The CISO’s Dilemma: Driving SOC Maturity – People, Services or Technology?

By David Stoicescu

Estimated Reading Time: 6 minutes

SecOps efforts must evolve and adapt or they will eventually fail. New vulnerabilities are discovered every day, and threat actors are highly motivated to adapt themselves. So when should security leaders improve their technology stack, when should they hire additional analysts and engineers, and when should they augment their existing team’s capabilities with managed services? And, in what order? These are critical questions for any CISO at organizations facing an array of security threats and resource challenges. 

The natural inclination for CISOs is to believe in their team’s ability and potential, and thus look to tools and technology to help them improve visibility or respond more quickly and effectively. Security leaders must naturally grow portions of their tech stack to keep up with growing threats and an expanding attack surface. But what happens when new detection tools don’t live up to expectations, or the analyst that’s been trained hours to utilize them suddenly leaves the company?

The point is every security leader’s success relies on the balance between building capabilities in-house through hiring or technology upgrades, and partnering with a trusted service provider to fill the gaps or augment with specialized expertise. It’s also about balancing the day-to-day fire fighting while improving security maturity over time. To help teams on their SecOps maturity journey, here are some considerations for determining whether to hire, invest or outsource improvements to your detection and response capabilities.

When to Add Headcount

Adding new team members makes sense when you are prepared to make the investments of money and time. In the current economic climate, that means providing justification for salary and benefits, for training and onramp hours, and the tools to make them successful. If that new team member extends coverage through the weekend where there was none, they could be a great decision for improving on-site capabilities. 

As part of long term team building, adding team members has benefits. Unfortunately, CISOs must then find the right talent, with the right skill set. While startups and mid-sized companies may reduce staff in other areas, hiring for engineers is robust and competitive. New regulations and executive orders are driving security talent to finance and government-serving organizations. Once CISOs do find the right talent, retention can be a challenge in this climate.

And let’s face it, CISOs might find a growing team attractive if budgets allow. SecOps maturity can grow, a new member can respond to threats, and the security program can stay entirely in-house. Do this when building a new team or expanding, but only when you have the time to invest in their development. This might not have an immediate impact on response capabilities.

When to Add Technology or Tools

Technology undoubtedly plays an important role in modernizing and maturing the SOC. There is a natural upgrade progression to keep up with growing threats and an expanding attack surface. But before you dive deep into exploring the latest shiny tools, ask yourself if you’re getting the full value out of the technology you have. If you do have technology gaps that you need to fill with new tools, how do you decide which sets to prioritize for your maturity journey? What’s your integration plan? And is this going to cause more work and overhead than it does actual security value?

For example, most organizations want the outcomes that XDR can provide for their security programs. XDR, or extended detection and response, is a great progression for going beyond the endpoint and achieving real-time response and increased automation. However, the technology adoption is dependent on the people and processes needed to implement and support it. While the interest in XDR is pervasive, a lot of security teams, especially smaller ones, haven’t invested in XDR solutions because they don’t have the expertise or staff to manage it

Furthermore, what happens when new tools don’t live up to expectations, or the resident expert  that’s been trained hours to utilize them suddenly leaves the company? If you’ve lost team members or can’t afford headcount, consider the possibilities and limitations of adding new technology to your security stack. Due to employee turnover, a lot of time and money is often invested only to create gaping holes in coverage when team members leave.

Growing the technology capabilities should be aligned with a strategic SecOps maturity playbook that considers your overall environment in comparison with industry benchmarks and where you want to be, so you can prioritize the right investments and coordinate the right resources to get the full value of them.

When to Add Managed Services

If you are struggling with detection and response, it may well be time to look at partnering with a managed detection and response service provider (MDR).  MDR providers provide more than just the tools; they should offer deeper expertise than your in-house team and be more available (including on nights and weekends.) When throwing people and technology at the challenge of detection and response isn’t fast enough, or affordable now, or technically feasible, more CISOs than ever are turning to a hybrid approach that includes managed services. Organizations that don’t have the depth of skill needed to address cybersecurity challenges often leverage MDR.

If you already have a Managed Security Service Provider (MSSP), you may have outgrown them. MSSPs often support different parts of a security program, but detecting and responding to advanced threats is not where they specialize. As SecOps teams mature, the tools or relationships that helped initially craft their security program may not be sufficient to achieve a more advanced security posture.   

MDR services can dramatically increase security coverage of assets; reduce technology spend and subscriptions; provide flexible capacity and scalability; and allow your team to focus on strategy and core business initiatives. MDR is also a path for getting the support of world-class security experts and modern SOC technologies without the internal overhead.

Make the Right Choices

Given the responsibility placed on CISOs to protect the organization, these decisions are critical. Whether you’re building a new security program, or managing a team of 5 to 10 or more full time employees, you’ll have to make some hard decisions on how to approach your security program, especially in light of an uncertain economy and escalating threats. 

Let us show you why Deepwatch and the Deepwatch SecOps Platform are the best choice to help you strengthen your ability to detect, respond, and remediate security incidents. Let us help you grow your SecOps program maturity, helping you implement the best next steps that can include MDR, EDR, active response, vulnerability management and threat intelligence. Choose Deepwatch to help you realize the value from existing security investments, and allow your in-house security team to focus on strategy and business initiatives. 

To learn more about advancing your SOC with MDR services: For insights into advancing SOC capabilities, read The State of the Modern SOC Report:


LinkedIn Twitter YouTube

Subscribe to the Deepwatch Insights Blog