Why SOAR Can’t Meet the Unique Cybersecurity Needs of 911 Centers and PSAPs
Public safety agencies like 911 centers, ECCs, and PSAPs face unique cybersecurity challenges—ones that can’t be solved with automation alone. While SOAR (Security Orchestration, Automation, and Response) has gained popularity in the enterprise space, its one-size-fits-all approach introduces significant risks for public safety operations. In environments where real-time decisions impact lives, removing human oversight in favor of automated threat response can lead to devastating consequences. This article breaks down why SOAR is not a practical—or safe—cybersecurity solution for public safety and what agencies should consider instead.
What is SOAR?
SOAR is the acronym for Security Orchestration, Automation and Response.
A SOAR system offers an end-to-end security solution that integrates various security tools so that threats can be responded to automatically, requiring little to no human intervention. The intent is to streamline IT operations, save time, reduce staffing needs and drive down costs. A SOAR solution can be customized to fit an organization's needs and IT infrastructure.
An ever-expanding attack surface, driven by new technologies, managed and unmanaged devices, applications and software programs, not to mention third-party vendors, is an IT nightmare. Many enterprises have looked to SOAR as a means of managing and responding to cyber threats, identifying system vulnerabilities and setting up rules and procedures for automated security responses.
Why SOAR is a Risky Approach for Public Safety Cybersecurity
- Expense – initial programming and customizations can drive up the cost of implementation
- Continual Updates Required – keeping the database up to date with evolving cyber threat information and response scenarios adds to the cost of maintaining it
- IT Coding Expertise and Skilled Analysts Required
- Dependent on Data Accuracy – poor data can negatively impact effective incident response
- Security Tool Integration Issues – not all security tools are compatible
- Regulation, Legal and Compliance Frameworks – SOAR may not be compatible or align with framework requirements
- Security Gaps – SOAR does not and cannot close all the gaps in the security stack or account for new and evolving threat TTPs
- Ignores Security Culture – SOAR does not integrate/communicate with other departments beyond IT and does not take into account employee cybersecurity awareness or training
Given the challenges associated with SOAR, the overarching question is whether this type of system solution is practical for public safety.
Why SOAR Doesn’t Work for 911 Centers, PSAPs, and ECCs
Day-to-day public safety operations change dynamically in real time, and human expertise is an integral part of the public safety ecosystem. Introducing automated security processes without human oversight can add network vulnerabilities, create blind spots, and trigger unintended situations that impact life-saving response and services.
One wrong automated response could create a devastating DDoS situation contributing to the erosion of public trust.
SOAR systems come with built-in APIs that introduce another endpoint, providing a potential gateway for unauthorized access, data breaches and exploitation.
Automated incident response also has the potential to disrupt CAD, radio communications and databases containing sensitive information.
Implementing SOAR is challenging and resource intensive because of complex interoperability issues and the lack of standardization within the public safety sector. Budget limitations and the strain imposed on resource-strapped IT teams are also contributing factors.
Public safety operates under specific strict regulatory guidelines for radio communications, the protection of CJIS data and the protection of the communities they serve.
The Best Cybersecurity Approach for Public Safety: Combining Human Expertise with AI
The combined power of artificial intelligence and machine learning gives a continuous cybersecurity monitoring solution the speed and efficiency to reduce mean time to detect (MTTD) and mean time to respond (MTTR). Skilled human expertise and intuition cut through the noise, distinguishing real threats from false positives.
Why Public Safety Needs Continuous Cybersecurity Monitoring Over SOAR Automation
- Cybersecurity solutions should be customized to a public safety organization’s network architecture, infrastructure and security needs.
- Cybersecurity solutions should be compatible with compliance and regulatory requirements.
- Cybersecurity solutions should use AI and ML tools efficiently for data capture and prioritization of threats but allow for human oversight rather than replacing it with automated responses that may not be appropriate for evolving threat situations within a public safety network.
- Cybersecurity solutions should provide transparent network visualization with context documented results.
- Cybersecurity solutions should be field proven.
- Cybersecurity solution methodologies should be continually updated with the latest threat information.
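As an added illustration (not code from the article or from any SOAR product), the human-oversight model described in the list above can be expressed as a gate placed in front of a response engine: enrichment and notification actions run automatically, while any disruptive action aimed at a protected public safety asset (CAD, radio gateway, CJIS database) or carrying a low confidence score is queued for an analyst instead of executing. The asset inventory, action names, the 0.9 threshold and the sample proposals are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    AUTO_EXECUTE = "auto-execute"
    HOLD_FOR_ANALYST = "hold-for-analyst"
    REJECT = "reject"


# Constructed inventory of assets whose disruption could interrupt
# life-safety services; a real deployment would load this from a CMDB.
PROTECTED_ASSETS = {
    "cad-app-01": "computer-aided dispatch",
    "radio-gw-01": "radio gateway",
    "cjis-db-01": "CJIS database",
}

# Actions that can interrupt service: never executed without an analyst
# when a protected asset is involved or confidence is low.
DISRUPTIVE_ACTIONS = {"isolate_host", "block_ip", "disable_account", "kill_process"}

# Actions that only gather context or raise visibility; safe to automate.
OBSERVE_ACTIONS = {"enrich_indicator", "snapshot_memory", "open_ticket", "notify_oncall"}


@dataclass(frozen=True)
class ProposedAction:
    action: str
    target: str
    confidence: float  # constructed 0.0-1.0 score from the ML prioritization layer


@dataclass(frozen=True)
class GateResult:
    proposal: ProposedAction
    decision: Decision
    rationale: str


def gate(proposal: ProposedAction, auto_threshold: float = 0.9) -> GateResult:
    """Decide whether a proposed response may run without a human in the loop."""
    if proposal.action in OBSERVE_ACTIONS:
        return GateResult(proposal, Decision.AUTO_EXECUTE, "observe-only action")
    if proposal.action not in DISRUPTIVE_ACTIONS:
        # Unknown playbook verbs are rejected rather than guessed at.
        return GateResult(proposal, Decision.REJECT, f"unknown action {proposal.action!r}")
    if proposal.target in PROTECTED_ASSETS:
        role = PROTECTED_ASSETS[proposal.target]
        return GateResult(proposal, Decision.HOLD_FOR_ANALYST,
                          f"{proposal.target} is a protected asset ({role})")
    if proposal.confidence < auto_threshold:
        return GateResult(proposal, Decision.HOLD_FOR_ANALYST,
                          f"confidence {proposal.confidence:.2f} below {auto_threshold:.2f}")
    return GateResult(proposal, Decision.AUTO_EXECUTE, "non-protected asset, high confidence")


def triage(proposals, auto_threshold: float = 0.9):
    """Split a batch of proposals into what runs now and what waits for an analyst."""
    queues = {d: [] for d in Decision}
    for p in proposals:
        result = gate(p, auto_threshold)
        queues[result.decision].append(result)
    return queues


# Constructed sample batch, as an ML prioritization layer might emit after an alert.
SAMPLE_PROPOSALS = [
    ProposedAction("enrich_indicator", "203.0.113.7", 0.55),
    ProposedAction("isolate_host", "cad-app-01", 0.97),   # high confidence, but protected
    ProposedAction("isolate_host", "ws-lobby-12", 0.97),  # ordinary workstation
    ProposedAction("block_ip", "198.51.100.9", 0.62),     # too uncertain to automate
    ProposedAction("wipe_disk", "ws-lobby-12", 0.99),     # not a sanctioned verb
]

if __name__ == "__main__":
    for decision, results in triage(SAMPLE_PROPOSALS).items():
        for r in results:
            print(f"{decision.value:17} {r.proposal.action:17} {r.proposal.target:15} {r.rationale}")
```

The point of the design is that the model's confidence score never overrides the asset inventory: a 0.97 score still holds the CAD isolation for a person, while the same action against an ordinary workstation proceeds, and the rationale string gives the analyst the context needed to approve or reject quickly.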
Cybersecurity Public Safety Can Trust
Advanced threat detection demands a hands-on, skilled cybersecurity team that partners with IT teams for efficient and effective incident response, coupled with a scalable solution that can be dialed up when necessary. Not all responses are textbook in nature, and in unforeseen scenarios automated responses can create unintended collateral damage that could disrupt life-saving public safety services. From detection and analysis to containment, eradication and recovery, human oversight and immediate on-call assistance are critical every step of the way for guiding an organization through a crisis and providing peace of mind.