It’s time for a reality check: building a modest infosec (information security) program — much less a 24/7 SOC — is a challenging feat.
Before you go full steam ahead in an attempt to build out a full SOC, evaluate the problems that you might face.
Labor shortages are rampant in this global economy, and the security industry is no exception. Cybersecurity is a notoriously difficult field for talent acquisition. Staffing a 24/7 SOC requires a lot of personnel — usually around 10-12 full-time employees — considering that people get sick, go on vacation, and generally have lives to live.
Now, let’s assume you get applicants. The typical interview process — call screening, technical phone screening, management phone screening, and team interview — takes weeks, and more likely months, to complete end-to-end. Multiply that by the number of quality applicants that will all go through that process, and you’ll realize recruitment carries an enormous cost in human hours across a range of employees.
Hiring outside staffing firms can be helpful. They can somewhat shrink the time it takes to complete that process, but they too carry a cost that’s often a poor fit for an SMB. And even an outside recruiting firm can’t alleviate the need to onboard the newly hired resource.
People in security analyst roles are usually highly intelligent, but are responsible for the mind-numbing task of staring at a screen and triaging thousands of security alerts — oh, and being on call 24/7. It’s no surprise that burnout is a major problem for SOC analysts; security professionals are more than twice as likely to report poor work-life balance. That burnout leads to high turnover.
A full SOC contains a lot of different products, sometimes for no good reason other than shiny object syndrome. Our inner consumer craves the hottest new security technology: “With this shiny new security tool, we’ll be unstoppable!” An Enterprise Strategy Group (ESG) study found that 40% of IT and security professionals use between 10 and 25 security tools; 30% use between 26 and 50.
A Demisto study revealed that SOC teams receive an average of 174,000 alerts per week. Traditional SOCs generate an unsustainable volume of alerts for smaller teams, and it’s only human nature to eventually tune them out. And speaking of burnout, any sane person will burn out within a matter of weeks under a constant stream of alerts telling them the sky is falling.
False positives also worsen the situation by creating unnecessary noise for events that aren’t security threats, like a series of failed login attempts. False alarms account for about 40% of all alerts that security teams receive and further encourage the bad habit of ignoring alerts.
Let’s not forget that time equals money. When an alert comes in, an analyst must contextualize it, determine if it’s a priority, and then triage it for response. On average, analysts spend 24-30 minutes investigating each incident that comes through, according to an Enterprise Management Associates (EMA) study. Considering that the average salary of a SOC analyst is $109,156 per year (around $30 per incident investigation), false positives and alert fatigue can result in a major cost to business.
The staffing component alone adds up to an enormous cost. For a 24/7 SOC, expect to hire a minimum of 5 security analysts to cover 3 shifts of 8 hours with 1 analyst on duty per shift. Even if you can manage to hire junior security analysts to monitor your SOC, be prepared to budget a minimum of $500,000 in salary for security analysts alone.
However, some enterprises choose to do more with less personnel by hiring senior experienced engineers and building automated alerting tools. In that scenario, you are likely to spend around $150,000 per experienced security analyst.
That brings us to an often overlooked component of SOC cost: training. Cybersecurity is a rapidly changing industry, and it’s important that security analysts’ skillsets are continuously updated. Certification programs can be costly, so be prepared to spend at least $2,500 per employee per year to keep their skills updated.
This is all without factoring in the cost of hardware and software: the actual technology needed to support a SOC. All things considered, the average organization spends $2.86 million per year to run an in-house SOC, according to a Ponemon Institute study.
Building a SOC: Options for SMBs
These costs are often justifiable for large enterprises such as science and technology, defense contractors, larger financial industry firms, and government agencies — especially given the SOC’s critical role in the organization’s risk mitigation strategy.
But where does that leave small-to-medium sized businesses (SMBs)?
After evaluating all of the challenges associated with a full SOC, you may be considering paring down the project to a smaller scale. Fortunately, it’s possible to achieve visibility without sinking massive resources into building a SOC.
Download our eBook to learn how to build an alternative SOC — using the resources and team you have today.