SOC: To outsource or not to outsource?

Posted on by RSAC Contributor

This post comes from Greg Boison, director of homeland and cybersecurity at Lockheed Martin, who was part of the Transforming SOCs roundtable discussion at the recent Gartner Security & Risk Management Summit. The following is his summary of the discussion.

While walking the floor and listening to the sessions at the Gartner Risk and Security Summit, a key issue crystallized for me around Security Operations Center (SOC) transformation.  Why is everyone building their own SOC?

For certain large-scale critical enterprises, a SOC is a must. But for the majority of enterprises, there is a need to determine one’s comparative advantage and understand where security should fall. Companies have two macro options when it comes to a SOC: build your own or fully outsource.

While no one wants to be reliant on an external party for what is a critical function, many businesses outsource critical functions such as payment processing, payroll, advertising, accounting, and legal.  When these functions are managed by an external entity, the other party is committing to staff the roles and can leverage economies of scale to ensure effective staffing or be terminated. 

But when a function is fully outsourced, an organization still requires an effective manager of that relationship. This manager needs to be a liaison with the sophistication and skillset to effectively supervise that relationship or else there will be tremendous waste or security risks.

In between these two extremes, one might band together with like organizations to create a shared SOC; such as several universities working together or several not-for-profit organizations of scale.  Akin to an ISAC with teeth, arms and legs, this organization would benefit from economies of scale while leveraging focused attention and an understanding of unique threats or capability needs.

An additional advantage to some outsourcing is the information sharing that will occur in an MSSP or system integrator with significant cyber responsibilities.  In our own activities at Lockheed Martin, we see our employees rotate into various roles supporting customers in civil federal agencies, defense, the intelligence community, and commercial critical infrastructure organizations. These “phone a friend” informal networks often precede more formal exchanges of threat intelligence and networking that can significantly elevate the maturity of one’s network defenses. 

If an enterprise does all of the analysis, and still requires a dedicated internal SOC, they need to analyze:

  • What percentage of their SOC resources, such as personnel, tools, training, processes, should be homegrown or leveraged by industry standards or contractor workforces;
  • Whether tools should be commodity or bespoke; and
  • How training can best occur, or should a training program be leveraged from an external provider or developed specific to their enterprise or mission. 

For the auditors, risk managers, network subject matter experts, and help desk technicians in small to medium enterprises to be expected to defend on par with CISSPs with years of experience who moonlight as ethical hackers is an unrealistic ideal.  Let us look to analogies throughout industry of defining comparative advantages and core competencies to determine the right mix of cyber focused enterprises and in the process improve the defenses of the economy and federal missions.

A focus on an intelligence-driven response can provide the resiliency to bounce back from a successful intrusion and continue gathering new levels of actionable intelligence.  But when an enterprise lacks the size or maturity to embrace true intelligence-driven defense, outsourcing can provide the expertise to transform a security operations center to an improve security intelligence posture. This continuum of security operations and security intelligence may provide a useful construct to plotting an enterprise’s transformation to defend against adversaries and effectively spend scarce budget resources.  

RSAC Contributor

, RSA Conference

Business Perspectives

professional development & workforce security operations

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs