Security Operations / By Jason Mical During the past decade, security operations centers (SOC) have become an integral part of the cybersecurity programs of many organizations. When you think of a defined team spending all of its time managing security events and using consistent processes for remediation, you may envision a group of company employees who report to a CIO or CISO. While that description fits the majority of organizations that use a SOC, others opt to outsource some or all of their SOC responsibilities to specialized outside organizations, typically managed security service providers (MSSP). A Ponemon Institute survey—sponsored by Devo—of more than 500 IT and IT security professionals shows that the vast majority of respondents (78 percent) currently have a SOC or plan to deploy one. However, of the hundreds of respondents who currently have a SOC, more than half are outsourcing some or all of their security operations center work. 3 reasons organizations outsource their SOC There are several reasons organizations choose to outsource their SOC responsibilities. The most common motivations are resource limitations (mostly people related), budget constraints, and lacking the urgency that typically occurs when an organization is hit by a significant cybersecurity incident. Let’s take a look at each of these reasons and the impact they have on SOC deployment decisions. 1) Inability to recruit and retain in-house expertise We live in an era of ubiquitous technology. Most organizations—businesses, governments, schools, etc.—have a growing appetite for new technologies designed to enhance their operations, which requires skilled professionals to maximize those significant technology investments. Not surprisingly, the more technologies organizations deploy, the harder—and almost always more expensive—it is to recruit and retain talented experts to operate all of that hardware and software. Nowhere is this more evident than in the world of cybersecurity. Information is more valuable than ever and keeping it safe from internal and external threats is an ongoing battle. One of the most challenging areas for organizations to attract and keep talent is in the SOC. Make no mistake, working in a SOC is a difficult job, especially for entry-level Tier-1 analysts, the first line of defense, who have a high burnout rate. The pressures of the job, and the demand for people who have the skills to do the work are why there are more SOC jobs than qualified candidates. This inability to bring together an expert in-house team along with the technologies they need to do their work, is the reason 70 percent of respondents said their organization decided to outsource the SOC. Closely tied to the challenging hiring environment and the difficulty of retaining experienced analysts is the immaturity of in-house SOC teams, cited by 63 percent of respondents as a reason for outsourcing their SOC. 2) Search for greater efficiencies and cost effectiveness In the chart above, 60 percent of respondents said outsourcing their security operations center represented a significant cost savings. Other areas of ineffectiveness cited most often as reasons for choosing the outsourcing route include the speed of deploying services (54 percent), an improved security posture (42 percent), and improved compliance (39 percent). For organizations without the resources required to establish and maintain an in-house SOC, selecting an MSSP could provide the needed security expertise without blowing the overall IT budget. The goal is to strike the right balance of improved security and financial responsibility. Outsourcing all of part of a SOC is also a great way for resource-constrained businesses to focus their in-house team and budget on other areas of effective IT operations, while also addressing challenges such as lack of visibility and slow remediation. 3) The powerful motivation of a compelling event A bigger budget might be the top reason organizations would deploy an in-house or outsourced SOC, but the next two incentives for establishing a SOC involve the ramifications of a security-related event. Sixty percent of respondents said their organization would likely deploy a SOC if it suffered significant data loss from a cybersecurity incident. And following close behind, 57 percent cited a significant financial loss due to a security event as the compelling event that would drive them to deploy a SOC. Recommendations The cost of establishing an in-house SOC or outsourcing to a vendor requires a sufficient budget. If you are in the position of having to justify the budget request for a SOC (particularly now, when many businesses have to tighten their belts due to the pandemic) be sure to estimate what the cost of not having a SOC could be in terms of an incident that could cost your business greatly in terms of data or financial losses. A SOC—in-house or outsourced—isn’t a one-size-fits-all endeavor. Consider what type of SOC you need based on the size of your organization and the nature of your business. You don’t have to start with a huge SOC team and budget more commonly found in a large multinational organization. You can get started with a small team of employees and a few key tools. Your SOC can then grow with your business, when you’ll likely have a larger budget at your disposal. The same goes for choosing an outsourcing vendor with proven experience managing a SOC for organizations similar in scope to yours. Regardless of the approach, make sure to reference common SOC best practices to achieve success. Working with an outsourced SOC service doesn’t have to be an all-or-nothing proposition. Like 36 percent of survey respondents, you could choose to outsource only the work of Tier-1 and/or Tier-2 analysts. If you outsource the less highly skilled Tier-1 work to a managed security service provider (MSSP), you could opt to have the Tier-2 and especially the Tier-3 analysts—the more experienced professionals who specialize in identifying and responding to the threats that matter most to your business—as employees on your in-house team. This would control your in-house costs, ease recruiting pressures, and provide great flexibility to your security organization. For additional research and survey data, download the full Ponemon Institute report, Improving the Effectiveness of the SOC.