Richard Holland writes about the shortcomings of national Security Operations Centres (SOCs) from his perspective as Quorum Cyber’s Field Chief Information Security Officer (Field CISO). This article is intended to support policy discussions, board-level assurance, and sustainable public-sector cyber resilience strategies.

National SOCs

National and shared Security Operations Centres (SOCs) are repeatedly proposed as a solution to public-sector cyber challenges. The logic appears compelling: shared capability, lower cost, pooled scarce skills, and consistent protection at scale. These arguments have underpinned several high-profile UK initiatives, most notably the Scottish National SOC, alongside frequently cited sector examples such as the NHS cyber model and Jisc’s role in higher education.

Yet, when examined closely, these initiatives tell a more nuanced story. The Scottish National SOC struggled to scale as a fully centralised operational service, while the NHS and Jisc are often mischaracterised as national SOCs when, in reality, they operate very different, federated models.

This paper sets out the background to these initiatives and challenges the most common myths used to justify national SOCs, contrasting them with what has demonstrably worked in practice.

Background: National SOCs in the UK context

The Scottish National SOC

The Scottish National SOC emerged from Scotland’s Cyber Resilience Strategy in the late 2010s, with the ambition of providing shared detection and response capability across the Scottish public sector. It was intended to improve resilience, reduce duplication, and address cyber skills shortages, particularly for smaller and less mature organisations.

In practice, the initiative operated primarily as a pilot between 2018 and 2020. Adoption was uneven, and by 2021 the emphasis had shifted away from a single national SOC towards coordination, guidance, threat intelligence sharing, and sector-led resilience. The concept was not formally closed; rather, it evolved as the practical limitations of full centralisation became apparent.

The NHS cyber security model

The NHS is frequently cited as evidence that national SOCs can operate effectively at scale. However, the NHS does not run a single, universal SOC providing end-to-end detection and response for all trusts and health boards.

Instead, it operates a sector-led model in which central bodies provide national coordination, intelligence, assurance, and incident support, while individual trusts retain operational responsibility, incident command, and local SOC or MDR capability. This distinction is critical to understanding why the NHS model scales.

Jisc and higher education

Similarly, Jisc is often described as a national SOC for higher education. In reality, Jisc focuses on protecting shared infrastructure such as the Janet network, providing threat intelligence, distributed denial-of-service (DDoS) mitigation, and coordination services. Universities and colleges remain autonomous, retaining responsibility for cyber risk, detection, and response.

These three examples form the backdrop for the myths that continue to shape national SOC debates.

Myth 1: “A national SOC automatically improves cyber resilience”

Why the myth persists
Cyber resilience is frequently conflated with scale. It feels intuitive that a larger, central SOC will detect more threats, correlate more signals, and respond faster than fragmented local teams. This assumption underpinned the original ambition of the Scottish National SOC, where shared monitoring was expected to translate directly into improved resilience across a diverse public sector.

Why it breaks down in practice
The Scottish National SOC demonstrated that detection quality is driven less by volume or centralisation than by relevance. The most valuable security signals are shaped by the culture, processes, and technical complexity of individual organisations. Behaviour that is anomalous in one council, university, or health body may be entirely normal in another.

Central SOCs struggle to tune detection logic effectively across such diversity because they lack day-to-day proximity to how systems are actually used and how people work. The result is often generic or noisy alerts, requiring local teams to reinterpret centrally generated signals. This erodes confidence, slows response, and ultimately weakens resilience.

Reality
Resilience improves when detection is tightly tuned to local context and coupled with local operational decision-making.

The Truth: Resilience is an organisational property, not a monitoring function.

 

Myth 2: “Centralisation solves the cyber skills shortage”

Why the myth persists
Public-sector organisations face persistent challenges in recruiting and retaining cyber talent. Pooling scarce skills centrally appears, on the surface, to be more efficient than competing individually.

Why it breaks down in practice
Central SOCs face the same labour market pressures as individual organisations, often compounded by constraints around pay, career progression, and shift patterns. In practice, they compete directly with commercial managed detection and response (MDR) providers and cloud vendors without comparable incentives.

Reality
Centralisation shifts the skills problem; it does not remove it. Buying outcomes through MDR and incident response partnerships consistently proves more sustainable than attempting to build permanent in-house SOC teams.

The Truth: You can centralise teams, but you cannot centralise a broken skills market.

 

Myth 3: “The NHS proves that national SOCs work at scale”

Why the myth persists
The NHS is often cited as evidence that a national SOC model can operate successfully across thousands of organisations delivering critical services.

Why it breaks down in practice
The NHS does not operate a single, fully centralised SOC. Instead, it uses a deliberately federated model reflecting clinical risk, patient safety, and statutory accountability. Central bodies provide coordination, intelligence, assurance, and incident support, while trusts retain incident command and response authority.

Reality
The NHS model works at scale precisely because it avoids universal centralisation.

The Truth: What scales in the NHS is coordination, not control.

 

Myth 4: “Jisc is a national SOC for higher education”

Why the myth persists
Jisc’s national remit and visibility lead many to assume it functions as a central SOC for higher education.

Why it breaks down in practice
Jisc does not take ownership of institutional cyber incidents. Its role is focused on enablement: protecting shared infrastructure, providing intelligence, and supporting coordination when needed. Universities retain autonomy over cyber risk and response decisions.

Reality
Jisc succeeds because it strengthens the ecosystem rather than replacing institutional responsibility.

The Truth: Enablement scales across higher education; enforced control does not.

 

Myth 5: “Cost savings justify centralised SOCs”

Why the myth persists
Shared services are often promoted as a way to reduce duplication and achieve economies of scale.

Why it breaks down in practice
Centralised SOCs introduce significant integration complexity that is routinely underestimated. Diverse technology estates, legacy systems, and existing contracts require extensive re-engineering, creating cost, delay, and additional risk. Partial adoption further erodes the expected economic benefits.

Reality
Cost efficiency comes from simplification and outcome-based services, not from central ownership of platforms.

The Truth: Complexity is the hidden cost that erodes promised SOC savings.

 

What actually works: The counter-model

Experience across Scotland, the NHS, and higher education shows that resilience improves when cyber operating models align with how accountability and risk actually function.

Federated detection and response allows capability to scale while keeping response close to operational reality. Local accountability ensures cyber risk remains a board-level responsibility. Centralised intelligence and coordination strengthen the ecosystem without displacing ownership. Commercial MDR provides a pragmatic option where in-house capability is unsustainable.

Crucially, cyber security extends beyond the SOC. Identity, data protection, architecture, supplier risk, resilience planning, user behaviour, and recovery all shape outcomes. Strengthening cyber security is therefore always a holistic exercise, rooted in local context. SOC capability must support this wider strategy, not substitute for it.

Conclusion

National SOCs remain attractive because they promise simplicity in a complex problem space. Experience from Scotland, the NHS, and higher education shows that this promise is often illusory.

Cyber resilience does not scale through consolidation alone.

It scales through federation, trust, clear accountability, and outcome-focused partnerships. The most successful national and sector cyber initiatives work precisely because they understand this distinction.

 

Protect your data 24 hours a day 

Centralisation is not the only alternative to building everything in-house. Quorum Cyber helps organisations achieve 24/7 detection and response through outcome-based MDR and incident response partnerships that preserve local accountability while improving operational efficiency. If your SOC strategy is limited, start a conversation with our specialists today to learn how MDR can efficiently boost your cyber security posture.
