Most MSPs Can’t Afford to Build Security Operations Centers (SOCs)

Credit: Pixabay

You know the story. Thousands of VARs and MSPs are looking to augment their basic endpoint management capabilities with true managed security services. But as TruMethods CEO Gary Pica will tell you: Success in any managed services market requires you to solve a math problem. And frankly, the financial math is particularly challenging for MSPs that want to build dedicated security operations centers (SOCs).

Let’s say, for instance, you want to be the only MSP in your neighborhood with a full-blown SOC. You want it staffed 24×7 to monitor and remediate cybersecurity issues before they have a chance to run wild. It’s a heck of a vision — until you start crunching the numbers.

Let’s start with staffing your SOC for a single day.

  • You’ll have three shifts of employees, and each shift will work eight ours.
  • You’ll have three analysts on the first shift (say, the prime support hours).
  • Plus two analysts on the second shift and two analysts on the third shift.

Security Operations Center: Basic Year-Round Staff Costs

So far, that’s seven analysts for your SOC during a 24-hour window. But here’s where the math gets painful.

  • Those seven analysts are working 8 hours each, and that equals 56 hrs. of daily labor.
  • But a full year of coverage (365 days x 56 hrs) = 20,440 hours (let’s round to 20,000 for the sake of simplicity)
  • The typical person works 2,000 hours annually
  • The bottom Line? You’ll need at least 10 analysts to run a 20,000 hour SOC on an annual basis.

The source for all that information, by the way, is Rafeeq Rehman, a consultant, author and researcher in the cybersecurity market.

Let’s not forget: You’ll also need somebody to lead the SOC team. A chief information security officer (CISO), perhaps? Sounds awesome — especially if you’re seeking MSSP credibility with customers. But be careful of the titles you throw around. The typical CISO makes at least $200,000 in many of the major U.S. metropolitan markets, with some areas averaging up to $240,000, according to SilverBull.

Solving the Cybersecurity Talent Shortage

Even if you can afford to recruit, hire and train all that talent — can you really find that talent? After all, the cybersecurity talent shortage will grow to 3.5 million professionals in 2021, according to Cybersecurity Ventures. And by the way, we haven’t even mention the cost for all the cybersecurity technology your home-grown SOC will require.

With all those variables in mind, I suspect most traditional MSPs will embark on a multi-partner MSSP and/or SOC strategy. Most MSPs will:

  • Offer basic managed security services such as patch management and next-generation anti-virus services.
  • Those MSPs will seek out full-blown MSSPs as partners that sprung from the traditional IT services market. Here, names like Carvir (acquired by Continuum in 2018) and Infogressive come to mind.
  • Some of the MSPs will seek out vertical vertical market partners. MSSPs like N-Dimension Solutions, for instance, safeguard the U.S. electric grid.
  • In their quest to find third-party SOCs, those MSPs will reach out to IT distributors and NOC providers that have extended into the SOC sector.

The MSSP, Security Operations Center Inflection Point

Today’s MSSP market reminds me of the cloud services market around 2010. At the time, many VARs and MSPs weighed a build-vs.-partner strategy for public cloud services. Some of those companies wasted hundreds of thousands of dollars — perhaps millions — building out private cloud infrastructure. The wiser option, in most cases, involved embracing public cloud services. After all, you can’t fight Moore’s law — increasing performance, falling prices — in the cloud age.

History is set to repeat itself in the cybersecurity market. Quite a few MSPs will waste time and money trying to build everything on their own. Instead there’s a wiser path forward: Partner first, learn from those mistakes, then decide just how much you want to invest in this market.






Return Home



    Joe Morin:


    Great article highlighting some of the initial hurdles in building a true SOC. These are only the initial hurdles based on my in-the-life experience. How to consistently handle constant security alarms and confirmed incidents is where the rubber hits the road for most as it stands today. The real problem that clients want answers to is how does the MSSP close the gaps in the moment. A SOC with a bunch of tech and smart people are really the core requirements but the integrity of incidents raised and response value comes from ridiculous process building and realization of SOAR platforms.

    MSSP’s cannot continue to SEE something and SAY something. MSSP’s must SEE something and DO something to truly absorb the burden on the client.

    Just like it does not make sense for most to build a datacenter because they can easily and efficiently turn on AWS/Azure/GCP they should not build their own SOC. Build a SOC if you have true expertise to differentiate. Do not build a SOC as a me-too offering. It is already built, more effective, more efficient and more profitable.


    Always learn from MSSP Alert!
    Tell me this, what are we calling companies like Continuum and infogressive? Should we create a new classification, that better describes their play in the market? I have come across many more that serve as a service back office for MSPs.

    Joe Panettieri:

    Barbara: Thanks for the note. I gotta confess: We posted this blog entry roughly two years ago, but resurfaced it this week amid continued chatter about the topic. To answer your question, I generally consider Infogressive and Continuum to be master MSSPs — companies that host their own managed security services, SOCs and Talent, but then extend those services out to MSPs.


    Chris DesRosiers:

    Joe, the cost of staffing as you’ve outlined I think is spot on. I might also recommend any MSP that considering a full blown a dedicated security operation center will also be severely handicapped by the acquisition cost of the (ever evolving) technology as well as ongoing maintenance contracts with vendors to support those technologies. There’s also much to be said about separating and creating networking air gaps between the network operation center and the security operation center. They should not be one in the same. Incident response can be extremely expensive and will also burn cash. Partnering is best there in my opinion. The solutions should be priced right and to do so requires somebody with skill and expertise or to build an MSSP practice and formulate the grand plan. It’s an ambitious project to be sure.

    Joe Panettieri:

    Hi Chris: Thanks for your readership. We’ll reveal more details on September 19, when we unveil our Top 100 MSSPs report for 2019. We’ve got some interesting stats about the percent of MSSPs building their own SOCs, percent outsourcing the capability, etc. Stay tuned.

Leave a Reply

Your email address will not be published.