By Chris Fountain on Sep 19, 2024
Upleveling your detection and response capabilities to combat threats and manage risk is a no-brainer. Whether to build an in-house SOC or outsource it is not as clear-cut. Designing a security operations center depends greatly on factors like budget, risk profile, and organizational goals. When speaking with security leaders about SOC services, and whether to build in-house, a common theme consistently emerges: “We need to do more with less.”
One of the biggest challenges security departments face is being understaffed, making it difficult to address the 24/7 needs of a full SOC. Finding and onboarding talent proficient in multiple security domains is tough, and retaining this talent after significant time and financial investment becomes a business risk.
The costs of technology are steadily growing, while technical debt is not being maintained or reduced year over year. Additionally, the overlap of disparate tools wastes budget and puts financial strain on security departments.
Security budgets are not growing at the same pace as other enterprise priorities. Obtaining approval for technology procurement, licensing, and headcount requires navigating internal politics and providing justifications, which can be a time-consuming and frustrating process. These problems are seen across organizations of every size. Often, the conversation leads to whether building or buying SOC operations is the right strategy.
To determine whether to build or buy SOC services, business leaders need to weigh the pros and cons of each approach.
An approach that has proven to be most effective is the shared responsibility approach. The shared model can provide organizations with maximum ROI while aligning with business objectives. With a shared model, commodity technologies and capabilities are outsourced, while those capabilities and technologies that require significant organizational knowledge are retained.
This approach can provide efficiencies in workflows by leveraging managed service providers for Tier 1-2 SOC services. Managed Service Providers have the expertise, staffing, security platforms, threat intelligence insights, and automations to provide coverage in areas that would normally require “eyes on glass” 24/7.
Managed Service Providers can leverage automations across their customer base to help with detections, tuning, and reduction of noise from false positives, thus reducing overall analyst fatigue.
This allows your in-house staff to focus on escalations and organization-specific responsibilities.
Finally, an MSP (Managed Service Provider) can bring immediate value by bringing security platforms and licensing that offset the costs of procuring them independently. They do this by leveraging partnerships with vendors that can garner cost savings. Additionally, deployment services can be accelerated, shortening time to value compared with deploying using in-house resources.
For a Shared Model SOC
Before moving to a shared model SOC as part of your cybersecurity strategy, certain considerations should be made to ensure that your organization is prepared.
In-house vs. Outsource: Assess which capabilities or technologies should be kept in-house versus outsourced. For example, staffing a Tier 1-2 SOC versus outsourcing to an MDR (Managed Detection and Response) provider. Or perhaps retaining specialists in the vulnerability management space has been difficult due to high demand in the market. An MSP can be leveraged to fill these gaps. Evaluate from both financial and operational points of view when making the determination.
CapEx vs. OpEx: Understand how your accounting organization sees licensing and services expenditures. Depending on how your organization sees service contracts and depending upon payment structures, costs can possibly be amortized. Your accounting and finance teams can be leveraged here.
Compliance Requirements: Review any organizational compliance requirements that may be affected by data retention, data residency, and data security. Understand the business risks that are associated with offloading data and licensing. An MSP can help you understand your regulatory requirements and/or gaps in compliance.
Processes, Policies, and Procedures: Evaluate whether your organization has adequate processes, policies, and procedures in place to onboard a managed service provider. Establish SLAs, SOPs, KPIs, and KRIs to set standards and expectations for the provider’s service delivery.
Transparency: For outsourced services, ensure that transparency is provided. If possible, co-management of the technology solutions is the best option for visibility and attestations.
The shared responsibility model can help organizations do more with less, addressing the critical challenges of talent acquisition, technology costs, and budget constraints. By carefully considering what to keep in-house versus outsourcing, and ensuring robust processes and transparency, organizations can achieve a balanced and effective SOC strategy.