To be successful as an MSSP or security-centric MSP, security operations center (SOC) is a must.

Where you go from there, however, prompts questions. Should you build your own SOC or outsource to a specialist? Is a white-label offering right for you? If so, how do you choose? And if you want to build, is there a relevant operational maturity model that can guide the project?

Mosaic 451’s Michael Jenks

Tech Data’s Alex Ryals

During a panel discussion titled “Build vs. Buy: Security Operations Center Decision Time,” part of the security track sponsored by Nextiva at Channel Partners Evolution, Sept. 9-12, in Washington, D.C., Alex Ryals, Tech Data’s vice president of security solution, and Michael Jenks, Mosiac451’s lead cybersec analyst, will help guide you to the right choice for your company.

In a Q&A with Channel Partners, Ryals and Jenks give a sneak peek of the information they plan to share during this discussion.

Channel Partners: What are some of the issues to consider when deciding whether to build your own SOC or outsource?

Alex Ryals: Cost – building a SOC could cost $1-3 million depending on the size and scope. With your particular customer base, determine how long it will take to recoup your cost. Timing – some

partners may find that it’s better to outsource the SOC to ensure your sales team is capable of selling the solution before you invest in building it yourself.

Skills – finding qualified people to work as SOC analysts is very difficult, so make sure that you have a pipeline of these rare resources before you invest. Scope – you need to decide early if you will staff for 24×7 or 9×5. Maybe you should partner for the after-hours work.

Michael Jenks: I think the most important issue when deciding about dealing with SOC operations for a specific business is to have an understanding of the risk appetite of an organization. Every other issue, potential or real, and decision relating to security operations will be affected by a specific risk appetite and without this understanding there will be frustrations along the entire road of operations.

CP: What are some common mistakes to avoid when building your own SOC?

AR: Automation needs to be top of mind from the start. A security information and event management (SIEM) solution alone with SOC analysis to sift through the data will not be effective unless you can automate some of the incident response to help you scale.

Don’t underestimate the difficulty in finding qualified legitimate cyber-skilled people. Determining pricing for your solution is very tricky, and there are many ways to do it. I would suggest not charging for every endpoint device, but focus on the servers, network and security devices.

MJ: It has been my experience that mistakes are unique to each business with one exception: management not understanding how an efficient SOC operates and not trusting the people that do understand.

CP: What’s the best criteria for choosing a specialist to handle your SOC?

AR: Many people immediately look for former IT resources to work in…

…the SOC, but the truth is that IT people think in a structured way with rules, policies and procedures – but hackers are very unstructured and creative. To catch a hacker, you need to think like them, so hire a former programmer with problem-solving skills.

MJ: My personal stance is that when it comes to security operations, because of how involved and effective (it) has to be with the rest of the business, that outsourcing this piece of a business poses too much risk to be viable. I have yet to personally experience any business that has processes, clear communication and reporting lines, and enough integration to allow an outsourced SOC for an MSSP to do anything other than cause frustration.

CP: What do you hope attendees learn and can make use of from your session?

AR: My goal is for attendees to think carefully before deciding to spend the dollars to build their own SOC and make sure that they evaluate whether a borrow vs. build strategy is better for the short term until they determine if they are capable of selling SOC services.

MJ: I hope they learn that people cannot completely rely upon any silver bullet around security operations. There is no tool, no person or set of people that will make it magically work. With how much technology is embedded within every business in the world we live in these days, it takes a lot of understanding, knowledge and adaptability to make a SOC be effective. This involves an investment into the people managing and utilizing the tools and processes for SOC operations.