Security operations teams are under pressure from both sides. On one hand, threats are increasing in volume and sophistication. On the other, hiring experienced security talent is expensive, slow, and increasingly competitive. CISOs are left with a recurring question that has no simple answer. When should you hire more people, and when should you automate?
This question sits at the heart of security operations staffing today. The traditional approach of scaling by adding headcount is breaking down. Budgets are finite. Burnout is real. At the same time, automation and managed models are maturing quickly. The challenge for decision-makers is not choosing between people and technology, but designing security operations staffing that balances resilience, cost, and sustainability.
More Alerts, Fewer People
Most security operations centres today face the same structural problem. Alert volumes are rising faster than teams can absorb them. Research and industry commentary consistently show that analysts spend a disproportionate amount of time on repetitive triage and investigation tasks, rather than high-value analysis and response.
At the same time, SOC models are diversifying. Organisations are no longer choosing between building everything in-house or outsourcing entirely. Hybrid models are becoming the norm, combining internal teams, automation, and a SOC staffing model that selectively blends multiple operating approaches. Guidance from sources such as ClearNetwork and D3 Security outlines several SOC models, ranging from fully internal teams to co-managed and virtual SOCs, each with different staffing implications.
Another major shift is the rise of the modern SOC. As described by Radiant Security and Teknowledge, modern SOCs emphasise detection quality, response speed, and workflow efficiency over raw alert handling capacity.
In this environment, hiring more analysts without changing how work is done often leads to diminishing returns.
What Zentara Sees in the Field
At Zentara, we see organisations repeatedly fall into two traps when it comes to security operations staffing.
The first is over-hiring too early. Faced with an alert backlog, leaders add headcount quickly. Initially, this helps. Over time, the team becomes overwhelmed by manual processes, inconsistent playbooks, and context switching. Costs rise, but risk reduction plateaus.
The second trap is over-automating without ownership. Some organisations invest heavily in tooling as part of a broader security automation strategy, assuming technology will replace people. In practice, poorly designed automation can amplify noise, create blind spots, and leave teams unsure who is accountable when something goes wrong.
More effective organisations take a deliberate, phased approach. They hire for judgement and decision-making, not volume handling. Junior analysts are supported by automation that removes repetitive work, while senior analysts focus on threat investigation, response coordination, and continuous improvement.
We also see growing use of dedicated or embedded staffing models. Rather than building large central teams, organisations place skilled security personnel closer to critical business units or environments. This model, discussed in operational continuity literature, improves context and response quality without inflating headcount.
The common theme is clarity. Teams that succeed are clear about what requires human judgement and what does not.
Decide Based on Decision-Making, not Workload
A useful way to decide when to hire and when to automate is to start with the nature of the work.
Automate tasks that are repetitive, predictable, and rules-based.
Examples include alert enrichment, log correlation, initial triage, and standard containment actions. These tasks benefit most from automation because consistency matters more than creativity. Automation here reduces fatigue and frees analysts to focus on higher-value work.
Hire for tasks that require judgement, context, and accountability.
Incident command, threat hunting, investigation of novel attacks, and communication with executives cannot be fully automated. These activities define the value of experienced analysts and shape effective security operations staffing decisions.
Use hybrid and managed models strategically.
Co-managed SOCs and managed security services can provide scale and coverage without permanent headcount increases. As highlighted by Teknowledge and D3 Security, these models work best when internal teams retain ownership of priorities and outcomes, rather than outsourcing responsibility entirely.
Continuously rebalance.
Staffing models should evolve as the threat landscape and business change. Work that requires human judgement today may become automatable tomorrow. Regularly reassessing this balance is a leadership responsibility, not a tooling exercise.
This framework shifts the conversation from “How many analysts do we need?” to “Where does human decision-making add the most value?”
Staffing is a Strategic Security Decision
Security operations staffing is no longer an operational afterthought. It is a strategic decision that directly affects resilience, cost, and risk.
The most effective organisations stop treating hiring and automation as opposing choices. Instead, they design security operations staffing models that use automation to remove friction and people to provide judgement and accountability.
The goal is not to build the largest SOC, or the most automated one. It is to build a team that can make the right decisions, at the right time, under pressure.
If you want to assess your current SOC staffing model and design a structure that scales without burning out your team, Zentara can help.


