
STAMFORD, Conn., October 12, 2017

Security Operations Centers and Their Role in Cybersecurity

Ahead of the Gartner Security & Risk Management Summit in Dubai, Siddharth Deshpande, principal research analyst at Gartner, answered questions on trends for security operations centers and recommendations for security service providers.

Q: What is a security operations center (SOC)?

A: A security operations center (SOC) can be defined both as a team, often operating in shifts around the clock, and a facility dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfill and assess regulatory compliance.

Q: Is having an in-house SOC the only viable way for companies to create a security monitoring capability?

A: Building a SOC — or generally creating some form of internal security operations capabilities — is a costly and time-consuming effort that requires ongoing attention in order to be effective. Indeed, a great number of organizations (including some large organizations) choose not to have a SOC. Instead, they choose other security monitoring options, such as engaging a managed security service provider (MSSP).

CISOs and technology leaders contemplating building their own SOC should be very cognizant of the cost and staffing implications involved in this approach. There are plenty of alternatives to building and staffing an in-house SOC, and companies should explore them in addition to the various types of SOC models.

Q: What are the different types of SOC models?

A:

Virtual SOC

  • No dedicated facility
  • Part-time team members
  • Reactive, activated when a critical alert or incident occurs

Dedicated SOC

  • Dedicated facility
  • Dedicated team
  • Fully in-house

Distributed/Co-managed SOC

  • Dedicated and semi-dedicated team members
  • Typically 5x8 operations
  • When used with an MSSP, it is co-managed

Command SOC

  • Coordinates other SOCs
  • Provides threat intelligence, situational awareness and additional expertise
  • Rarely directly involved in day-to-day operations

Multifunction SOC / network operations center (NOC)

Dedicated facility with a dedicated team performing not just security, but other critical 24/7 IT operations from the same facility to reduce costs.

Fusion SOC

Traditional SOC functions and new ones, such as threat intelligence, computer incident response team (CIRT) and operational technology (OT) functions, are integrated into one SOC facility.

In addition to the six models above, where the customer's internal security teams are involved in varying degrees, there is another "fully outsourced" model. In fully outsourced models, a service provider builds and operates the SOC with minimal (or at best, supervisory) involvement from the customer organization.

Q: Why are organizations opting for SOCs?

A: Organizations are building internal security operations capabilities (even if in a limited sense) because they desire more control over their security monitoring and response process. They also want to have more informed conversations with regulators.

The strategic business impact of a SOC build project makes it a critical initiative for organizations. Organizations that decide to move ahead with an in-house SOC allocate both initial and ongoing funds in a structured manner, and expect the project to move with a sense of urgency once approved.

Q: What are your key recommendations for security services providers (i.e., vendors) that are considering offering services that enable customers to build and operate SOCs?

A:

  • Focus sales enablement programs on the business value delivered to customers through progressively greater degrees of control. Help customers choose between the available options while reinforcing the message that taking a full, do-it-yourself approach is practically impossible for most organizations.
  • Enable buyers to plan budgets for SOC projects by aligning pricing and service catalogs to buyer maturity with the ultimate objective of growing SOC maturity for the buyer in a structured manner.
  • Gain a competitive edge by focusing on industry-specific use cases for SOCs and helping customers evolve SOC metrics that are unique to their organization.

Q: What are your key recommendations for CISOs planning to build a SOC capability?

A:

  • Perform a realistic cost-benefit analysis of various security operations models before committing to a completely in-sourced SOC.
  • Focus on aligning SOC deliverables with business objectives by developing tightly defined goals and metrics that the SOC needs to deliver against.
  • Identify high business value and critical security functions and keep them in-house.
  • Consider use of MSSP services to offset the cost of 24/7 SOC operations and to fill coverage gaps.
  • Develop a SOC staff retention strategy from the outset.

Gartner Security and Risk Management Summits

Gartner analysts will provide additional analysis on IT security trends at the Gartner Security & Risk Management Summits 2017 taking place in Dubai. Follow news and updates from the events on Twitter at #GartnerSEC.

About Gartner

Gartner, Inc. (NYSE: IT), is the world's leading research and advisory company and a member of the S&P 500. We equip business leaders with indispensable insights, advice and tools to achieve their mission-critical priorities and build the successful organizations of tomorrow.

Our unmatched combination of expert-led, practitioner-sourced and data-driven research steers clients toward the right decisions on the issues that matter most. We're trusted as an objective resource and critical partner by more than 15,000 organizations in more than 100 countries—across all major functions, in every industry and enterprise size.

To learn more about how we help decision makers fuel the future of business, visit www.gartner.com.

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.