In May, e2e-assure held the first of two ‘virtual private events’ (VPEs), hosted by Amar Singh of the Cyber Management Alliance with 15 CISOs to discuss the pros and cons of hybrid SOC.
In June, we hosted the second of these events with another group of 15 CISOs. Both events saw insightful conversation with the broad range of attendees bringing different experiences and thoughtful discussion. Attendees varied from those who had plenty of experience running hybrid SOCs to those that had traditionally only kept them in-house and everyone in between.
This serves as an update to the original blog to take into account the discussions at the second VPE.
What is a hybrid SOC?
Fundamentally a hybrid SOC is a part-outsourced service, with an organisation keeping some element of their security operations in-house, whilst leaning on an expert provider for other elements of the service. What is kept in-house and what is outsourced is subject to a much wider debate than we’ll go into here, but should come down to the capabilities and requirements of the customer, in particular any skill or resourcing gaps they’re looking to cover.
What are the pros and cons of a hybrid SOC?
This was discussed in four breakout sessions and in those we saw a number of interesting real-life examples brought to the table. To our surprise, there were more pros than cons drawn up, but this, perhaps, is down to the flexible nature of the hybrid model, meaning organisations can tailor elements of the service to suit them, rather than be completely reliant on in-house or outsourced resource.
Pros:
- Extending team capability, capacity and size
- The ability to ‘Bring your own Licence’ – retaining and maximising previous investments (with the right partner)
- External validation of the in-house security function to take to the board
- Faster detection and response
- An uninterrupted, 24/7/365 service, without buring out in-house staff
- The ability to outsource the mundane, keeping in-house analysts interested
- Offers greater visibility and business context over fully outsourced
- The ability to cut through the noise of alerts and provide the in-house analysts with more meaningful information to act on
- Getting around the huge costs of creating and maintaining an in-house SOC
- Greater flexibility as your organisation changes (add to or remove from the service more easily)
- Wider access to threat intelligence
- Reduced TCO throughout a contract through improving ‘cyber maturity’
Cons:
- May have to give up elements of control
- The requirement for privacy and/or clearance checks with the chosen partner (not all will have this)
- Potential loss of business context (atleast initially) over fully in-house
- Insight stored externally
- With the wrong pricing model (e.g. per alert), costs can soar as the business grows
- A potential lack of service customisation (depending on the partner)
- Having multiple 3rd party suppliers in a similar space can make it much harder to get them working together
- As with any outsourcing model, governance can be a real challenge; getting the right focus on SLA’s and business impact (as well as flexibility to change SLA’s as other priorities come up)
Is there anything on this list (or not on this list) that surprises you, or anything you don’t agree with? Let us know!
The Differentiators
Of course, some of the benefits and challenges will be more or less pronounced depending on the organisation and the SOC partner chosen. The benefits will also be more significant at different times in an organisation’s growth and so whilst a hybrid model will be right for a number of organisations right now, over time it may become less beneficial. This is where having a partner that you can have open and honest conversations about is critical – where possible choose a partner that looks to support your cyber improvement, not solely protect their own revenue. For advice on questions to ask potential providers, why not ask for our guide: ’10 questions a CISO should ask service providers’, by emailing info@e2e-assure.com or visiting e2e-assure.com/contact.
If you’d like to attend the in-depth workshop on the 7th of July, then message us using the details above.
The original version of this blog was published in May.