The challenges of building an internal CSOC as an MSP

There is no doubt that cybersecurity is a growing market. Gartner estimates that by next year 60% of organisations will be using a Managed Detection & Response (MDR) service. As cyber attacks increase in frequency and sophistication, organisations are looking to better protect themselves in two ways – through preventative steps (‘left of bang’) and ongoing management and detection (‘right of bang’).

For organisations, building their own Cyber Security Operations Centre (CSOC), or SOC, is a huge undertaking, and something that only enterprises tend to consider. For SMBs and Midmarket organisations it is uneconomical and impractical to build an internal CSOC.

As a result, companies are often turning to their IT providers for a cybersecurity service alongside their existing IT services. However, MSPs face the same challenges in building an effective CSOC to deliver MDR and Managed Extended Detection & Response (MXDR) services.

What is a CSOC?

A CSOC (also known as a SOC) is a centralised business function that combines people, processes and technologies in order to deliver cyber threat monitoring, detection, prevention and response, as well as cyber security incident management and continuous improvement. Essentially, a CSOC is responsible for managing cyber threats and attacks to minimise the potential damage through rapid and effective response.
In order to have an effective CSOC, you will need the three key areas mentioned earlier:

  • People – skilled and experienced staff specialising in cybersecurity to run the CSOC and respond to incidents.
  • Processes – the right automations, playbooks and processes to monitor, identify and investigate threats, as well as then being able to effectively respond, contain and manage incidents.
  • Technologies – the technologies and platforms in place to monitor, detect and respond to threats, such as SIEM, SOAR and XDR technologies.
    • Many confuse having a SIEM with having a CSOC. Whilst a SIEM is necessary, it is the people and the processes that make the critical difference and deliver a proactive, preventative and effective CSOC.

What are the challenges when building an internal CSOC?

Building an effective CSOC comes with several challenges, which we have distilled into four main areas: costs, people, credibility and time to market.

The main overall challenge that MSPs need to consider is the sheer operational challenge of moving from a 9-5 MSP into a 24×7 MSSP. As cyber threats most likely occur out of working hours, you need 24×7 shift patterns in place – especially over holidays, which is a brand new challenge for many. The transition is no simple undertaking. For some, the challenges of building internally are worthwhile and a necessity, but for most the investment and commitment require careful consideration.

Costs

There is no denying that building a CSOC requires large upfront investment. For many MSPs, the heavy upfront costs are enough to stop them considering building, as it's simply uneconomic. An effective CSOC needs to be running 24x7x365, unlike Service Desks that can happily manage 9-5. This means shift pattern considerations and higher staff costs.

To run a 24x7x365 CSOC, the minimum staffing required is:

  • 8 x Security Analysts (average salary £45,000)
  • 1 x CSOC Manager (average salary £52,000)
  • 2 x Security Engineers (average salary £55,000)
  • 1 x Head of Cyber Security (average salary £72,000)

This has an annual wage bill of £594,000. And these really are the minimums, ignoring resource resilience and other CSOC functions, such as Incident Response. (Note: average salaries taken from https://uk.talent.com/en/)

People

People are the critical component of an effective CSOC and having the right people comes with its challenges:

  • Recruitment – finding and hiring skilled cybersecurity staff is challenging as there is a substantial cyber skills gap.
  • People Management – ensuring the right team management is in place for 24×7 operations, such as out of hours management, and managing holidays and sickness to balance operational resilience.
  • Retention – as the cyber market is very active there is a strong risk of poaching, so having a strong culture and benefits is vital to retain staff and ensure strong employee engagement.
  • Training – you also need to consider continual training and development to ensure that knowledge remains current – especially critical within the fast-paced industry of cybersecurity.

Credibility

It can take a long time to build credibility and a market presence within the cybersecurity market. You also need to ensure that you have the relevant supporting sales and marketing collateral, that internal teams are trained on how to sell to and support customers, and that clients receive an excellent service.

Ensuring that you have the right accreditations can also be challenging, especially for smaller organisations. Attaining the relevant cybersecurity badges, such as ISO 27001 and Cyber Essentials Plus, is a necessity, and if you specialise in particular security technologies then attaining the right accreditations here can be challenging, for example Microsoft Security designations and Advanced Specialisations.

Time to Market

Finally, it takes a significant amount of time to build an effective CSOC. The average is three years, and many organisations cannot afford to wait that long, as their customers or opportunities will have gone elsewhere due to the urgency of the need.
It takes significant time to consider and organise:

  • Processes – ensuring the right processes are in place, with time to fine-tune these for an effective and streamlined service.
  • Technologies – having the right technologies and technical architecture and foundations in place.
  • Legals & Commercials – you need time to build out the legals, service descriptions, ensure the right insurance levels and make sure you are commercially appropriate.

What are the options for MSPs?

MSPs today need to consider how they can provide managed security services. Recent research from ConnectWise found that most SMBs (94%) would consider using or moving to a new managed service provider (MSP) if they offered the “right” cybersecurity solution. Not providing these services leads to the risk that customers will look elsewhere, and as cybersecurity increases in importance, IT and cybersecurity are going to be intrinsically linked.

There are essentially three options available to MSPs:

  • Build – invest in the people, processes, and technologies to build an effective CSOC and deliver the services yourselves.
  • Buy – acquire a cybersecurity practice through acquisition to extend your capabilities.
  • Partner – partner with an MSSP to start delivering MDR & MXDR services immediately without the investment, challenges and risk.

Partner with Chorus

We offer a channel partner model that helps MSPs quickly deliver MDR and MXDR services. By partnering, you take away the challenges and risks of building or buying. The key benefits are:

  • Rapid time to market – you can very quickly get ready to go to market with managed security services, whereas building a CSOC takes an average of three years.
  • Open new market opportunities – customers are looking for these services today. By partnering you can quickly meet client requirements and reduce their risk, as well as open new opportunities in a growing market.
  • Cost-effective and new revenue – with no upfront investment and ongoing costs to yourselves, partnering is cost effective and also brings new annuity revenue streams and great profit margins.
  • Reduced risk – taking away the investment and time needed to build a CSOC yourself greatly reduces the initial risk to your return on investment. And by partnering with a specialist, you remove the risk of being responsible for cybersecurity management and ensuring you have the right contracts, legals and insurance in place.

Find out more

If you’d like to find out more about the benefits of partnering with Chorus and our channel partner model, please get in touch.