Skip to content
Security Operations

4 Questions to Ask in Building a Security Operations Center

March 24, 2020

Building an in-house SOC represents a significant commitment, both financially and strategically, to securing your enterprise. In a report from the Ponemon Institute—based on a survey sponsored by Devo of more than 500 IT and security practitioners—67 percent of respondents said their SOC was “very important” or “essential” to their organization’s overall cybersecurity strategy. Developing a complete and clear understanding of the key security operations center roles, responsibilities and disciplines is an essential foundation for building an effective SOC that will be an asset to the security of your business.

#1: How to structure your security operations team?

Let’s start by answering the question “what is a SOC?” According to the Ponemon report, a SOC is “a team of expert individuals and the facility in which they work to prevent, detect, analyze and respond to cybersecurity incidents.” For a SOC to be successful requires “support from the organization’s senior leaders, investment in the right technologies, and the ability to hire and retain a highly skilled and motivated team.”

Most survey respondents said their CISO or CIO typically leads SOC operations. However, 19 percent say no single function has clear authority and accountability for the SOC. In these organizations, it can be much more difficult to make important decisions about SOC operations and how to improve performance.


When determining the reporting structure for your SOC, it is critical to select a leader who can:

  • Can create opportunities for each business unit to identify and prioritize strategic imperatives
  • Will ensure the SOC team has full visibility into the organization’s IT environments
  • Has sufficient clout within the business to ensure the SOC has sufficient budget to perform its vital work

#2: What are security operations teams responsible for?

What are the primary tasks performed by SOC team members? The top three activities, according to the survey results, are implementing technologies, patching vulnerabilities, and investigating threats. SOC team members are typically less involved in setting priorities or determining strategy. The following table shows nine of the most common SOC tasks.

Most respondents say their SOCs (52 percent) provide 24/7/365 monitoring and management support, despite the stress this workload places on employees. Only 23 percent of respondents take a more flexible approach with their SOCs.


Take the time to clearly lay out roles and responsibilities for the SOC team. Working in a SOC is a tough job, especially for the analysts who do the heavy lifting of identifying, hunting and investigating threats. Be sure team members know who is responsible for key activities and establish an open communication channel for feedback, questions and suggestions for improvements.

#3: What technologies and services does a SOC have?

There is no shortage of technologies, tools, and services at the disposal of the modern SOC. Selecting the ones that are the best fit for your maturity and objectives are critical. Using the insights provided by respondents to the Ponemon survey, below are the key recommendations to consider when your organization is ready to establish a SOC:

  • Get your head in the cloud: More and more technologies are available as cloud solutions. Take advantage of this trend and maximize the flexibility and capabilities of your SOC by leveraging cloud-based SaaS offerings whenever possible. According to the Ponemon report, 53 percent of respondents said the IT infrastructure that houses their SOC is mostly cloud (29 percent) or a combination of cloud and on-premises (24 percent). Just 47 percent of respondents said their infrastructure is totally on-premises. It’s likely this gap will continue to widen.
  • Take advantage of threat intelligence: The majority of survey respondents (51 percent) said their companies are investing in threat intelligence feeds. Of these organizations, 54 percent use a combination of open-source and paid feeds. But most organizations don’t rely solely on external feeds. Sixty percent of organizations that invest in threat intelligence feeds said they develop internal custom feeds based on a technology profile.
  • Don’t overlook protection: The security solutions most often used by SOCs include firewalls (monitored or managed), intrusion-prevention systems (IPS), and intrusion-detection systems (IDS). Other frequently deployed solutions range from managed vulnerability scanning of everything from networks to applications, firewalls, and unified threat management (UTM) technologies.
  • Be analytical: To accomplish the core SOC functions of detecting, hunting and responding to enterprise threats, most SOCs rely on a full stack of cybersecurity analytics capabilities. These typically range from log management and SIEM to security orchestration and automation technologies.

#4: How much does a security operations center cost?

The average annual cybersecurity budget for organizations surveyed is $26 million. As shown in the following chart, only four percent of respondents say more than 50 percent of the cybersecurity budget will be allocated to their SOC. The average allocation is 30 percent of the total cybersecurity budget.


It’s not realistic to spend most of your cybersecurity budget on establishing and operating a SOC, but it’s not the place to pinch pennies, either. To be effective, SOCs require people, technology and other assets, all of which cost money. Building a SOC is a major commitment—financially and in terms of time and effort—for any business. That’s why business alignment on SOC objectives, budget usage, and performance measurement are so critical for ensuring strong business alignment moving forward. Make a plan and get buy-in from all involved groups and executive leaders. The goal is to achieve overall cybersecurity effectiveness. Make sure the SOC has the resources it needs to do its part.

For additional resources on developing an effective security operations center, read our post on SOC best practices and the full research report from The Ponemon Institute.

The next post in this series will examine options for outsourcing SOC operations for organizations considering that approach.

More Data. More Clarity. More Confidence.