Should You Establish Your Own Security Operations Center or Use Someone Else’s?

Building and staffing a SOC is a tremendous undertaking — are you ready to make the investment or is outsourcing a better option for your business?

Your clients and prospects of all sizes are looking for cost-effective ways to reduce their cyberattack vulnerability. A security operations center (SOC) leveraging a range of technology solutions is a comprehensive way to monitor a business’s or organization’s security status and detect and respond to cybersecurity incidents. However, managing a SOC is often beyond a business’s in-house capabilities, so they’re looking for help.

Managed services providers (MSPs) ready to offer Security Operations Center as a Service have several options for expanding their businesses in this direction and, undoubtedly, some uncertainty about moving forward. Zina Hassel, President of ZLH Enterprises Technology Consulting in Manalapan, NJ, and ASCII Group member, answers questions MSPs commonly ask about establishing SOC as a Service offerings.  

What are the pros and cons of establishing your own SOC vs. using someone else’s?   

Hassel: The biggest pro is adding a potentially lucrative revenue stream to an existing MSP business and the increased opportunity for additional business expansion with new clients, industries, and markets. The good news is that you can deploy a SOC in multiple ways, depending on how much hands-on time and money you have to invest. The bad news is the expense and exposure. You have three options:

Complete Ownership:  Build it yourself from the ground up – infrastructure platform, resources, and policies.

      • Pro: Complete control
      • Con: Initial and ongoing financial investment, talent shortage, and slow to market

Hybrid Ownership: You can employ a SOCaaS effectively, outsourcing the platform, software and most of the infrastructure while using your employee resources.

      • Pro: Limited CAPEX and faster to market
      • Con: Talent shortage, significantly reduced selling, general and administrative (SG&A) and training expenses, shared control

Outsource Model:  You can completely outsource the SOC and white-label the product and resources.

      • Pro: Fastest to market, limited financial investment and risk
      • Con: Choosing the right partner, the potential need to migrate to another partner or owned platform, shared control

What technology and infrastructure are required to establish your own SOC? 

Hassel: The foundation of the SOC would be a SIEM platform supported by firewalls, IPS/IDS, endpoint monitoring technology, vulnerability scanners, and access to internal and external threat intelligence feeds. Depending on the defined need, you may require video monitors, cameras, access control systems, intrusion detection systems, mapping technology, work consoles and more.

How significant is the investment? 

Hassel: The capital investment is big. Projections from various sources show that a first-year investment for a small SOC (one SIEM appliance) could require CAPEX of $100K to $125K for the first year and more than $100K in OPEX versus an outsourced model, which is about 20 percent of the combined expense requirement.

Future estimates show CAPEX and OPEX doubling over three years. The outsourced model would also increase but doesn’t appear to exceed 30 percent of the combined expense of the ownership model. Every MSP business is unique and at different stages of growth and talent, but the first step should be a study of one or more operating models, along with the financial requirements and ROI.

What are staffing requirements, and what technical expertise does the team need? 

Hassel: The security environment requires a high level of expertise and employees with security certifications, including security analysts, security engineers, security managers, CISSPs and a CISO. According to an article in the Secure World Expo, the national average salary for a CISO is more than $175K. All other positions range from $100K to $150K annually.

Staffing one 24×7 shift for the monitoring and response center would likely require four to five employees, so the investment in resources alone could be staggering. An average SOC requires approximately 12 employees. Considering the current shortfall in technology talent, it may be challenging to find the necessary resources, and wages will continue to rise. The resource expense doesn’t stop with salaries and benefits – ongoing training and creating an environment that makes employees feel compelled to stay are more important than ever.

What else should a VAR or MSP consider?

Hassel: Every company needs to decide what role/brand they want to have as an MSP/MSSP and how to accomplish that goal best. From my perspective:

  • Start with that goal: Are you looking to change or permanently expand your core competencies?
  • Find a trusted peer/advisor: This is a tremendous undertaking, both financially and in terms of time and resources. Can you afford the distraction and the ongoing OPEX?
  • Build a plan based on multiple financial options: Should I leverage my investment or someone else’s?
  • Evaluate the need for speed to market: When do I need to be in the market – NOW?
  • Determine if the model you choose is scalable and profitable in the long term: Do I have access to enough money and people to keep pace with this fast-changing discipline?
  • Assess flexibility to change direction if required: If this plan doesn’t work, can I change my original strategy and secure my business?

About The ASCII Group, Inc.

The ASCII Group is the premier community of North American MSPs, VARs and solution providers. The group has over 1,300 members throughout the U.S. and Canada, and membership encompasses everyone from credentialed MSPs serving the SMB community to multi-location solution providers with a national reach. Founded in 1984, ASCII provides services to members, including leveraged purchasing programs, education and training, marketing assistance, extensive peer interaction and more. ASCII works with a vibrant ecosystem of major technology vendors that complement the ASCII community and support the mission of helping MSPs and VARs grow their businesses. For more information, please visit