Looking ahead in this uncertain economic climate, is a sobering time to examine any organization’s security spend with an eye towards maximizing value. The tight security labor market, combined with the critical nature of an organization’s security capability, creates a unique challenge for business leaders as they prepare for the future. Evaluating the possibility of outsourcing a Security Operations Center (SOC) may provide opportunities for cost savings, improving security team morale, and stability.
One core requirement for security maturity is the ability to monitor and respond to events around the clock. A robust SOC is typically responsible for managing a Security Information and Event Management (SIEM) system which aggregates and correlates logs from several sources to create a comprehensive picture of an organization’s security landscape. This often includes Endpoint Detection and Response (EDR) tools, firewall logs, authentication logs, and other security and IT data. A SIEM solution can provide rapid detection of security alerts and anomalies that might occur in any of the systems that provide data to the SIEM.
Of course, a good SIEM, properly engineered and tuned, is an excellent early warning system. However, if an alert is generated in the console, there must also be a skilled SOC analyst who can respond. It is the responsibility of a SOC analyst to monitor the SIEM for alerts and investigate each in turn. Due to the training, expertise, and a certain amount of artistry required for the role, it is unlikely that the position will be fully automated in the near future.
Challenges of the SOC
The SOC fills a vital role in an organization's security posture but managing and maintaining a SOC requires overcoming several challenges including recruiting talent, scheduling, professional development, retention and more. By some estimates, [1] the cost of hiring a new employee can be up to $5000 and take more than a month. This also includes a time cost on the cybersecurity team if they’re involved in the recruiting, candidate screening or the hiring process. Average SOC analyst salaries can also run into six figures [2], making the investment in hiring a SOC analyst quite expensive to an organization.
Scheduling and maintaining a 24/7 staffing model are the next challenge for organizations attempting to staff a mature SOC. Many successful SOCs implement a “follow-the-sun” model to accomplish round the clock monitoring and response. For organizations that don’t have a global footprint, it can be expensive and time consuming to set up offshore entities across geographies to support local employees. Legal, financial, and employment variations across countries further complicate this effort. Some organizations opt for a schedule that requires domestic employees to work overnight. While this can solve the problem of 24/7 coverage, studies have shown that in the medical field for example, working overnight dramatically increases chances for error [3]. Employees who work the swing, or graveyard shift can also suffer mental and physical health problems [4]. In addition to being error prone, this shift often sees the highest turnover as employees seek other positions that offer more reasonable hours.
Turnover in SOC work is a perennial problem for most organizations. SOC analysts are typically perceived as entry level in cybersecurity, and it is not uncommon for analysts to seek to advance to security engineer roles after gaining some experience. SOC analyst roles can be extremely stressful when facing serious incidents any time of day or night and when the evidence of these incidents can be buried in benign looking alerts. The volume of alerts and repetitiveness of certain types of investigations can be fatiguing, creating a volatile combination that can turn a SOC into a revolving door of talent. Studies report as much as a 25 percent annual attrition rate for SOC [5], meaning that the costs of recruiting and hiring talent are realized multiple times each year as the SOC struggles to manage staff.
SOC Team Staffing, Hiring and Growth
In addition to ensuring that a SOC has the necessary talent, it is also difficult to schedule workers to operate every day of the year, including holidays and weekends. The challenge of addressing coverage, especially with PTO requests and sick time, means that SOCs must have additional headcount to cover each day. This creates an added cost as organizations struggle to maintain the necessary headcount to address attrition and outages. While the SOC manager is typically responsible for scheduling, it is a complex task, and some organizations opt to hire a dedicated SOC scheduler, further increasing staffing costs.
Of course, simply hiring a new SOC analyst doesn’t always fill the gaps in capability that a vacancy may have created as well. New employees must be trained and oriented to the company and cybersecurity team. The process for onboarding an effective SOC analyst can take over a month. If you combine the entire process time needed to publish a job posting, screen candidates, finalize an offer and onboard a new SOC analyst, it might be upwards of 90-days before a new person is operating as a contributing security team member.
Once you do have a competent team in place, the SOC manager must navigate and satisfy demands for learning and professional development. This normally requires a training and development plan along with funding for classes, study material, professional certifications and more. Most of the industry recognized SOC certifications can cost almost $10,000, with travel and lodging costs on top of that for in-person training [6].
Advice for Selecting an MSSP
Given the challenges of talent attraction, retention, development, and scheduling, it may make more sense for organizations to outsource, or co-source, their SOC to a Managed Security Services Provider (MSSP). MSSPs can leverage their economies of scale to specifically address the previously discussed challenges, as their core competency is security monitoring and response. MSSPs have large rosters of analysts and can use that scale to provide flexibility and meet scheduling and attrition challenges.
When considering an MSSP, it’s important that organizations ask how they manage all the challenges of maintaining a SOC. They will want to inquire how the MSSP hires talent to determine if they are identifying quality candidates or simply hiring low-cost workers to boost profit margins. Attrition can be a particular problem with MSSPs, especially if their SOC analysts are required to work long hours or cover multiple clients, as this can contribute to burnout, low morale, and high stress.
Additionally, identifying how an MSSP manages “follow-the-sun” staffing is important to consider. Many MSSPs simply hire in economies where labor is inexpensive, resulting in communications issues or retention problems. The last thing an organization wants to do is outsource their SOC to a revolving door of nameless SOC analysts who can’t be reached, or when they are available struggle to communicate with clients.
When selecting an MSSP, it’s important to learn how they address the challenges of an in-house SOC and for understanding your business. The one major advantage of an in-house SOC over an MSSP is familiarity and a sense of ownership of the company. Finding an MSSP that can bring analysts to your organization to partner with your security team can be a challenge, but well worth the investment if you can identify such a provider.
Benefits of Outsourcing Security
Outsourcing a SOC allows an organization to refocus its existing security staff to create opportunities for growth, leadership, and specialization. This will increase morale, retention and loyalty from the existing cybersecurity team which will lower costs over time. Instead of struggling to manage a barrage of SIEM alerts, the cybersecurity team can focus on more difficult or intensive security challenges such as engineering, architecture, or complex incident response. Outsourcing to a SOC can also create opportunities for an internal manager to serve as the primary point of contact for the MSSP SOC. This position can focus on activities that bring more value to the organization such as metrics and reporting, instead of hassling with personnel or scheduling.
Ultimately, outsourcing a SOC allows organizations to gain the security they need while creating a predictable budget line. Instead of facing the variable costs associated with maintaining an in-house SOC, a cybersecurity team can negotiate a multi-year deal with an MSSP. Implementing security outsourcing in the current face of uncertain economic headwinds can establish budget stability, contribute to cyber resilience and employee retention, and provide peace of mind to business leaders.
About the author: Justin Klein Keane, Director of the Security Operations Center at MorganFranklin Consulting. He works on the strategic leadership of monitoring and response for clients. Justin has more than 20 years of experience in cybersecurity from both offensive and defensive perspectives and holds a master’s degree in computing and IT along with several professional certifications. He has deep experience in leading complex, large-scale, security breach responses including those involving nation-state actors and advanced persistent threats. Justin spent much of his career in higher education, health care, and software development, before moving to consulting where he brings a diversity of experience in complex business and regulatory environments to security monitoring, detection, and incident response.
Citations:
- https://www.businessnewsdaily.com/16562-cost-of-hiring-an-employee.html, https://www.adp.com/spark/articles/2019/07/calculating-the-true-cost-to-hire-employees.aspx
- https://www.salary.com/research/salary/listing/soc-analyst-salary
- https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8232963/
- https://www.apa.org/monitor/2011/01/night-work
- https://www.criticalstart.com/resources/new-research-from-criticalstart-finds-8-10-security-analysts-report-annual-soc-turnover-is-reaching-10-to-more-than-50/
- https://www.sans.org/cyber-security-courses/blue-team-fundamentals-security-operations-analysis/
