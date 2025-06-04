The security operations centre (SOC) has served public sector cyber teams well over the years but is fundamentally a reactive tool and now needs to be superseded by something else in order to address not just alerts about in-progress security events but the underlying risks that lead to them, all in the service of ‘doing’ cyber more efficiently and, crucially, cheaper.

This is the view of Qualys CEO Sumedh Thakar, who, speaking at an event for federal government IT leaders hosted in the Washington DC suburbs at the end of May, defined the new-generation SOC as a ROC, where the letter R stands for risk.

Thakar said that things needed to change in the cyber security world. “Continuing in the way that we have where we would scan every week or two and those scans were dumped somewhere on a hard drive somewhere and then someone goes and triages those manually and then you try to fix everything that comes your way – that approach is not really a success,” he said. “Continuing that approach is just not in the future.”

He urged CISOs to stop putting so much effort into attack surface management and refocus on risk surface management, where risk management is defined as the mitigation of risk – or transfer of it to someone else – for the most plausible losses that could affect the organisation.

It is not possible to get risk down to zero, so it is important to figure out how to address the most plausible factors and address those instead.

For a company the most plausible loss will likely be a dollar revenue or profit figure. However, public sector organisations have it tough because they have a very different perspective on what ‘loss’ looks like beyond the financial cost.

For example, they could and should be more worried about the safety of the general public or frontline personnel, national security, critical infrastructure security, economic stability, or public health, said Thakar, referencing attacks such as the infamous Colonial Pipeline incident, which paralysed petrol stations across a swathe of the US in 2022.

“For most agencies it is really about aligning factors to what is the potential disruption to the mission, to the programme, that currently is important,” he said.