Understanding the Pros and Cons of In-House Security Operations Centers (SOC)

Business Journal Ask the Expert Column – February 2020

Our Board of Directors asked me to determine the feasibility of bringing all cybersecurity functions in-house, including the creation of an in-house Security Operations Center (SOC). The entire proposition seems cost-prohibitive to me, but I’d like an expert opinion before starting my research. Is an in-house SOC a feasible option?

I certainly hope your Board has deep pockets, an even deeper understanding of what cybersecurity truly entails, as well as staffing insights on how to build high-functioning elite teams filled with highly intelligent people. Creating and operating an in-house security operations center as an in-house department is not for the faint of heart. In addition, don’t invest if you are not ready to run 24/7/365 operations. A SOC is NOT synonymous with a help desk.

We work with several Enterprise/Fortune accounts that we act as an “overlay” to their in-house SOC. Internally sourced and funded SOCs need proper investment and a deep understanding of the cyber landscape. If you’re creating a SWOT analysis for building an in-house Security Operations Center, here are the two most crucial areas to consider when comparing an internal SOC to an outside provider:

Pros and Cons of In-House Security Operations Centers

SOC Personnel

Attracting, hiring, and keeping the best and brightest cybersecurity engineers and professionals stands alone as the greatest single drawback for any company choosing in-house management of cybersecurity versus outsourced SOC.

According to a 2019 study conducted by the Center for Strategic and International Studies, the cybersecurity workforce gap (the number of unfilled jobs) has grown by 50% since 2015. In just two years, the Center expects there to be a global shortage of 1.8 million cybersecurity professionals.

SOC-as–a-Service offers a distinct advantage over internal monitoring efforts when it comes to attracting and maintaining a top cyber workforce and providing a robust protection service. The diversity of clients, company focus on cybersecurity, learning and training opportunities, career advancement possibilities, higher pay and better benefits, and the chance to work alongside the industry’s elite are just a few of the reasons why cybersecurity firms are more attractive to candidates than in-house SOCs.

There’s also an esprit de corps that cybersecurity providers create that simply doesn’t exist anywhere else. It’s something we cultivate, as do other security providers. Our team sees themselves as an elite fighting force united to help rid the business world of cyberattacks. It’s a mentality that’s hard to maintain working for a single entity that’s not focused solely on security.

Plus, with the shortage of cybersecurity professionals, turnover is a massive issue. Because of the competitive landscape, most companies can expect cybersecurity employee turnover every two years, despite the fact that many new hires take up to a year to effectively contribute at a consistent level.

Companies, such as mine, pay premium salaries and offer over-the-top benefits and working conditions to keep the best and brightest talent on staff. Finally, for organizations such as yours, talent poaching is a massive issue that often turns most HR departments inside out.

Capital Investment

As a CEO who leveraged over 20 years of cybersecurity experience conducting incident response and digital forensic matters that help create our 24/7/365 SOC, I can tell you firsthand that the intellectual property, capital expenditure, and implementation of our cyber counterintelligence tradecraft within our security operations center “playbooks” is insurmountable to mimic. And that’s before you get to hardware, software, and personnel costs.

Your Board can expect a solid seven to eight-figure expenditure if they intend to do the job right and provide a cybersecurity function that equals a third-party provider. Just like any other technology, the moment you buy equipment and software, it becomes obsolete and requires constant updating. Cybersecurity isn’t a department, it’s a way of life unlike anything else in the building.

For an organization that’s not singularly focused on cybersecurity, cost will become an issue sooner rather than later. When you weigh the cost of paying an outside firm versus trying to handle the function internally, it won’t take long for your Board to recognize that the cost of “farming out the work” is far more efficient economically, when considering long-term investment, effectiveness, and overall stress on your organization.

Final Thoughts

A recent Ponemon Study identified three critical findings you should share with your Board:

-51% of organizations are not satisfied with their SOC’s effectiveness

-44% of respondents claimed their SOC’s ROI is worsening

-74% of respondents stated that SOCs are “highly complex” environments that make management more difficult

Look at the facts and the costs objectively. Your findings could be different than what we’ve found traditionally. But for most companies, the expense, time, constant attention, and emotional drain required by a 24/7/365 security operations center simply don’t make sense as an internal function.