Benchmarking: The Key to Creating an Efficient Security Operations Center (SOC)


In recent years, security has become a top priority for businesses as they face an increase in the frequency and severity of cyberattacks. Today, it’s nearly impossible to operate without a Security Operations Center (SOC). Because a SOC is one of the major components of an organization's global security policy, organizations must conduct regular benchmarks to ensure it is performing up to technical and financial expectations.

Some CIOs have built their SOCs over time with a mix of internal and external resources. But, given the ongoing evolution of cybersecurity techniques and the need to constantly adopt new skills and tools, managing this mix is becoming increasingly complicated. To add to this, national regulatory agencies – for example, the National Agency for the Safety of Information Systems (ANSSI) in France – are regularly publishing and updating legal security standards.

Consequently, some CIOs are now opting to outsource the SOC function – and, for many firms, this appears to be the ideal solution. It gives an enterprise an expert operational team at its disposal 24x7, without having to spend time and money training its own staff. Outsourcing a SOC also gives enterprises the benefit of a flexible solution that can be adapted to the countries where they operate, by sharing best practices to counter new risks such as advanced persistent threats against supervisory control and data acquisition (SCADA) networks. It also allows an enterprise to take advantage of a provider’s professional infrastructure and expertise, helping it reduce costs, increase security and optimize its budget through a competitive bidding process.

Whether managed internally or entrusted to a third-party security provider, a SOC is a significant cost that companies must closely control and regularly benchmark. SOC providers are continually offering new services, usually by working with the national computer emergency response team (CERT) on the search for vulnerabilities and the resolution of cyber incidents. New services include, for example, dark web analysis, anti-phishing, forensics and management of mobile devices.

Why Benchmark Your SOC?

Managing a SOC effectively requires highly specialized skills in security information and event management (SIEM), including log analysis, network flow analysis, and identity and access management. These services are continually evolving, making them increasingly difficult to evaluate in terms of quality and cost. Many firms feel their SOC is expensive without fully understanding the value it provides. A benchmark will identify, analyze and compare all costs associated with a SOC to help a company assess those costs in relation to the value delivered.

Experience and many real-world examples show a direct relationship between the sophistication of a company’s IT equipment, the degree of complexity of its computing platforms and the cost of security. The cost of a SOC, therefore, must remain within a certain percentage range of the overall cost of the IT infrastructure. In this way, the cost of security is comparable to the cost of a service desk in a standard European IT budget (although it could be twice as much in the U.S.). However, the cost of cybersecurity is growing fast – at 10 to 15 percent a year – as many firms have been slow to adopt cyber protection to date.

How Is a Benchmark Carried Out?

The first step in a benchmark is to conduct an audit based on a set of questions and a model that details the activities of the security services provided by the SOC. The audit is used to analyze those services and their associated costs.

The second step is to define a metric that makes sense to the business. SOC providers typically invoice based on either a flat rate or work units (WU). It is always in the client’s interest to select a contract based on WU, because it is easier to benchmark and to search for potential improvements. When an enterprise measures the performance of a SOC by tracking the number of events per second (EPS) it handles, it can then tie its SOC spend to the EPS to create a valuable metric that helps determine the efficacy of the SOC.

The third step is to measure the ITIL maturity of the security process, including an analysis of all problem management, incident management and change management activities.

Outsourcing a SOC is still a relatively new practice for enterprises in the market today, and SOC providers are still working to optimize their offerings. Many SOC providers have room to grow when it comes to standardizing and automating their services. Buyers can ask for tailor-made services – which may be appealing in a world with increasing security risks – but most providers prefer to sell a streamlined offering. Either way, a benchmark assessment is an invaluable step for ensuring an effective SOC and a safe IT environment.

ISG helps companies think through their security needs, both strategically and tactically, to find the best-fit solutions. Contact us to discuss how we can help.

About the author

Pierre Puyraveau brings more than 25 years’ expertise in senior business management and IT outsourcing (infrastructure and applications) to ISG clients as a Director. Pierre’s in-depth IT management experience includes expertise in large, complex and demanding IT environments for engagements such as worldwide network and telco operations benchmarking and data center consolidations; advisory services for the negotiation of large contracts; and management of client challenges requiring rapid assessment, planning and successful execution.