
Building a Successful Security Operations Center (SOC) Part Two – Estimating SOC Budget


Budget estimates are a major part of a SOC business case. A typical budget consists of capital cost, payroll expenses, and annual recurring costs. The budget estimates also help in deciding whether to build an internal SOC or to use SOC as a Service. Following is a summary of the three major cost components.

  • Capital Cost – This consists of the initial expense of building the SOC and includes everything from furniture to hardware, software and external consulting fees.
  • Annual Payroll Cost – This includes salary and benefits for the people running the SOC. Depending upon location and the size and scope of the SOC, this can vary significantly. However, it is a major part of the annual cost.
  • Annual Recurring Costs – These costs include annual licensing fees, equipment depreciation, skills training, threat intelligence feeds, and general IT cost.

While estimating these costs, think about the major cost buckets and get cost estimates from multiple vendors. For example, you may want to request quotes from multiple SIEM vendors by providing them high-level requirements. Similarly, you can estimate the number of IP addresses to be covered by subscriptions for network vulnerability scanning and application vulnerability assessment.

Estimating Number of People

The estimated number of people may vary significantly depending upon whether you want to run a 24x7x365 SOC or something less than that. Following is one way of estimating the number of people for a 24x7x365 SOC.

Consider three shifts of 8 hours each, with 3 analysts in the first shift and 2 analysts in each of the other two shifts. This makes 7 analysts per day at 8 hours each, a total of 56 hours every day. For the whole year (365 days), this requires 20,440 hours. Let us round it to 20,000. Typically, one person works at most 2000 hours a year. This means you need 10 analysts to run the SOC. You can divide these analysts into Tier 1, Tier 2 and Tier 3. In my example, I estimate 5 Tier 1 analysts, 3 Tier 2 analysts and 2 Tier 3 analysts.

In addition to analysts, you will also need specialists like forensics and malware experts and a SOC manager.

If the SOC is not 24×7, your estimates will change accordingly. Based upon the number of shifts, you have to create a schedule for these analysts and plan for vacation, training, and other situations. Typically, the SOC manager performs these duties.
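The staffing arithmetic above, written out as a small Python calculator. This is an added example, not code from the original post or its Excel calculator; it reproduces the post's 24x7x365 pattern (20,440 hours rounded to 20,000, 10 analysts split 5/3/2) and also handles a business-hours-only pattern. The 260 business days per year, the tier ratio and the loaded cost figures are assumptions.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Shift:
    name: str
    hours: float        # length of one shift in hours
    analysts: int       # analysts on duty during that shift
    days_per_year: int  # 365 for round-the-clock, about 260 for business days only (assumed)

# The post's 24x7x365 pattern: 3 analysts on the first shift, 2 on each of the other two.
SOC_24X7 = (
    Shift("day", 8, 3, 365),
    Shift("evening", 8, 2, 365),
    Shift("night", 8, 2, 365),
)

def annual_coverage_hours(shifts):
    """Analyst-hours needed per year to keep every shift staffed (56 h/day * 365 = 20,440)."""
    return sum(s.hours * s.analysts * s.days_per_year for s in shifts)

def analysts_required(shifts, hours_per_analyst=2000, round_to=None):
    """Headcount for the coverage hours. round_to=1000 reproduces the post's 20,440 -> 20,000 step;
    without it the fractional result is rounded up, since 10.22 people cannot be scheduled as 10."""
    hours = annual_coverage_hours(shifts)
    if round_to:
        hours = round(hours / round_to) * round_to
    return math.ceil(hours / hours_per_analyst)

def split_by_tier(total, weights=(5, 3, 2)):
    """Split a headcount across Tier 1/2/3 in the given ratio (largest remainder, so it sums to total)."""
    scale = total / sum(weights)
    raw = [w * scale for w in weights]
    counts = [math.floor(r) for r in raw]
    shortfall = total - sum(counts)
    by_remainder = sorted(range(len(raw)), key=lambda i: raw[i] - counts[i], reverse=True)
    for i in by_remainder[:shortfall]:
        counts[i] += 1
    return counts

def annual_payroll(tier_counts, loaded_cost_per_tier):
    """Annual payroll from per-tier headcount and fully loaded cost (salary plus benefits; figures assumed)."""
    return sum(n * c for n, c in zip(tier_counts, loaded_cost_per_tier))

if __name__ == "__main__":
    n = analysts_required(SOC_24X7, round_to=1000)
    print(annual_coverage_hours(SOC_24X7), n, split_by_tier(n))  # 20440 10 [5, 3, 2]
    print(analysts_required(SOC_24X7))                           # 11 without the rounding step
    print(annual_payroll(split_by_tier(n), (80000, 100000, 120000)))  # 940000 (assumed costs)
    # Business-hours-only SOC: one 8-hour shift, 2 analysts, ~260 days a year (assumption)
    print(analysts_required((Shift("day", 8, 2, 260),)))         # 3
```

Note that without the rounding step the same coverage needs 11 analysts, so the rounding direction is a real staffing decision and not just tidier arithmetic.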

We will have separate blog posts about the roles and responsibilities of each person and about scheduling.

Estimating Technology Cost

As far as technology cost is concerned, you can explore options for Software as a Service (SaaS), purchasing perpetual licenses, or licenses with an annual cost. Vendors provide a number of options. As a rule of thumb, budget about 20% of the software cost as the annual maintenance fee, though vendors can give you exact numbers.

For the initial SOC implementation, you will need external professional services. Vendors with expertise in building and running SOCs can provide initial installation and tuning help to get the SOC up and running.

Build or Outsource?

For comparison, you should also consider the option of outsourcing the SOC. Many vendors provide “SOC as a Service” and bring their expertise to your benefit. Some vendors can co-manage the SOC with your team, reducing the overall cost. You should explore all options, as a SOC is a major undertaking and needs significant planning.

You can use the SOC Budget Calculator, an Excel file, to help you estimate the budget for the different components of a SOC.

This is the second part of the blog series. Click here to go to Part One, which provides an introduction to Building a Successful SOC.

About the Author

Rafeeq Rehman is the creator of “CISO Mind Map”, a blogger and consultant. He is helping many Fortune 500 global organizations achieve their business goals using latest innovations in technology. His areas of focus include Information Security, IoT, and Advanced Networking. He can be reached @rafeeq_rehman and on his personal blog site.