How much does an in-house security operations team cost?

You’re likely here because you’ve heard about Security Operations Centres (SOCs). You might know of some businesses that have opted to build their own in-house. And you’ll likely know of some businesses that have outsourced that service to a cyber security provider.

But the cyber security market is noisy. There are currently 1,4831 UK cyber security organisations. All claiming to be the best, most robust, most expert cyber security business on the market.

So we’re not going to do that. With this article, we want to help you sift through all of the noise, jargon, and acronyms to give you the information you need to take back to your business. Because in reality, there are different options when it comes to your cyber defence strategy and strengthening your security posture. For some, fully outsourcing their cyber security response is right for them. For others, building a SOC in-house is both within their gift, budget and experience. And for some, the right blend of in-house and outsourcing is the way to go.

Also, many businesses aren’t aware that there are a range of different security operations services, (with different levels of cost) to choose from. So you don’t always need to go for the most expensive option. And it’s good to shop around (as different providers offer varying levels of experience, capability and threat response).

Whatever your budget, along with your compliance and board requirements, we’ll give you a quick rundown of the costs involved when it comes to in-house vs outsourcing.

What does a SOC team do?

In a nutshell, a good SOC team delivers full cyber incident detection and response services. They’re monitoring your network 24/7 365 days a year. And when they discover a breach or compromise you’re fully supported from detection, to response and resolution, right through to lessons learned.

A SOC team will monitor your network by continuously gathering data feeds from multiple tools to look for patterns and anomalies. As you can imagine, that’s a lot of data. This is where threat intelligence and experienced security analysts come in. They have the skills and knowledge to sift through all of your data to remove any false positive alerts2, so they can find the real indicators of attack or compromise.

Once a potential attack or compromise has been discovered, your organisation will enter incident response mode. You’ll then follow pre-agreed processes with the full support of your SOC team to resolve the threat. Once resolved, your SOC team may continue to support you with forensics to help you identify how the bad actor infiltrated your network, patch any weaknesses and mitigate against future incidents.

What makes a good security team?

In short, a good security operations team involves the right balance of:

  • Technology
  • People
  • Process.

Without trained analysts technology serves as a noisy alarm

Yes, technology is important. It should continuously gather system data to flag anything it thinks is a threat. But without heavy tuning by a trained analyst, your technology won’t understand what your organisation’s baseline behaviour is, making it difficult to know what’s a false positive and what’s a legitimate threat. Nor can most technology take any action to resolve the threat. It just tells you that there might be something in your network to worry about. So whether you hire a team in-house, or outsource, it’s best to not rely on technology alone.

A good SOC team can effectively analyse all data gathered

Security tools aren’t able to sift through all data inputs to discover real indicators of attack or compromise. Whereas security analysts and SOC team operatives have the knowledge and experience to understand:

  • how to monitor endpoints, any vulnerability information from scanners, along with security intelligence feeds, intrusion prevention and detection systems
  • all of your network information, like IP addresses, logs and connection details
  • the ins and outs of your operating systems
  • any topology information (how your hardware devices are arranged to fulfil security requirements and public access)

  • your externally facing firewalls and any antivirus software you use
  • the wider business context to know what’s important to the organisation they’re protecting.

An experienced SOC team should conduct threat hunting

As well as gathering and monitoring data for indicators of attack or compromise. An experienced SOC team should conduct regular threat hunting. This involves analysing all of your data at a deeper level to proactively search for patterns that indicate suspicious activity. It’s much more proactive than waiting for alerts to come through on their own. And can stop an attack before it’s anywhere near your business.

Fully supporting your business in the event of an attack

A SOC team’s work doesn’t stop there though. Once an indicator of attack or compromise is discovered, you should be immediately alerted so you can begin to follow the security processes (aka playbooks) previously laid out for you by your SOC team. Having proper processes in place means there’s a plan when something goes wrong. This leads to a pragmatic and level-headed response from your in-house team at a time that could feel incredibly stressful for your business. Your SOC team will guide you through the full process from detection right through to response, resolution and forensics.

Forensics to continuously strengthen your security posture

Forensics is an important part of the process, which involves a deep dive into how the threat infiltrated your network, so your SOC can patch any weaknesses and recommend actions to mitigate against similar attacks in future. This is an important part of continuously improving your security posture (which should in turn reassure your board, your users and your cyber insurers). With the added bonus of deterring bad actors from trying to compromise your business in future.

How many people does it take to run a SOC?

Different organisations might have different setups. ‘But if we’re looking at security operations best practise you should generally hire (or outsource) 4 key roles:

  1. Security analysts – They report on indicators of attack or compromise, to either follow pre-agreed processes or alert the appropriate teams to analyse and resolve the alert. They’re often the last line of defence against threats, working alongside security managers and cybersecurity engineers. They usually report to the SOC manager.

  1. Security engineers– They’re the software or hardware specialists that are in charge of maintaining and updating security tools and systems. They also take care of the documentation that the rest of the SOC team might need (like playbooks and digital security processes).

  1. The SOC manager – They manage the whole SOC team. They direct SOC operations and ensure communication and collaboration between analysts and engineers. They also hire and train all operatives in the team. And are responsible for implementing and maintaining your cyber security strategy. On top of all that, they direct your company’s internal response to major security threats.

  1. The Chief Information Security Officer (CISO) This is a leadership position. The CISO builds security strategies, policies, and operations. They work closely with the CEO, and report to management on security issues.

How much does it cost to set up a SOC?

So here are the costs (based on averages for small to medium businesses):

  • It costs on average £2,600 to successfully mitigate an attack.3

  • It costs on average £8,170 – £13,400 when dealing with an attack with an outcome.4 (an example of an attack with an outcome would be an incident that causes a loss of business operations)

Based on the (very conservative) figures above, you might expect to pay:

  • £15,288/year5 in costs to mitigate attacks.
  • £48,040/year6 if you can’t mitigate attacks.

Outsource vs in-house? Here are the costs for each:

  • An entry-level Security Analyst could cost £40,000/year in salary alone. If you’re looking for 24/7 365 days a year monitoring remember to hire extra analysts to cover holidays, sickness and night shifts.
  • A 24/7 team (if that’s what you’re looking for) requires a mathematical minimum of 5 staff, not including holidays or sickness. With a range of experience levels, this could cost around £300,000/year7 if done fully in-house.
  • As we’ve mentioned there are different levels of SOC teams with tiered pricing. We’ve analysed entry-level prices from only the best providers. These costs start at £15,000/year for 24/7 detection and response of all common cyberthreats facing businesses today.

How do you build a security operations centre on a budget?

So while we wouldn’t recommend building your own SOC on a budget, you can look at different options that suit different budgets:

Pros and cons of fully in-house:

  • Pros: You can keep full control of your team and your cyber response. You’ll have full business context for your SOC (to continually enhance your security processes). You can also provide development opportunities for non-cyber IT people within your business who want to learn more about cyber security. Along with offering cyber security staff the opportunity to try other roles.
  • Cons: If you build a SOC in-house staff can get bored working on security for the same customer. So there’s more potential that they’ll move on over time if there’s not enough variety in their role. Alert fatigue is also important to consider. Many of the alerts first-line defence will receive will be false positives. These can be very high volume. So sifting through large quantities of these each day can lead to lower levels of productivity and motivation. There’s also the general cost and time it takes to build and maintain a SOC in-house. And it can be difficult and expensive to make a 24/7 365 SOC (especially finding experienced staff to do these late-night shifts).

Pros and cons of fully outsourced:

  • Pros: Peace of mind is the ultimate benefit. When you completely outsource your SOC to an expert cyber security partner, you don’t need to worry about any of the resourcing. You’ll have a fully staffed 24/7 SOC with cyber security analysts experienced in dealing with all kinds of threats and attacks. This varied experience of looking after lots of different businesses will give them a full view of the threat landscape and how best to respond to each incident. With the right managed security service provider, you’re looking for full visibility of all SOC activities so you can easily report back to your senior leadership team. The right partner will also have the knowledge and experience to test your security processes to continually enhance your security posture. And in the event of a breach, they’ll support your response, resolution and lessons learned.
  • Cons: With the wrong managed service provider, you could lose some visibility of your cyber security activities. And if there is an incident, ultimately the cyber buck stops with you. So if you don’t know what your outsourced team are doing it can be hard to communicate your response to a breach or incident to your customers, employees and suppliers. Similarly, without a provider that offers visibility, it will be hard to articulate your approach to cyber security to your senior leadership team. Transparency when it comes to the billing model could be an issue too. If your outsourced team charge per alert, your costs could soar as your business scales. So make sure you choose a trusted provider that’s straightforward, responsive, and communicative.

Pros and cons of a hybrid model:

  • Pros: So this could be the best of both worlds. With some security services in-house, you’ll be able to keep some business context, while also tapping into the expertise you need. This could allow you to run a 24/7 SOC without having to worry about staffing and capacity yourself. It’ll likely reduce alert fatigue for your in-house team too. By using some automation, or by simply letting the 3rd party do 1st/2nd line alerts, you can choose to only give your in-house team the ‘interesting’ alerts and incidents. And with a hybrid model, you’d still have the additional support your in-house team needs during incidents. This flexibility might suit you, as you can decide on the level of control you want to keep in-house and what functions you’d like to out-source.
  • Cons: You’d have to give up some elements of control. And you’ll potentially lose some business context (at least initially) if you go with hybrid over fully in-house. With the wrong partner visibility can be an issue, as your insight may be stored externally. And with the wrong pricing model (e.g. per alert) costs can soar as your business grows. So it’s important you find a partner you trust and can work well alongside. Full visibility of all incidents and activities is an important factor when choosing your hybrid model partner too. And you should also consider if they can accommodate any service customisation you might need. As with any outsourcing model, governance can be a real challenge –getting the right focus on Service Level Agreements (SLAs) and business impact (as well as the flexibility to change SLAs as other priorities come up).

Should you in-house or outsource your Security Operations Centre?

Ultimately, it’s up to you. What’s right for one business might not be right for the next. As well as deciding on in-house-vs-hybrid-vs-outsource, you’ll also notice different security packages from managed serviced providers with various levels of pricing. So there’s something to suit every budget.

If you do decide to outsource some or all of your security operations. Our main advice would be to shop around to find a provider you trust. Someone that offers good visibility, full peace of mind and can work well alongside your business.

If you’d like to chat to us about Managed Security, get in touch. We’d be happy to answer any questions you might have.


 

Footnotes

  1. UK Cyber Security Sectoral Analysis 2021, Research report for the Department for Digital, Culture, Media and Sport.
  2. A common example of a false positive would be one of your users logging on from abroad (when you have no office locations there). This could simply be a legitimate user checking a few emails while on leave. So your SOC team would investigate and deem it to be a false positive alert.
  3. The DCMS Cyber Security Breaches Survey, 2021
  4. The DCMS Cyber Security Breaches Survey, 2021
  5. £2,600 and £8,170 x 49% (for an average # of attacks/month) x 12. Costs to mitigate are on top of any costs of a service (based on worker-hours to respond).
  6. £2,600 and £8,170 x 49% (for an average # of attacks/month) x 12. Costs to mitigate are on top of any costs of a service (based on worker-hours to respond).
  7. Based on 2 entry-level at 40k/year, 2 mid-level at 60k/year and 1 senior at 100k/year – in reality 7 is more of a practical minimum which could cost in excess of 400k/year.

If you’d like to find out more about how we can help, get in touch.