Where you go from there, however, prompts questions. Should you build your own SOC or outsource to a specialist? Is a white-label offering right for you? If so, how do you choose? And if you want to build, is there a relevant operational maturity model that can guide the project?
During a panel discussion titled “Build vs. Buy: Security Operations Center Decision Time,” part of the security track sponsored by Nextiva at Channel Partners Evolution, Sept. 9-12, in Washington, D.C., Alex Ryals, Tech Data’s vice president of security solution, and Michael Jenks, Mosaic451’s lead cybersec analyst, will help guide you to the right choice for your company.
In a Q&A with Channel Partners, Ryals and Jenks give a sneak peek of the information they plan to share during this discussion.
Channel Partners: What are some of the issues to consider when deciding whether to build your own SOC or outsource?
Alex Ryals: Cost – building a SOC could cost $1-3 million depending on the size and scope. With your particular customer base, determine how long it will take to recoup your cost. Timing – some partners may find that it’s better to outsource the SOC to ensure your sales team is capable of selling the solution before you invest in building it yourself.
Skills – finding qualified people to work as SOC analysts is very difficult, so make sure that you have a pipeline of these rare resources before you invest. Scope – you need to decide early if you will staff for 24×7 or 9×5. Maybe you should partner for the after-hours work.
Michael Jenks: I think the most important issue when deciding about dealing with SOC operations for a specific business is to have an understanding of the risk appetite of an organization. Every other issue, potential or real, and decision relating to security operations will be affected by a specific risk appetite and without this understanding there will be frustrations along the entire road of operations.
CP: What are some common mistakes to avoid when building your own SOC?
AR: Automation needs to be top of mind from the start. A security information and event management (SIEM) solution alone with SOC analysis to sift through the data will not be effective unless you can automate some of the incident response to help you scale.
Don’t underestimate the difficulty in finding qualified legitimate cyber-skilled people. Determining pricing for your solution is very tricky, and there are many ways to do it. I would suggest not charging for every endpoint device, but focusing on the servers, network and security devices.
MJ: It has been my experience that mistakes are unique to each business with one exception: management not understanding how an efficient SOC operates and not trusting the people that do understand.
CP: What are the best criteria for choosing a specialist to handle your SOC?
AR: Many people immediately look for former IT resources to work in…