Your clients and prospects of all sizes are looking for cost-effective ways to reduce their vulnerability to cyberattack. A security operations center (SOC) leveraging a range of technology solutions is a comprehensive way to monitor a business’ or organization’s security status and detect and respond to cybersecurity incidents. Managing a SOC, however, is often beyond a business’ in-house capabilities — so, they’re looking for help.
Managed services providers (MSPs) ready to offer Security Operations Center as a Service have several options for expanding their businesses in this direction and, undoubtedly, some uncertainty about how to move forward. Zina Hassel, President of ZLH Enterprises Technology Consulting in Manalapan, NJ, and ASCII Group member, provides answers to some questions MSPs commonly ask about establishing a SOC as a Service offering.
What are the pros and cons of establishing your own SOC vs. using someone else’s?
Hassel: The biggest pro is adding a potentially lucrative revenue stream to an existing MSP business and the increased opportunity for additional business expansion with new clients, new industries, and new markets. The good news is that you can deploy a SOC in multiple ways, depending on how much hands-on time and money you have to invest. The bad news is the expense and exposure. You have three options:
Complete Ownership: Build it yourself from the ground up — infrastructure platform, resources, and policies.
- Pro: Complete control
- Con: Initial and ongoing financial investment, talent shortage, and slow to market
Hybrid Ownership: You can employ a SOCaaS, effectively outsourcing the platform, software and most of the infrastructure, while using your own employee resources.
- Pro: Limited CAPEX and faster to market
- Con: Talent shortage, significantly reduced selling, general and administrative (SG&A) and training expenses, shared control
Outsource Model: You can completely outsource the SOC and even white-label the product and resources.
- Pro: Fastest to market, limited financial investment and risk
- Con: Choosing the right partner, potential need to migrate to another partner or owned platform, shared control
What technology and infrastructure are required to establish your own SOC?
Hassel: The foundation of the SOC would be a SIEM platform supported by firewalls, IPS/IDS, endpoint monitoring technology, vulnerability scanners, and access to internal and external threat intelligence feeds. Depending on the defined need, you may require video monitors, cameras, access control systems, intrusion detection systems, mapping technology, work consoles and a lot more!
How significant is the investment?
Hassel: The capital investment is big! Projections from various sources show a first-year investment for a small SOC (one SIEM appliance) could require CAPEX of $100K to $125K for the first year and more than $100K in OPEX versus an outsourced model that’s about 20 percent of the combined expense requirement.
Future estimates show CAPEX and OPEX doubling over three years. The outsourced model would also increase but doesn’t appear to exceed 30 percent of the combined expense of the ownership model. Every MSP business is unique and at different stages of growth and talent, but a study of one or more operating models along with the financial requirements and ROI should be the first step.
What are staffing requirements, and what technical expertise does the team need?
Hassel: The security environment requires a high level of expertise and employees with security certifications, including security analysts, security engineers, security managers, CISSPs and a CISO. According to a recent article in Secure World Expo, the national average salary for a CISO is more than $175K up to $273K. All of the other positions range from $100K to $150K annually.
Staffing one 24×7 shift for the monitoring and response center would likely require four to five employees, so the investment in resources alone could be staggering. An average SOC requires approximately 12 employees. Considering the current shortfall in technology talent, it may be difficult to find the required resources, and the wages will continue to rise. The resource expense doesn’t stop with wages and benefits; ongoing training and creating an environment that makes employees feel compelled to stay are more important than ever.
What else should a VAR or MSP consider?
Hassel: Every company needs to decide what role/brand they want to have as an MSP/MSSP and how to best accomplish that goal. From my perspective:
- Start with that goal: Are you looking to change or permanently expand your core competencies?
- Find a trusted peer/advisor: This is a tremendous undertaking both in terms of financial and time resources. Can you afford the distraction and the ongoing OPEX needed?
- Build a plan based on multiple financial options: Should I leverage my investment or someone else’s?
- Evaluate the need for speed to market: When do I need to be in the market — NOW?
- Determine if the model you choose is scalable and profitable in the long term: Do I have access to enough money and people to keep pace with this fast-changing discipline?
- Assess flexibility to change direction if required: If this plan doesn’t work, can I change my original strategy and secure my business?
About The ASCII Group, Inc.
The ASCII Group is the premier community of North American MSPs, VARs and solution providers. The group has over 1,300 members located throughout the U.S. and Canada, and membership encompasses everyone from credentialed MSPs serving the SMB community to multi-location solution providers with a national reach. Founded in 1984, ASCII provides services to members including leveraged purchasing programs, education and training, marketing assistance, extensive peer interaction and more. ASCII works with a vibrant ecosystem of major technology vendors that complement the ASCII community and support the mission of helping MSPs and VARs to grow their businesses. For more information, please visit www.ascii.com.