You just got a quote from a managed SOC for the security coverage of your company. They promise a 24/7 monitored SIEM and endpoint detection and response, all of it fully integrated into your environment, with the ability to respond to threats on workstations, servers, and your cloud environment. Your initial thought is “Wow, that’s expensive.” I agree, it can be expensive, but compared to what?
The first thing I must strongly caution, and it bears repeating over and over again: do not put your IT team in charge of security. I say this not because I doubt their competency or their ability to handle security, but to provide perspective. Would you have your finance department handle all legal issues? Should your CEO be handling human resource tasks? So why place the responsibility for cybersecurity on your IT team? You are asking your IT team to do 2-3 times more work, which can greatly degrade the quality of both your IT and your security. Since there are only two paths to walk, let’s break down the cost of building versus buying. A managed SOC or an MSSP (Managed Security Services Provider) will provide the following services: licensing and configuration of the EDR (Endpoint Detection and Response) tool and its deployment to all endpoints in the organization; purchasing and configuring the SIEM tool and tuning it to remove unnecessary alerts; and various other security practices.
In order to build an internal SOC, you will of course have to staff it. When we discuss staffing, let’s consider the appropriate resources: 24/7/365 coverage requires a minimum of 3 shifts a day. That is 168 covered hours a week; 3 employees only cover 120 hours, so we would need at least 4 employees. You will need multiple tiers of employees with varying technical abilities and, of course, a department lead. For a standard SOC this is around 8-12 employees, and this is the low end (it covers all shifts, paid time off, multiple tiers of ability/skill, and a department manager). Each employee comes with a cost. For a tier one security analyst, let’s call the salary plus benefits around $65,000 a year, at a count of 4. A tier 2 escalation analyst costs around $110,000 a year, at a count of 4, and a director level position costs $175,000. These numbers are relatively average nationwide, and possibly low averages, but your annual labor is just over $1.5 million. Next, we will add licensing and software costs, which are extremely variable based on the size of your organization; let’s call it a low-end cost of $50k a year for licensing and software. The industry average for building out a SOC in a company is around $2.5 million. If we agree that this estimate is accurate, the question remains: do you build or buy?
What Would You Do
I am not trying to convince anyone to do either. Each business has unique needs and resources, but the reality is that most SMBs do not have the budget for an additional 8 highly technical employees. In this case, the most financially responsible decision is to pay for SOC services. As we step into enterprise-level environments, size, revenue, the type of data and technology, as well as tax implications and growth model, are all factors that need to be considered. Enterprises that have an internal SOC usually have thousands of employees, handle large financial accounts, are data heavy, have multiple locations, and have specific security needs. Enterprises like this build a SOC internally because it is more cost effective and provides better control for their specific use case and environment.
Whether you build or buy, make sure you have 24/7 monitoring and highly technical, security-focused resources intent on securing your business and data. Your organization’s wellbeing is highly dependent upon its security hygiene. It is important to ask potential vendors to supply you with information on their business continuity and disaster recovery plans. Inquire about their staffing, knowledge, and services, and how these can be tailored to your environment. So, either way, I recommend you do it correctly, as the cost of doing it incorrectly is high. What would you do? Build or buy?
Follow Max on LinkedIn