
 


The Dark Realities of Building a SOC


Today, a Security Operations Center (SOC) is the heart of many industry-leading organizations’ security infrastructures. While many organizations seek to stay ahead of the curve and take ownership of building a SOC from the ground up, it just isn’t cost effective.

Earlier this year the Ponemon Institute released a report entitled “The Economics of Security Operations Centers: What Is the True Cost for Effective Results?” which studied the ROI of in-house SOCs.

On average, it found organizations spent $2.86 million per year on their in-house SOC. Depending on technology, the cost can be even higher.

To build a functioning security operations center you must account for many things: you need to hire employees, implement technology, build policies, processes, procedures and runbooks, and track and audit everything to ensure they are implemented correctly and being followed.

Reality #1: Define Your Goals

The first step is to define your mission statement and goal for building a SOC. It is essential to be able to articulate why your organization needs to build and house a security operations center, both for the security team as well as the rest of the company.

If you are unable to justify building a SOC to management and ownership, then it will be an uphill battle from the start. Being able to define exactly what your SOC will accomplish in measurable goals and what new capabilities it will bring will help members at every level of your organization.

You should be able to answer questions like:

  • Will you have enough staff for 24x7x365?
  • Will you have people on call?
  • How transparent will you be and how will the SOC feel part of the organization as a whole?
  • What benefits will you provide new hires?
  • How will you train and retain employees?

Reality #2: Hiring the Right People

Next, you have to staff your SOC. This is no easy task, even for an organization with incredible compensation and benefits.

The Ponemon Institute’s report found that organizations spent about $1.6 million of their budget on direct labor costs. The average salary of an analyst was around $100K according to the study, with salaries expected to rise 29 percent in 2020.

The job market today is very competitive, and many analyst jobs are sitting unfilled. Depending on the experience and knowledge level you need to build a competent team, your budget could balloon in salaries.

And these costs don’t factor in the exorbitant cost of headhunters and recruiters.

At Datashield, we have experience hiring analysts and security operations team members. We have a skilled group of experts guided by veteran talent and leadership, which is rare in many SOC environments. Our team has taken years to grow and cultivate into a cohesive operation.

Learn more about the power of Datashield’s team here.

Reality #3: Building from the Ground Up

Next, you’ll need to architect the SOC and create policies and procedures. Completing this work requires engineers and analysts who are able to investigate and respond to incidents.

At Datashield, we have a fully staffed SOC including analysts, engineers, threat intel and content teams, and an entire research and development arm. This allows us to help our clients develop a resilient cybersecurity strategy.

Many organizations struggle to not only build their SOC but create protocols and procedures that allow for an evolving process and holistic approach to threat detection and response.

Reality #4: Choosing the Right Tools

After constructing and hiring, your team will need to buy and implement tools and software. This takes IT process, change management, implementation, and testing. Choosing the right tool is key: focus on needs and features instead of flashy names and presentations.

At Datashield, we work with clients from all industries. Our deep knowledge allows us to help clients vet tools that fit within their needs, offer discounted licensing, and support implementation and management.

Reality #5: Employee Retention

Now that you have a great team, it’s time to keep them. Unfortunately, the competitive job market makes retention difficult.

The average SOC analyst leaves the organization after a little more than two years, and employers can't keep up with the turnover. As an example, an average of four analysts is expected to be hired in 2020; however, three analysts will be fired or resign in one year.

Additionally, many great team members will require spending time and money on training and mentorship. Not only will you need to retain your all-star team, but you will also need to make sure they stay up to date. Training environments can be costly, especially for activities like SANS Courses.

The Ponemon Institute study found more than two-thirds (67%) of respondents say training SOC analysts is one of the most critical SOC activities.

Datashield went through a transformation and reorganization in late 2018. Our SOC dropped from a 95% retention rate to an 89% retention rate in 2019. This number is still considered a very high retention rate for our industry.

Even after all these items, you still have typical employee concerns like culture, performance and schedules that you must contend with.

A good SOC will constantly evaluate itself and ask its team members:

  • Do you enjoy coming to work?
  • Do you have realistic but challenging goals?
  • Do you feel appreciated?

Reality #6: Building a SOC is Only the First Step

Finally, you must continually mature your SOC, both in its staff and its software.

Responding to alerts that fire from your tools is only the first phase; this is just the basics. You need some form of threat intelligence plan (which isn’t to just buy someone’s threat intel feed). You will also need reporting and metrics to adjust the SOC itself as well as the tools. Last, you need to practice. Do mock incident response drills and test the processes and staff.

Conclusion

Outsourcing doesn’t mean sacrificing control. In many ways, it means focusing on what is truly important.

Instead of building a house from the ground up, many of our clients find it easier to move into a home that is already built. Rather than waiting on construction, we’ve already built the foundation.

This means finding a managed security services provider that will take time to truly understand your organization and security environment, help you improve and become more efficient, and be transparent and follow best practices.

This happens to be the mission and drive here at Datashield.


For more information on Datashield’s advanced security operations center, click here.

If you have questions about outsourcing your SOC, contact us today.

Jeff Marshall
Jeff Marshall was the previous Chief Information Security Officer at Datashield and contributed technical content to the Datashield resource library. Jeff worked at Datashield for nearly 4 years and provided thought leadership and educational content for the Datashield resource library.
