Recent Posts

Recent Blog Posts

The PhishLabs Blog

How To Build a Powerful Security Operations Center, Part 3: Financial Investment & Reporting

Posted by Johnny Calhoun, VP Client Operations on Apr 26, '17

Money.jpgIf you’ve made it this far through the series, you’re no doubt starting to realize (if you hadn’t already) that building a functional SOC requires a great deal of time, thought, and investment.

If you haven’t been following the series so far, now would be a good time to go back and read the first two articles:

So now that we've covered the most important components of a powerful SOC, it’s time to bring things into the real world, and talk about financial investment.


If your organization takes security seriously, you'll already know that phishing poses a huge threat to organizations in every industry. Find out how the phishing landscape changed over the past year.

Download the 2017 Phishing Trends & Intelligence Report

Don’t Forget the Pens…

If you’ve ever been involved with a large project, you know it’s rarely big ticket items that cause the budget to skyrocket.

Sure, your hardware is going to be expensive. Development costs will likely exceed what you expected. People will prove to be your single greatest expense.

But if you’ve already done some research, you likely have an idea of what you’d expect to spend on these areas. They’ll stretch a little, naturally, but that won’t surprise any experienced project manager.

What you might not have calculated, though, is how much you’ll need to spend on everything else.

For instance, in the first article we looked at some of the physical requirements of a new SOC, such as location, privacy, and physical security. Depending on where you decide to locate your SOC, you’ll either need to identify and calculate the cost of building these facilities into an existing company site, or factor in the cost of leasing a suitable location elsewhere.

Similarly, as we mentioned earlier in the series, you’ll need to factor in the cost of 24/7/365 coverage. This could mean paying extra to have your analysts work unsociable hours, but it could just as easily be something far more mundane. Heating, lighting, and other utilities are a substantial cost for every organization, so when you start having certain sites open for 24 hours each day you can expect to see a corresponding change in these variable costs.

And speaking of out-of-hours coverage, there’s another thing to consider: emergency cover. Your SOC will be designed to provide constant coverage, so what happens if there’s a power failure, or an essential utility drops out, or your on-site backups are corrupted? Backup generators, enhanced support contracts, and off-site backup facilities are a strong option, of course, but they don’t come cheap, so make sure you factor this into your budget.

What Gets Monitored Gets Managed

One of the most important things you can do to ensure your SOC provides a consistently high quality service is to set intelligence metrics, and use them to inform a continual loop of feedback and improvement.

But before you put a hundred different metrics in place, it’s important to remember a simple adage: What gets measured, gets managed.

Quite simply, if you put poorly thought out metrics in place, they might have precisely the opposite effect to what you’d hoped for.

For instance, let’s imagine you want to ensure the majority of cases are resolved within a set period of time. You could, of course, simply decide to measure case resolution times, and reward or investigate based purely on that metric.

But here’s the problem. This metric incentivizes resolving cases quickly, but not necessarily to a high standard. In extreme instances, it could even lead to cases being closed early even where full resolution hasn’t been achieved.

What you really need to do, if you want your SOC to thrive, is to come up with a set of metrics which work together to incentivize the team to perform to the best of their abilities. A combination of measuring case resolution times and customer satisfaction levels, for instance, would be far more likely to bring about the behavioral and process improvements you’re hoping for.

But of course, a reporting cycle can't work in isolation. In order to truly bring about continual improvement, you’ll also need regular input from your managers on the ground.

Earlier in the series we covered the importance of having managers on site at all times, to guide less experienced team members and help deal with exceptional circumstances. Another vital role of these managers, however, is to oversee and provide feedback on individuals, systems, and processes within the SOC. By comparing these personal insights with your objective metric data, you’ll be able to build a complete picture of operations as they currently stand.

From there, naturally, it’s a case of making the tweaks and changes necessary to keep your SOC trending upwards.

Eating the Elephant: One Bite at a Time

After three full blog posts, we’ve pretty much covered the basics of setting up a powerful SOC from scratch. Of course, once you get into the process of building a SOC there will be far more to consider than what we’ve outlined, but you should at least now have an idea of what’s involved.

But when faced with a project of this magnitude, it’s easy to become discouraged. After all, there are so many steps, so many considerations… for a mid-sized organization it can seem almost impossible.

And yes, it’s a huge undertaking. But if you’re sure it’s right for your organization, there’s only one thing you can do: Take it one step at a time until the job is done, and your SOC is operational.

But since it is such a huge undertaking, you may well be wondering whether it’s really the correct choice for your organization. The answer is simple, if frustrating: It depends.

If your organization’s assets are sufficiently critical that there’s a need for 24/7/365 security operations coverage, then yes, most likely should have a powerful SOC. But in the real world, not every organization has the resources required to complete a project like the one we’ve described.

If you fall into the latter category, all hope isn’t lost. Even with a modest budget, a security conscious organization can always improve its cyber security profile. Assuming you’ve already started taking positive steps in this direction, like implementing powerful security awareness training and investing in sensible technical controls, there’s one more resource that can help improve every aspect of your organization’s security: Intelligence.

With a constant source of accurate, analyst-approved threat intelligence, your security operations staff will have everything they need to initiate a cycle of constant improvement in both human and technical security controls. From firewall and spam filter tweaks to better security training for users, threat intelligence is a hugely powerful asset for any organization, whether they have a functional SOC or not.

To find out how your organization could benefit from threat intelligence, click here.

Topics: Security Operations

What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.

Recent Posts

Subscribe to Email Updates

Posts by Topic

see all