Build Your Security Operations Center (SOC)
A Security Operations Center (SOC) gives your organization visibility into security events and incidents. That visibility shortens the time an attacker goes unnoticed, which lowers the cost of each incident and, over time, the cost of security as a whole.

When working with our clients, my team at The Penn Group works around a philosophy that we believe enhances our client’s ability to make risk-based decisions. Translating academia to operationalization, the goal is to improve your organization’s ability to do security while reducing your risk. In today’s blog, we are going to explore how to build your security operations for your organization.
Key Takeaways:
- The creation, implementation, and management of a Security Operations Center (SOC) is an expensive but necessary operational security activity.
- A Security Operations Center (SOC) provides immediate value to your organization and proves the return on investment on security.
- If a Security Operations Center (SOC) is cost prohibitive, a Managed SOC via a Managed Security Service Provider (MSSP) is a compelling option, despite the drawbacks.
Maximize Visibility
Protecting your organization is a 24 hour a day, 7 day a week, 365 day a year responsibility. Every day, cybercriminals from around the world attempt to penetrate the information systems of companies big and small. Unfortunately, even for the most well-funded security programs, achieving broad visibility of systems on a network is a daunting challenge. Achieving visibility on your network is typically accomplished via a Security Operations Center (SOC).
20%: Percentage of practitioners who say their SecOps practices are mature
Only one in five respondents to a survey of over 250 security operations practitioners described their organizations as having a mature security operations capability. The remaining 80% reported that they are just getting started on their maturity journey or are only midway through it.
Building a Security Operations Center (SOC)
A Security Operations Center is a centralized collection of activities focused on understanding the events that affect the confidentiality, integrity, and availability of data within an organization. Building a security operations center can take years, cost tens of millions of dollars, and requires consistent, expert leadership.
Select Your Technologies
In order to build a Security Operations Center (SOC), the security team must select a technology stack to build security operations on: at minimum, log collection and a SIEM, endpoint telemetry, network visibility, and a ticketing or case-management system. With thousands of security vendors claiming to be the magic bullet of security, breaking through the noise can take months or even years. The selection process must balance cost, performance impacts, privacy implications, organizational policy, legacy systems, politics within the organization, and time to implement. For each technology, all of these criteria must be considered, and a SOC may depend on dozens, potentially hundreds, of technologies that must be implemented and integrated.
Staff Your SOC
Once you have your technology selected, you must staff your security operations center. A collection of Security Analysts, Security Engineers, and leaders will be required. Staffing is the most difficult aspect of standing up a SOC. Your staffing needs are based on the hours of coverage needed by your organization, which is defined by your risk appetite. Your risk appetite is your organization’s willingness to take on risk. For example: if you’re a bank, you will not be very tolerant of risk, as the financial losses would be dramatic. If you’re a small business, your risk appetite may be higher.
For organizations with a low risk appetite that require the highest protection, a SOC with 24/7/365 coverage is needed. Just to achieve this basic level of coverage, you would need to hire at least 5 people, although the number is actually closer to 10. The arithmetic is simple: one analyst seat staffed around the clock is 8,760 hours per year, and a full-time analyst provides roughly 1,800 to 1,900 working hours once leave, training, and sick time are removed, so a single seat needs about five people, and staffing two analysts per shift (so that no one works alone) takes roughly ten. A large shortage of specialized security talent exists in the workforce. With effectively zero unemployment among experienced practitioners, recruiting qualified security analysts and engineers is extremely difficult and comes with a high price tag. We have seen security engineers fetch a price tag north of $150k USD per year. Even with the most basic of coverage, labor alone for a 24/7/365 SOC runs into the millions of dollars per year before any technology cost is counted.
Justifying Your SOC
The core goal of a Security Operations Center (SOC) is to improve the visibility of cyber activity to the security team. When the SOC team uncovers an event, the incident response process kicks in. The justification to the business for such a large expenditure is a story that must be told consistently and often to the C-Level. This is accomplished through the reporting of Key Performance Indicators (KPI). KPI measures for a SOC should be carefully considered, balancing risk (how long attackers dwell before detection, how many high-severity cases are still open), activity (alert volume, true-positive rate), and relevance to the business. Common measures include mean time to detect (MTTD), mean time to acknowledge (MTTA), and mean time to contain (MTTC). KPIs should tell the story of how effective your SOC is at reducing cyber threats. Remember, you won’t be able to stop everything. Your goal is to reduce, minimize, and mitigate cyber events.
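As an added illustration (this is not code from the original post or from The Penn Group), the script below computes the KPIs described above from a handful of constructed incident records. The `Incident` fields, the sample tickets, and the 24-hour dwell threshold are assumptions for the example; a real SOC would pull these timestamps from its case-management system. Note that true positives and false positives are kept apart: detection and containment times are only meaningful for real incidents, while the true-positive rate is what tells you whether your alerting is tuned.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional


@dataclass
class Incident:
    """One SOC case. Timestamps are assumed to come from the ticketing system."""
    ticket: str
    severity: str                  # "high", "medium" or "low"
    occurred: datetime             # earliest attacker activity found during investigation
    detected: datetime             # first alert raised in the SIEM
    acknowledged: datetime         # analyst picked the alert up
    contained: Optional[datetime]  # None while the case is still open
    true_positive: bool            # False if the alert was closed as benign


# Constructed sample data for the example; not real incidents.
SAMPLE = [
    Incident("INC-1001", "high", datetime(2024, 3, 1, 2), datetime(2024, 3, 1, 4),
             datetime(2024, 3, 1, 4, 30), datetime(2024, 3, 1, 10), True),
    Incident("INC-1002", "medium", datetime(2024, 3, 3, 0), datetime(2024, 3, 4, 12),
             datetime(2024, 3, 4, 13), datetime(2024, 3, 5, 0), True),
    Incident("INC-1003", "low", datetime(2024, 3, 5, 9), datetime(2024, 3, 5, 9),
             datetime(2024, 3, 5, 9, 15), datetime(2024, 3, 5, 9, 30), False),
    Incident("INC-1004", "high", datetime(2024, 3, 6, 20), datetime(2024, 3, 7, 0),
             datetime(2024, 3, 7, 1, 30), None, True),
    Incident("INC-1005", "low", datetime(2024, 3, 8, 11), datetime(2024, 3, 8, 11),
             datetime(2024, 3, 8, 12), datetime(2024, 3, 8, 12, 10), False),
]

DWELL_LIMIT_HOURS = 24  # assumed threshold for "attacker was inside too long"


def hours_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def _avg_hours(values) -> Optional[float]:
    """Mean rounded to 0.1h, or None when there is nothing to average."""
    values = list(values)
    return round(mean(values), 1) if values else None


def soc_kpis(incidents) -> dict:
    """Return the KPI set for one reporting period.

    Risk:     mttd_hours, dwell_over_limit, open_high
    Activity: alerts, true_positive_rate, mtta_hours, mttc_hours
    """
    true_pos = [i for i in incidents if i.true_positive]
    closed_tp = [i for i in true_pos if i.contained is not None]
    return {
        "alerts": len(incidents),
        "true_positive_rate": round(len(true_pos) / len(incidents), 2) if incidents else None,
        # dwell time: attacker activity to first alert, real incidents only
        "mttd_hours": _avg_hours(hours_between(i.occurred, i.detected) for i in true_pos),
        # alert to analyst pickup
        "mtta_hours": _avg_hours(hours_between(i.detected, i.acknowledged) for i in true_pos),
        # alert to containment, only for cases that are actually closed
        "mttc_hours": _avg_hours(hours_between(i.detected, i.contained) for i in closed_tp),
        "open_high": sum(1 for i in true_pos if i.contained is None and i.severity == "high"),
        "dwell_over_limit": sum(
            1 for i in true_pos if hours_between(i.occurred, i.detected) > DWELL_LIMIT_HOURS
        ),
    }


if __name__ == "__main__":
    for name, value in soc_kpis(SAMPLE).items():
        print(f"{name:>20}: {value}")
```

Run against the sample, the report shows three true positives out of five alerts, an average dwell of 14 hours with one incident that went undetected for more than a day, and one high-severity case still open. Those three numbers, trended month over month, are the story to tell the C-Level: a falling MTTD and a falling count of long-dwell incidents is the SOC demonstrably reducing risk.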
Managed Security Operations
If your cybersecurity defenses fail to protect your organization, the consequences can and will undermine your mission, damage your brand, and invite enforcement action from regulators and litigation from affected parties. For most organizations, it is simply too expensive to stand up a SOC from scratch.
To adequately protect your organization, you need a complex web of technical, organizational, and managerial security controls that defend against attacks. Installing security technology, managing it, and monitoring it can be an untenable cost overhead for even medium to large organizations, and the constricted labor market makes finding qualified security talent to staff such teams harder still. Beyond technical security, organizations must have effective security policy and processes in place to ensure that they are prepared in the event of a breach. Some argue that the Cloud is a safe place to operate that does not require security of its own; this is a false notion. Cloud providers secure the underlying platform, but the customer remains responsible for configuring their own services, and a significant number of data breaches have been caused by inadequate or misconfigured cloud security, such as publicly readable storage buckets and over-permissive identity and access roles.
Protecting Your Organization with Managed Security
Because protecting your organization is a 24 hour a day, 7 day a week, 365 day a year responsibility, it is not enough to “lock down” your systems once and call them “secure”. This is checkbox security: a false sense of safety built on the illusion that your organization is protected because you “do” security, when in fact nobody is watching for the attacks that get past the controls.
With the tremendous costs of standing up a SOC from the ground up, a compelling alternative is to stand up a Managed Security Operations Center (MSOC) with a third party. The Penn Group offers full managed services including security operations, patching, and management to ensure your organization is protected. Managed security providers offer the advantages of a fast time to implementation, a reduction in costs, and a qualified team of security experts already recruited. The drawback of a Managed Security Service Provider (MSSP) is that you become “locked in” to that provider’s technology. Typically, a provider will have a predefined tech stack that must be used, and the telemetry and detection content accumulate in their tooling rather than yours. You should consider whether a predefined set of technologies is the right solution for your organization, and how you would move your data and detections if you later changed providers.
Summary:
- The creation, implementation, and management of a Security Operations Center (SOC) is an expensive but necessary operational security activity.
- A SOC provides immediate value to your organization and proves the return on investment on security.
- If a SOC is cost prohibitive, a Managed SOC via a Managed Security Service Provider (MSSP) is a compelling option, despite the drawbacks.