EDITOR'S QUESTION

Tips on building that security ops centre

Gartner's Siddharth Deshpande gives an overview of the pros and cons of setting up a security operations centre.

What are some of the best practices for administrators when they choose to build or transform their data, security, network operation centres?

A security operations centre can be defined both as a team, often operating in shifts around the clock, and a facility dedicated to and organised to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfil and assess regulatory compliance.

Building a security operations centre, or generally creating some form of internal security operations capabilities, is a costly and time-consuming effort that requires ongoing attention in order to be effective. Indeed, a great number of organisations, including some large organisations, choose not to have a security operations centre. Instead, they choose other security monitoring options, such as engaging a managed security service provider.

CISOs and technology leaders contemplating building their own security operations centre should be very cognizant of the cost and staffing implications involved in this approach. There are plenty of alternatives to building and staffing an in-house security operations centre, and companies should explore them in addition to the various types of security operations centre models.

The various types of security operations centre models are listed below.

Virtual security ops centre
There is no dedicated facility; it has part-time team members and is reactive, being activated only when a critical alert or incident occurs.

Dedicated security ops centre
This is a dedicated facility with a dedicated team and is fully in-house.

Distributed co-managed security ops centre
This has dedicated and semi-dedicated team members, with typically 5x8 operations, and when used with a managed security service provider, it is co-managed.

Command security ops centre
This typically coordinates with other security operations centres and provides threat intelligence, situational awareness and additional expertise, but it is rarely directly involved in day-to-day operations.

Multifunction security ops centre
This is a dedicated facility with a dedicated team performing not just security, but other critical 24x7 IT operations such as network operations, from the same facility to reduce costs.

Fusion security ops centre
This delivers traditional security operations centre functions as well as new ones, such as threat intelligence, computer incident response team and operational technology functions, integrated into one security operations centre facility.

In addition to these six models, where the customer's internal security teams are involved in varying degrees, there is another, fully outsourced model. In fully outsourced models, a service provider builds and operates the security operations centre with minimal or, at best, supervisory involvement from the customer organisation. Organisations are building internal security operations capabilities, even if in a limited sense, because they desire more control over their security monitoring and response process. They also want to have more informed conversations with regulators.

The strategic business impact of a security operations centre build project makes it a critical initiative for organisations. Organisations that decide to move ahead with an in-house security operations centre allocate both initial and ongoing funds in a structured manner, and expect the project to move with a sense of urgency once approved. When building an organisation's security operations centre, administrators should keep the following guidelines in mind:

Perform a realistic cost-benefit analysis of the various security operations models before committing to a completely in-sourced security operations centre.

Focus on aligning security operations centre deliverables with business objectives by developing tightly defined goals and metrics that the operations centre needs to deliver against.

Identify high-business-value and critical security functions and keep them in-house.

Consider use of managed security service provider services to offset the cost of 24/7 security operations centre operations and to fill coverage gaps.

Develop a security operations centre staff retention strategy from the outset.

Siddharth Deshpande is Principal Research Analyst at Gartner.