STAMFORD, Conn., October 12, 2017

Security Operations Centers and Their Role in Cybersecurity

Ahead of the Gartner Security and Risk Management Summit in Dubai, Siddharth Deshpande, principal research analyst at Gartner, answered questions on trends for security operations centers and recommendations for security service providers.

Q: What is a security operations center (SOC)?

A: A security operations center (SOC) can be defined both as a team, often operating in shifts around the clock, and a facility dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfill and assess regulatory compliance.

Q: Is having an in-house SOC the only viable way for companies to create a security monitoring capability?

A: Building a SOC — or generally creating some form of internal security operations capabilities — is a costly and time-consuming effort that requires ongoing attention in order to be effective. Indeed, a great number of organizations (including some large organizations) choose not to have a SOC. Instead, they choose other security monitoring options, such as engaging a managed security service provider (MSSP).

CISOs and technology leaders contemplating building their own SOC should be very cognizant of the cost and staffing implications involved in this approach. There are plenty of alternatives to building and staffing an in-house SOC, and companies should explore them in addition to the various types of SOC models.

Q: What are the different types of SOC models?

A:

Virtual SOC

  • No dedicated facility
  • Part-time team members
  • Reactive, activated when a critical alert or incident occurs

Dedicated SOC

  • Dedicated facility
  • Dedicated team
  • Fully in-house

Distributed/Co-managed SOC

  • Dedicated and semi-dedicated team members
  • Typically 5x8 operations
  • When used with an MSSP, it is co-managed

Command SOC

  • Coordinates other SOCs
  • Provides threat intelligence, situational awareness and additional expertise
  • Rarely directly involved in day-to-day operations

Multifunction SOC / network operations center (NOC)

Dedicated facility with a dedicated team performing not just security, but other critical 24/7 IT operations from the same facility to reduce costs.

Fusion SOC

Traditional SOC functions and new ones, such as threat intelligence, computer incident response team (CIRT) and operational technology (OT) functions, are integrated into one SOC facility.

In addition to the six models above, where the customer's internal security teams are involved in varying degrees, there is another "fully outsourced" model. In fully outsourced models, a service provider builds and operates the SOC with minimal (or at best, supervisory) involvement from the customer organization.

Q: Why are organizations opting for SOCs?

A: Organizations are building internal security operations capabilities (even if in a limited sense) because they desire more control over their security monitoring and response process. They also want to have more informed conversations with regulators.

The strategic business impact of a SOC build project makes it a critical initiative for organizations. Organizations that decide to move ahead with an in-house SOC allocate both initial and ongoing funds in a structured manner, and expect the project to move with a sense of urgency once approved.

Q: What are your key recommendations for security services providers (i.e. vendors) that are considering offering services that enable customers to build and operate SOCs?

A:

  • Focus sales enablement programs on the business value delivered to customers through progressively greater degrees of control. Help customers choose between the available options while reinforcing the message that taking a full, do-it-yourself approach is practically impossible for most organizations.
  • Enable buyers to plan budgets for SOC projects by aligning pricing and service catalogs to buyer maturity with the ultimate objective of growing SOC maturity for the buyer in a structured manner.
  • Gain a competitive edge by focusing on industry-specific use cases for SOCs and helping customers evolve SOC metrics that are unique to their organization.

Q: What are your key recommendations for CISOs planning to build a SOC capability?

A:

  • Perform a realistic cost-benefit analysis of various security operations models before committing to a completely in-sourced SOC.
  • Focus on aligning SOC deliverables with business objectives by developing tightly defined goals and metrics that the SOC needs to deliver against.
  • Identify high business value and critical security functions and keep them in-house.
  • Consider use of MSSP services to offset the cost of 24/7 SOC operations and to fill coverage gaps.
  • Develop a SOC staff retention strategy from the outset.

Gartner Security and Risk Management Summits

Gartner analysts will provide additional analysis on IT security trends at the Gartner Security & Risk Management Summit 2017, taking place in Dubai. Follow news and updates from the event on Twitter at #GartnerSEC.

About Gartner

Gartner, Inc. (NYSE: IT) is the world's leading research and advisory company. The company helps business leaders across all major functions in every industry and enterprise size with the objective insights they need to make the right decisions. Gartner's comprehensive suite of services delivers strategic advice and proven best practices to help clients succeed in their mission-critical priorities. Gartner is headquartered in Stamford, Connecticut, U.S.A., and has more than 13,000 associates serving clients in 11,000 enterprises in 100 countries. For more information, visit www.gartner.com.

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.