If you work in a large organization with an extensive attack surface, you might have considered establishing a security operations center (SOC) for more dedicated monitoring and response.
Establishing a SOC makes sense for enterprise organizations that face constant threats, handle sensitive and high-value data, and/or have large and complex infrastructures. Such organizations include financial institutions, healthcare organizations, government agencies, high-profile companies, large entertainment companies with A-list celebrities on their rosters, and massive e-commerce companies.
For these organizations, a SOC is a must, but the real question is whether they need to establish that SOC in-house or opt for an outsourced SOC through a vendor. There are pros and cons to both options, so let’s dive right in.
A SOC is a hyper-focused, dedicated team of security experts and analysts who continuously monitor, analyze, and respond to cybersecurity incidents. These highly qualified professionals work 24/7 to protect your organization’s environment and minimize the impact of a security incident. Given today’s work culture, SOC teams can be on-premises, remote, or hybrid.
A SOC is made up of a team of experts with various roles. This includes:
Each role has its specific functions and, with the use of various sophisticated tools and solutions, ensures that threat research is up to date, vulnerabilities are identified and remediated, and compromises or incidents are addressed immediately.
Which brings us to the question of in-house versus outsourced SOCs. The above is what you can expect from either option, but there are major differences between the two approaches, so it’s important to consider what is best for your organization before committing to building an in-house SOC.
When you work with an in-house SOC, you can customize it to your exact criteria. This includes:
Customizability is key here. Rather than trying to work with a SOC that may not have experience with a specific tool or is unfamiliar with the infrastructure of your organization, you can adapt an in-house SOC to your specific needs.
An in-house team is inherently more efficient: onboarding, communication, policy adherence, and even adopting company culture are faster and more effective with an internal unit. And when a cybersecurity incident occurs, an in-house SOC keeps communication with third parties to a bare minimum, making response much swifter.
This is especially important depending on the severity of the incident, as other entities and departments are likely to get involved, such as legal and regulatory bodies.
In other words, a breach is complex enough on its own. Bringing in multiple third-party vendors only adds to that complexity. Running it all in-house can drastically reduce the overall confusion.
It can be challenging to change providers, or even to change the scope of an existing provider’s engagement, so any major shift in your organization can impact an external SOC’s operations or performance. An internal SOC, by contrast, can adapt as your organization changes.
An in-house SOC is hyper-focused on proactive detection and response. When it’s an in-house department, it will naturally accumulate insight into the threat vectors and overall security landscape particular to your organization, allowing it to adapt its operations to specifically suit your company. This means your SOC can easily shift and react in response to changes in headcount, infrastructure, added locations, or new systems, assets, and vendors.
This can be a major benefit if an organization is moving extremely quickly and is struggling to find a SOC that effectively serves all the specifics of the organization.
Assuming you have the tech knowledge to perfectly design the SOC, can afford it, and have the right tech people—it’s still going to take time to set up.
A lot of time.
From our experience, the setup, hiring, approvals, and onboarding of tools and technology can take anywhere from 12 to 36 months, which means your company carries unmitigated risk during that time. With the threat landscape moving so quickly, no company can afford to run without full monitoring coverage for that long. Nor is there any guarantee that your initial plans for a SOC won’t be outdated by the time implementation finishes, whether because your organization’s infrastructure has changed or because new threat types and vulnerabilities have emerged, as we are seeing with AI.
This is another reason only large organizations should consider an in-house SOC—they cost a staggering amount of money, both to set up and to run.
Some of the costs involved include:
According to Security Magazine, the average annual cost of running an in-house SOC in 2022 was $2.86 million. A team of five junior analysts—the minimum complement, according to the article—costs $500,000 on its own. However, you’ll likely need more experienced analysts and pay upwards of $150,000 per hire.
Note that this figure is from two years ago, before 2023’s record levels of data breaches. As cybersecurity demands grow, so do the costs. This is often the biggest strike against an in-house SOC, and rightly so: few organizations can dedicate such a large budget to cybersecurity.
We touched on the talent gap previously, but it merits a section of its own.
Even the most perfectly designed SOC can’t run without the right people. And that’s an issue for many organizations.
The cybersecurity labor shortage has been ongoing for years and shows no signs of abating. In a study conducted in late 2023, ISC2 reported that the cybersecurity workforce gap had reached a record high, with 4 million professionals still needed, resulting in approximately $8.5 trillion in unrealized annual revenue.
Despite the workforce growing by 8.7% between 2022 and 2023, an impressive number for any industry, the gap itself grew by 12.6%, and only 52% of cybersecurity professionals believe their organizations are adequately equipped to face the challenges anticipated in the next 3-5 years.
The talent gap causes several problems:
Finding top talent is challenging enough in an ecosystem where people are desperately seeking higher-paying jobs, or even second jobs, to combat the last three years’ inflation. For many organizations, finding affordable talent in a sector with a massive labor shortage is therefore virtually impossible.
In reality, only companies with large budgets, and typically more complex environments, can afford to build an in-house SOC. For most other organizations, an outsourced SOC is the preferable choice: it is vastly less expensive and can be set up in a fraction of the time without compromising coverage or response capabilities.
The right outsourced SOC will be composed of top-tier analysts and threat intelligence experts who are at your service 24/7. They’ll be able to observe the security landscape across your sector, recognize developing threats in your broader industry before they impact your business, and streamline actions when incidents do occur.
In-house SOCs made sense when reliable managed providers didn’t exist, but given the shift in the cybersecurity vendor landscape, the in-house SOC is becoming a relic of the past; organizations now have better, less expensive, and more reliable options.
To learn more about how SolCyber’s managed 24/7 SOC offering can help you, reach out to us for a chat.
Join Paul Ducklin and SolCyber CTO David Emerson as they talk about the human element in cybersecurity in the first episode of our new podcast TALES FROM THE SOC.
Get insights into the opportunity cost of managing your own SOC, the importance of intent focus in security, and more.
Don’t miss this wisdom-filled podcast from the cybersecurity experts at SolCyber:
Find Tales from the SOC on Audible, Spotify, Podbean, or via our RSS feed if you run your own podcatcher app.