managed?

Do you have proper detection coverage?

And that’s where other maturity models sometimes come in. But SIM3, by addressing these core foundational questions first, gives you the context you need to prioritise everything else in a meaningful, strategic way.

That’s why we use it as the starting point for any assessment. It’s the first step toward building a SOC that truly knows what it’s defending and why.

A spirit of improvement

At the start of every engagement, I always lay it out like this:

The best attitude we can have is one of openness to improvement.

We’re here to help you get better, not to point fingers.

When we provide advice, it’s not about assigning blame.

It’s about taking a look at where you are now, and where you could be if you optimise with the people, budget, and tools you already have.

You may accept or reject our recommendations, but the key is to be open to them. After all, the goal is to evolve and improve.

We take great care to make sure that our assessments are never about individuals. We don’t name names or finger-point.

It’s not a personal audit, it’s a team-wide evaluation.

Some teams get defensive when they hear the word assessment. They see it as a judgment of their leadership or capability. But that’s not the case. Our reports are always constructive, focused on where you are and where you could go, not on passing judgment.

Working with what you’ve already got

One thing we really emphasise is working with what you’ve already got. The last thing we want is to come in and say, "You need to spend a ton of money on this shiny new software to be a real SOC."

Instead, we’ll look at your existing processes. Maybe you're still managing alerts with Excel spreadsheets, which isn’t ideal, but it’s what you have. We’ll figure out how to make that work better for you.

If your SOC only has three people, it’s unrealistic to expect the same operations or capabilities as a team of 100.

We're not here to sell you a whole new program or an expensive new tool. We’re here to help you make the most of what you’ve already got.

It’s something that comes up time and again when we ask people for feedback on our approach. They say: You didn’t try to sell us a big, expensive overhaul—you just showed us how to do more with what we already have. That’s exactly what we aim for.

We don’t push our services as the solution to everything. In fact, the assessment itself is standalone. If we suggest a solution or a change, it’s not because we’re trying to upsell. We genuinely believe it’s in your best interest, and it’s the right way to make your team better, regardless of whether you engage us again.

That’s the kind of mindset we take into every assessment: improvement, not indictment. We’re there to help you make your team stronger and more effective with the resources you have today.

Running assessments internally vs. getting external help

When it comes to assessing the maturity of a SOC, teams can absolutely self-assess using the SIM3 framework and its online self-assessment tool.

However, the real value of bringing in an independent party is that we don’t have the same blind spots that internal teams might. We’re not ingrained in the culture or the “way things are done.”

We come in with fresh eyes, and that perspective can be incredibly valuable. We’re not afraid to ask the "dumb" questions. For example, “So, what exactly does the business do?” It might seem basic, but you’d be surprised how many teams have never really asked themselves that.

Often, internal staff might feel awkward asking such questions, especially if they’re worried about overstepping or challenging the status quo.

For historical reasons, the team may have only ever focused on endpoint security. We may come in and ask "What about cloud?" and you may find there's not a good answer other than "Endpoint security is what we've always done."

By asking these questions, we can compare the answers against other organisations that are more similar to yours.

For example, we’re not going to rate your SOC against the likes of Google’s, but we can compare you to a similar-sized SOC in the energy sector, or in education, with a comparable budget and headcount.

We also come at the assessment from multiple angles. We don’t just talk to the SOC manager—we’ll often speak to the person above them, the most senior and the most junior technical staff, and even people outside the team.

Each person offers a unique perspective on how the team is performing, what the pain points are, and where they think things are going wrong. Sometimes these opinions can be wildly different, and that’s exactly why getting a full spectrum of views is invaluable.

More conversations, less box-ticking

We also don’t approach the SIM3 framework in a dry, tick-box fashion.

Going through the questions one by one might be useful for some, but it’s not the most effective way to get the team to open up. Instead, we make it conversational. The goal is to get people to speak freely, share their concerns, and offer insights without feeling like they’re under a microscope.

Every model has its strengths and gaps, and SIM3 is no different. We’ll take it as a starting point but always supplement it with our own observations and recommendations, often things that don’t neatly fit into the categories.

Sometimes, people are just desperate to be heard.

They’ve been talking about the same problems to higher-ups for months or years without getting anywhere. When they get the chance to speak freely, they often just pour it out. Others need a bit more nudging, but it’s all part of the process of truly understanding what’s going on inside the team.

The key is to ask these questions in an open-ended way. You can’t guide people too much, or you risk closing down the conversation and not getting to the real issues.

As for who organises the assessment, it varies. It's often someone higher up the chain, like the manager or even senior leadership, who wants to learn how other teams are doing things and bring in fresh perspectives. Sometimes it’s a bottom-up initiative, with analysts wanting to get external input.

The right mindset

Ultimately, the right mindset for a successful assessment is one of openness. Openness to change, openness to new ways of doing things, and openness to hearing feedback: good, bad, or otherwise.

Every time I conduct an assessment, I always come across something new, something clever the team is doing that I’ve never seen before. And more often than not, I think: “That’s a phenomenal idea. Why hasn’t anyone thought of that before?”

Our suggestions are always tailored to where you’re at. If you’ve got a three-person team, we’re not going to suggest a multi-million-dollar overhaul that’ll take two years to implement. That’s not realistic.

Instead, we’ll look for ways to help you improve incrementally, with small, achievable changes that will make your life easier right now.

It’s about finding the low-hanging fruit and giving you a clear path forward, step by step, so you’re in a better position in the short term, and can continue building towards long-term maturity.

***

If you're ready to take a strategic look at your SOC and tackle your biggest challenges with fresh insights, Cosive is an expert provider of SOC Maturity Assessments in Australia and New Zealand.

Our team has assessed a wide range of APAC SOCs and can provide actionable recommendations tailored to your unique needs.

Reach out to us to discuss a SOC maturity assessment and gain a clear, actionable roadmap for improvement.

Cover image by Nigel Tadyanehondo.