Understanding Ponemon Report: How much does SOC cost?

In January 2020, Ponemon released a research report entitled “The Economics of SOC: How Much Will It Take to Get Results”. Surveys have shown that SOCs are expensive and average, but significant .

Based on 637 valid questionnaires [the geographical area is not mentioned in the article, the author estimates that the respondents are mainly in North America. In addition, according to the analysis that the number of respondents’ units is at least 1,000, the average annual expenditure for self-built SOC is 2.86 million US dollars. Surprisingly, the average annual expenditure for the commissioned SOC (purchasing MSSP services) reached $ 4.44 million, which is significantly higher than the self-built SOC, which is completely inconsistent with people’s expectations for MSSP. Only 17% of respondents said their MSSP was “efficient.” In addition, 51% of the respondents were satisfied with the effectiveness of their SOC detection attacks. And 44% said that the return on investment of their SOC was deteriorating.

Although the return on investment of SOC is flat, most respondents still regard SOC as a key element of their cyber security strategy , especially in reducing false positives and reporting security intelligence. To achieve results, SOC relies heavily on professional analysts to block, detect, analyze, and respond to security incidents, and these professional analysts have high costs. In order to reduce personnel expenses, many units turned to MSSP, but found that it cost more, and fell into a vicious circle.

The report analyzes in detail from five aspects:

1) Current SOC status

31% of respondents said that SOC is essential and 42% said that SOC is very important. The most important uses of SOC are to reduce false positives (84%), report threats (83%), monitoring and analysis alerts (77%), intrusion detection (77%), use of automation and ML (74 %),Wait.


The devices that the SOC monitors and manages most are FW / IPS, UTM, IDS, missing scan, anti-D, malicious code protection, other probes, and so on.


2) People are the key to the problem

The report shows that people (analysts) are the key to the success of the SOC and the bulk of SOC spending . 67% of respondents said that training SOC analysts is very important. At the same time, the employment cost of SOC operation and maintenance / analysis engineers is very high. The SOC of the interviewed organizations (basically large units) has an average of 12 IT security experts. The main salary (45%) is between $ 75,000 and $ 100,000. Level two and level three are conceivable. At the same time, 45% of the respondents said that salary is expected to increase by an average of 29% in 2020.


SOC requires many people and is expensive, but it is also difficult to recruit, educate and retain people . The survey shows that it takes an average of 3.5 months to recruit an analyst and 3.8 months to train him / her, but the average time an analyst spends in a unit is only 27.2 months. In addition, personnel mobility is also high.

From an analyst’s point of view, it’s also hard work . 70% of respondents agree that SOC analysts are quickly exhausted due to the high pressure environment and workload, which is also one of the key reasons for staff turnover.

Further research into the pain points of analysts is mainly due to increased workload (75%), standby on 24/7/365 (69%), lack of visibility into IT and network infrastructure (68%), and too many alerts (65%) And information overload (65%). As shown below:


3) Key factors affecting SOC cost

As mentioned earlier, the average annual cost of a self-built SOC is $ 2.86 million, of which $ 1.46 million is direct labor costs.

In addition, the logical location of the monitored target, the industry in which it is located, the complexity of the SOC itself, the effectiveness of the detection attack and the number of employees in the unit will affect the cost of the SOC.

In simple terms, the SOC cost of monitoring for local data centers is higher than that of mobile and cloud environments, while the SOC cost of monitoring for cloud / local hybrids is the lowest; the SOC cost of the financial industry is relatively high; the more complex the SOC, the more cost The higher the SOC effect is, the higher the unit cost is ; the more the unit is, the more the cost will increase.


4) The problem of commissioning SOC

As mentioned earlier, the method of commissioning the MSSP to build an SOC is actually not cost effective. Therefore, 40% of the respondents intend to switch back to the self-built model. 23% plan to change suppliers.

5) Characteristics of high performance SOC

Ponemon classified 134 of the 637 questionnaires as high-performance SOC units and considered them very effective. Then he compared this group of high-performance SOC units with the overall SOC situation and found some interesting information.

First of all, high-performance SOC units believe that SOC is more important to the overall security strategy; SOC complexity of high-performance SOC units is slightly lower than the overall average, the team is more pressure-bearing, the analysts are more stable, and they are better for future development. Expectations are also higher.

[My opinion]

Through this report, although the analysis target is North America, we can make some analogies to our country. Not to mention the superiority and inferiority of the self-construction commission, for large units, the annual input cost of building a SOC is certainly in the millions (RMB) level. However, the proportion of SOC construction costs in the overall safety investment is definitely still at the bottom. Moreover, it can be said with certainty that the cost of SOC construction hardware and software systems is very high, and the cost of operation and maintenance personnel and analysts is very low, or even ignored. This is a major difference at home and abroad. I mentioned it many years ago. [See, for example, the Information Security Investment Structure “,” Security management platform is not equal to SOC! ”And other articles published by the author on 51CTO earlier] Ponemon’s report at least pointed out that the construction of SOC [in fact, it should be more accurate to run SOC] human investment is large (146 divided by 286 greater than 50%). In addition to paying attention to selecting the appropriate SOC platform and tools, you also need to spend a lot of energy on those who use SOC: how to establish a staff team system, how to select people, how to educate people, how to use people, how to motivate people, how to retain people. The theme of RSAC2020 is “human element”. This report was published before RSAC2020, but it confirms this slogan. If this is not the case in our country, it will definitely be like this in the future, sooner or later.

In fact, the career of SOC operation and maintenance engineer / analyst has already improved, and it is relatively tight. It is believed that the future demand will expand sharply, and the gap will be large in the medium term. At the same time, given the shortage of manpower, the tools given to engineers / analysts are also extremely urgent, which will help them better allocate their work focus and focus on the release of core capabilities.

Finally, we still have to admire the level of old American research. Due to various conditions, the author’s analysis is mostly qualitative, and they always issue some quantitative analysis reports (regardless of the quality), it seems to people who have C Level feel different. Investigations, statistics, … are still too few in the field of domestic cyber security.


Ponemon : Improve the effectiveness of SOC

Ponemon research report reveals value proposition of security automation and AI and relationships with people

Information security investment structure

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.