Cybersecurity Operations Center: To Build or Not to Build?

You’ve probably thought about building a cybersecurity operations center (SOC) for your business at some point, but once most companies do, they realize they can’t handle it. The annual cost and resources required to maintain DIY cybersecurity are almost always more than companies expect, and because there’s a dearth of security experts, there aren’t enough qualified people to operate it.

A SOC is its own business, and like any business, it depends on three things: people, processes and systems/technology.


No matter how great the technology, a SOC works only as well as the people who manage it. Finding and keeping those people is the most difficult part.

A 2017 Global Information Security Workforce Study found the cybersecurity workforce gap is on pace to hit 1.8 million by 2022, and 62 percent of information security workers reported having too few workers to address the threats they encountered. ISACA’s survey of enterprises, State of Cyber Security 2017, found one-third of respondents said they receive 10 or more applications for an open position, but 64 percent of that one-third reported that fewer than half of the applicants are qualified.

It’s tough enough for enterprises and professional cybersecurity companies to find and continually train the right people, but it’s even tougher for SMBs, which typically have smaller budgets and fewer highly qualified experts. Even when cyber experts receive high salaries compared to their peers, they often leave after a few years to work with government organizations or cybersecurity companies, where they have much greater visibility into the threat environment and opportunities to learn from the most talented professionals in their field.

An outsourced SOC at a large cybersecurity company has far more visibility into the threat environment than any in-house SOC could ever have, as it constantly gathers data from the Dark Web and the thousands of clients it monitors. When an outsourced SOC sees a threat in any client’s environment, it creates countermeasures that are then shared in real time across its diverse range of clients to deliver around-the-clock protection. These professional SOCs also typically provide ongoing internal and external training to prevent, detect and remediate threats. They also have much larger teams, so when an employee gets sick or leaves unexpectedly, there’s always someone to fill the void.


Documented security processes inform people of their roles and responsibilities for detecting and responding to threats. On the portal or on a shared drive, procedures should be documented for the following responsibilities:

  • Monitoring the environment on-premises and in the cloud
  • Scanning for vulnerabilities
  • Conducting penetration tests
  • Notifying analysts of alerts
  • Escalating incidents
  • Logging incidents
  • Creating compliance reports
  • Investigating threats
  • Reporting incidents
  • Handling new technologies

Each process should tie into the next, so everyone knows their responsibilities and the way they fit in with an end-to-end repeatable process.

To create the processes, the security manager needs to determine the majority of issues that can arise within their environment, their levels of priority, and the best ways to address them. These should adapt to the changing threat landscape and new technologies.

An outsourced SOC has many processes automated and capitalizes on machine-learning technologies and advanced analytics to handle threats and incidents that could take hours or days to handle manually. Security professionals continually tweak the rules for devices and analytics platforms to ensure up-to-the-minute protection for all clients. The best outsourced SOCs remediate threats automatically so their clients don’t have to.


To be effective, a SOC needs a Security Information and Event Management (SIEM) or similar platform to collect, aggregate, normalize, detect and analyze suspicious incidents. Other tools are also needed to discover vulnerabilities in hardware, software, applications and services running on premises or in cloud environments. If you have compliance requirements, you’ll need tools to pull those reports. Customizing them can take a long time, but some outsourced SOCs offer compliance reports tailored to the standards for each organization (PCI DSS, HIPAA/HITRUST and GDPR).

The newest tools use artificial intelligence and machine learning to detect suspicious activities and to act on them. As threats change, so do the tools, which requires companies to buy more tools and pay for training so SOC employees can optimize their use. It takes time for the SOC to learn how to use new tools. If your network isn’t getting breached regularly, the expertise to use the incident response tools isn’t there when it’s time to use them. But a SOC that oversees the environments of thousands of clients is constantly being trained and is using the most effective tools.

The most expensive technology system is the SIEM. Its initial expense is just the start of a large capital outlay, as there are annual training and licensing costs of thousands of dollars. Companies that implement a SIEM rarely get the value they pay for. Typically, only a few of its features are used, as it’s too difficult and time-consuming for most companies to fully manage and operate. The annual SIEM licenses and training often end up costing more than anticipated. If only one person is trained in its operation, which is often the case with SMBs, when that operator is away or leaves, the company is at risk when an incident occurs.

Security Automation and Orchestration

An outsourced SOC has its own purpose-built platform that is constantly fed new information from environments around the world. It uses the latest tools and security devices, so customers don’t have to buy them. It automates tasks in machine-based security applications that would otherwise have to be done manually, saving a significant amount of time. Security automation and orchestration streamlines security teams, tools and processes for quick detection and remediation. Ideally, an outsourced SOC should be using these tools to remediate any threats immediately. If a threat sneaks in undetected, your SOC should respond to it without any extra charge. Incident response teams generally cost hundreds of dollars an hour; you shouldn’t have to pay for them when you’re already paying for a SOC.

However, you may still want to build rather than buy a SOC. Know your costs up front. In addition to purchasing tools, you’ll need to pay for your cybersecurity experts to continually take classes to learn new skills and meet demands. You’ll need at least five security analysts at approximately $80,000 a year for each. Incident responders cost about $100,000, threat hunters earn about $120,000, and SOC managers earn about $140,000. Then add in the cost of a SIEM, licensing and tools, and the cost is about $1 million a year.

SMBs can pay pennies on the dollar and costs will be predictable compared to building their own center. An outsourced SOC is classified as an operating expense rather than a capital expense, so it’s fully tax deductible each year. Still, the cost and the technology problems are nothing compared to the problems you’ll have trying to fully man each needed position. You may build it, but your experts may not come.

For more information, read our SOC – Built It or Buy It whitepaper.
