Security Operations Center (SOC): better outsourced

by Rene Funke

Since 2021, growth rates for IT security expenditure have been high; 13% growth is expected in 2025.

IT security between cost and expertise: the example of Security Operations Centres (SOC) shows that outsourcing is a viable option. Good planning and proper preparation of the sourcing project are essential.


According to the internet, the first cyber attack took place in France some 190 years ago - two brothers compromised the telegraph system to gain access to financial market information. Today, cyber security is one of the most important issues on CIOs' IT agendas, as hackers and vulnerabilities have proliferated. With consequences: According to our IT Agenda survey, security budgets have seen double-digit growth since 2020. Although the increase has slowed during the economic crisis, growth rates of overall IT budgets have shrunk even more.

Few organisations can win the race against attackers on their own: Tighter regulations and the growing number of cyber-attacks by the increasingly industrialised black hat sector are driving the need for qualified security experts. Demand for this rare breed is pushing prices up and availability down. According to ISC2's Cybersecurity Workforce Study, two-thirds of respondents believe they do not have enough cybersecurity professionals in their organisation. Many positions remain unfilled.

The SOC and its roles

Meanwhile, regulatory requirements have to be met: More than 40,000 German companies alone will fall under NIS2 regulation. The EU's Network and Infrastructure Security Directive 2 (NIS2) requires organisations to not only detect attacks, but also to create or improve measures to respond to attacks and recover affected data, applications and infrastructure. In many cases, this boils down to a Security Operation Centre (SOC), which is responsible for detecting, analysing and responding to security incidents.

A SOC is permanently staffed - with at least three differently qualified roles:

  1. Tier 1 SOC analysts: Initial monitoring and triage of security alerts;
  2. Tier 2 SOC analysts: Detailed analysis and handling of escalated security incidents;
  3. Tier 3 SOC analysts: Proactive threat hunting and post-incident forensics.

An example: For a company with around 1,000 PC workstations, 6 to 12 FTE may be required to run the SOC 24/7, depending on individual details and not including management and specialist roles.

SOC - sourcing instead of running your own

Given the financial and staffing challenges, it is no wonder that outsourcing SOCs is on the rise. Researchers at Mordor Intelligence estimate that the SOC-as-a-Service market will be worth $3.14 billion by 2024, with this figure set to double by 2029. And according to a study conducted by Techconsult on behalf of Sophos, more than 40 per cent of organisations rely on outsourced SOC services.

The benefits are clear: SOC sourcing provides access to a pool of specialist skills without the need for lengthy recruitment processes. This accelerates the ability to scale resources to meet changing threat levels. Customers also gain access to expertise, best practices and the latest technologies. Purchasing and maintaining security tools, particularly SIEM (Security Information and Event Management), SOAR (Security Orchestration, Automation and Response) and XDR (Extended Detection and Response), can also be costly, requiring ongoing investment in updates, processes and experts.


Managed SOCs

There are also different types of "SOC as a service" to meet customer requirements:

  1. Managed Security Services (MSS): The provider handles all aspects of SOC operations, from monitoring to incident response.
  2. Co-managed Security Services: A combination of internal and external resources. The organisation retains control over certain areas, while the MSS provider takes over others.
  3. Cloud-based SOCs: The SOC is operated in the cloud and offers a high degree of flexibility.


Security sourcing starts with strategy

However, organisations looking to outsource security services or SOCs would be well advised not to jump straight into provider selection and the actual transaction process. A sound security sourcing strategy should always be developed first. This includes how the organisation assesses its own security situation and how it positions itself in relation to possible sourcing options:

  • Should only parts of security be outsourced or 'the whole thing'?
  • Do you want a single security service provider or multiple providers, each attached to a different area of IT operations?
  • Is there clarity on the advantages and disadvantages of having service providers in Europe and offshore?
  • Is it about the targeted development of skills and resources or (also) about savings?

Of course, choosing the right partner is critical to the success of an outsourced SOC. But it is also important that the customer optimises the sourcing process in line with the strategy. This includes a proactive approach before outsourcing, the definition of detailed SLAs (including response times, availability, reporting and continuous improvement) and a long-term perspective with controls and adjustments. It also includes a proactive and concrete needs analysis of the tool landscape.

Security sourcing is not a quick fix

By saying a categorical no to security sourcing, organisations are missing out on many opportunities. The same can be said for organisations that approach the task casually or too late. Sustainable SOC sourcing requires experts and experience in both disciplines. The good news is that outsourced security is well received: in our IT Agenda 2024 survey, it received the highest rating of all the managed services surveyed.


Rene Funke

René Funke has held various management positions in the IT industry for over 20 years - with an excursion into the wonderful world of construction machinery. He is head of marketing and sales at Metrics.