Ask These Questions When Considering In-House Versus Third-Party Security Operations Centers

Welcome to the latest installment in our blog series detailing the case for change and best practices for creating and maintaining Security Operations Centers (SOCs). Catch up by reading last week’s post on the five requirements to roadmap when building a SOC.  


A new report from ISACA (also known as the Information Systems Audit and Control Association), Current Trends in Workforce Development, highlights what we’ve talked about for the last several months: the lack of qualified cybersecurity professionals in the job market today and what we can do to minimize the effect of this skills shortage.

According to the report, more than 25% of enterprises are taking more than six months to fill a security vacancy. Only 59 percent of the organizations say they receive at least five applications for each cyber security opening, and only 13 percent receive 20 or more. This compares to the 60 to 250 applications for the majority of non-security job openings.

ISACA offers several recommendations to help employers find, assess and retain qualified cyber security talent. In locating talent, it suggests mining your existing employees for hidden cybersecurity talent but to also seriously consider technology automation and employing third-party managed security service providers (MSSPs) wherever possible.  

Easier said than done. Some organizations may have employees ready to step in and fill the roles of incident responders and SOC analysts, or – as we’ve already seen – they do not since cybersecurity expertise is becoming even harder to find and hire. So outsourcing, whether through MSSPs or contractors, could be a viable option. For some security teams, a hybrid mix of in-house and third-party resources could also work well.

In short, the answer of build versus buy is: It depends. Here are the right questions to ask when looking at whether you should keep the creation and management of a SOC in-house or outsource it to a MSSP.  

Internal (In-House) SOC

Security is, by its very nature, an insular business. Companies understandably want to keep as much of its security profile within the four walls of their organizations as possible. When looking internally, ask yourself these six questions. If you can’t come up with a viable answer for even one of them, we strongly advise that a third-party SOC should be considered:

  1. Assessing your current strengths: Does your company’s staff have the skills and knowledge to manage a SOC?
  2. Benchmarking cybersecurity skills: How will your company determine if your employees actually have those skills?
  3. Taking time to create documentation: Is your company willing to take the time to codify all of the SOC processes and procedures?
  4. Ability to teach employees how to use the SOC: Who will develop a SOC training program?
  5. Architecting the space necessary for a SOC: Who will design the physical SOC site?
  6. Maintaining a solid roster of key SOC players: Can your company hire and maintain adequate staff levels for the SOC?

Outsourced (Third-Party) SOC

Another option is to completely outsource SOC operations to trusted third parties. It’s no secret that there’s a tremendous shortage in cybersecurity professionals in the job market today, and that it will only get worse before it gets better. Instead of taking months to potentially hire a world-class crew, why not partner with companies who already employ experienced cybersecurity professionals?

When you’re interviewing potential third-party MSSPs, make sure you ask them these five questions:

  1. Having a security utopia in mind: Can you help us achieve our vision and goals for cybersecurity?
  2. Documenting requirements: What are your service level agreements, liabilities, and terms of engagement – does it align to what we must deliver to our key stakeholders?
  3. Understanding with whom MSSPs partner: Who are your top vendors, partners, and sub-contractors – and how do you select them?  
  4. Digging deep on MSSP’s hiring and employee retention policies: Who do you employ, what is their background in cybersecurity, how do you train them, and what is your employee retention rate?  
  5. Trust, but verify: Can I speak to your existing customers and vendors as well as some third-party industry analysts to validate your claims and value proposition?

Come back next week as we look at how to create a successful process for identification, triage, and investigation within your SOC. Can’t wait until then? Visit our website to learn how US Cyber Vault’s managed security services deliver security operations center, analyst, intelligence and incident response capabilities rapidly, enabling companies to save up to 90 percent on traditional cybersecurity costs.