SOC Contracts

egrizzly Member Posts: 533
A SOC is a Security Operations Center: an organization that sells its third-party expertise in administering the security of a company's IT infrastructure.

For those of y'all in management, what have some SOC contracts been like? I mean as far as the cost, the minimum contract length, and all of that. At what point does the contract have to get to before you would prefer hiring a Network Security Engineer? Also, how cheap does it have to get before you would start considering using the SOC instead of a full-time Network Security Engineer?
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+

Comments

  • UnixGuy Mod Posts: 4,570
    My experience with outsourcing to a SOC has been (very) negative... but that's in Australia.
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • paul78 Member Posts: 3,016
    egrizzly wrote: »
    For those of y'all in management what have some SOC contracts been like? I mean as far as the cost, the minimum contract length, and all of that.
    They've generally been fairly run-of-the-mill contracts. I've only had experience dealing with the larger service providers, so I imagine the contracts can vary depending on your locale and the size of the service provider. And of the 3 that I've done business with, the expenses were quite reasonable imo. Minimum contract lengths are one year. I tend to favor a multi-year contract after the first year so that I can lock in rate increases and get a better discount. Usually no more than 3 years is what I would do. Also, a no-assignment clause is a deal breaker for me.

    Also, I'm assuming you are in a US-based company.
    egrizzly wrote: »
    At what point does the contract have to get to before you would prefer hiring a Network Security Engineer? Also, how cheap does it have to get before you would start considering using the SOC instead of a full-time Network Security Engineer?
    I would never build a SOC unless there are economies of scale. And hiring a full-time engineer would never replace using a third-party SOC. I would never start building a SOC unless I had plans to hire at least 4 full-time security engineers. It's too risky to rely on an in-house SOC with 1 engineer. Also, having an in-house SOC usually doesn't make sense unless it's a core competency or a critical business function.
  • egrizzly Member Posts: 533
    Hi paul78,

    I actually meant the whole thread as doing business with an outside SOC versus starting one inside your company. Recently, our CIO got rid of our Chief Security Officer and rented the services of a SOC. However, word from the grapevine is that it was costing the company much more than the salary paid to the CISO. Hence the inspiration for this post.
    paul78 wrote: »
    They've generally been fairly run
    B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
  • paul78 Member Posts: 3,016
    egrizzly wrote: »
    However, word from the grapevine is that it was costing the company much more than the salary paid to the CISO. Hence the inspiration for this post.
    I would hope that it costs more; I would expect the value from an outsourced SOC vs. a single CISO to be a lot higher. However, that said, a SOC typically doesn't provide the type of functions that a CISO would provide. There are lots of non-SOC business operations that a SOC would not provide, such as third-party risk management, regulatory compliance, internal appsec oversight, customer assessments, etc. Although that also largely depends on your business; not all businesses have those needs.
  • jcundiff Member Posts: 486
    We have our SOC internal, staffed with about 15-20 analysts... InfoSec is critical to us and we won't outsource it. We outsource a lot of IT functions. Never seen a CISO provide those things, @paul78... Seen them have oversight over the teams providing them to the company, but not actually rolling their sleeves up and doing the grunt work (that was me :) )
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
  • paul78 Member Posts: 3,016
    jcundiff wrote: »
    We have our SOC internal, staffed with about 15-20 analysts... InfoSec is critical to us and we won't outsource it. We outsource a lot of IT functions. Never seen a CISO provide those things, @paul78... Seen them have oversight over the teams providing them to the company, but not actually rolling their sleeves up and doing the grunt work (that was me :) )
    Agreed, that is not what a CISO is paid to do. So my point is that replacing a CISO with an outsourced SOC doesn't make any sense unless the role of CISO is not needed.

    In your example, that goes to my point about scale: until a business can afford an in-house SOC and can staff and manage it well, a business is better off outsourcing it. Security Ops is critical to many businesses; that doesn't mean it should always be done in-house.
  • jcundiff Member Posts: 486
    @egrizzly: some other things to consider... a large number of the headline-making breaches in recent years have been caused by third-party vendors, whether HVAC (Target) or outsourced IT (PIP), so anytime you are outsourcing, this is another risk you must be prepared to deal with in the worst case. When outsourcing SOC functions, given the access required, you may be handing over the keys to the kingdom... just some food for thought.
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke