Pros and cons of internal and external Security Operations Centre (SOC)

If you are reading this blog, you are not just seeking solace, but have realised that it is time to make a decision as to whether you should invest in an internal or external Security Operations Centre (SOC).

Breaches only happen to other people and other larger organisations! Right? No! Cyber attacks do not concern themselves with the size, scale, type, location or vulnerability of the host they seek to penetrate, they just seek a host and once exploited, wreak the damage they have evolved or been designed to cause.

Equally, you should not be concerned with what, where, when, how or who the Cyber attacker is, just know that sooner or later, it will find an exploitable window of opportunity, and unless the appropriate measures are put in place, an attack is inevitable.

The question, is not “should I invest?”, the question is “how do I invest appropriately, to get the most revenue for my MSP business, whilst providing my clients with the highest level of security?”

Today, IT threats are increasingly sophisticated with disastrous consequences for companies – for their finances, brand and reputation. Countering these threats requires the use of proven processes, effective security solutions and high-level skills. The whole system must be available and operational at all times 24/7. This is the promise of the Security Operations Centre (SOC).

But first, the company must make a strategic choice: set up an internal SOC or use a third-party via an outsourced SOC. In this blog, we discuss the pros and cons involved for both an internal and external SOC.



  • You can recruit from within, creating a new career path for 3rd line engineers that have reached their technical capabilities within your service desk team.
  • A dedicated internal team with a strong reactivity has the advantage of knowing your client’s systems and challenges. This often allows a high level of reactivity in solving security problems.
  • Event logs and all elements for tracking alarms and incidents are stored internally. This reduces the potential risk of external data transfer.
  • Communication in the event of an attack is often faster because it uses the company’s own means of communication.
  • The solutions implemented are highly customised to the company’s needs.



  • Recruitment of skills and training: a SOC requires experts in a variety of areas, some of which demand qualifications to perform security best practices. Today, the recruitment of SOC analysts and cybersecurity experts is a real challenge and can take some time. You also need to take into consideration maintaining and developing the skills of these experts on new technologies and processes as they require time and a significant budget.
  • The scope of business expertise: managing the unknown is the most complicated paradox in terms of risk management. It may be more difficult internally to discover threats that will be more obvious to a company that specialises in identifying malicious behaviour. An internal SOC will need to monitor your client’s systems 24/7 in order to manage new threats quickly and effectively.
  • The documentation of internal processes is often forgotten. Knowledge is often based on a limited number of experts, thus becoming essential. The result, not surprisingly, is a risk factor for loss of information in the event of an employee departing.



  • Choosing an external SOC brings transparency and simplifies the costs as they are agreed prior to sale. Many SOC’s provide a fixed cost per user, allowing you to easily calculate your revenue.
  • Having an external SOC allows top management to be reassured. The technical elements are outlined clearly to improve management’s understanding of the issues and to demonstrate a return on investment.
  • The external SOC also limits potential conflicts of interest between internal departments within the organisation with sound advice and reports.
  • In this model, competent and operational people are made available immediately – without having to wait for lengthy recruitment processes. It is also a way to benefit from the experience of analysts who have monitored other environments and who follow proven processes.
  • Service Level Agreement (SLA) ensure the entire service is defined and precise, sparing the company from unpleasant surprises, especially during attacks.
  • The monitoring of threats and incidents is very difficult to do alone. A SOC operator is well placed to consolidate many sources of information, both external and internal, to achieve this.
  • Finally, an external SOC is much cheaper because most equipment, solutions and experts are shared. There also isn’t any operating expenses (OPEX) and not an infrastructure expense, so it is easier to include in your budget.


  • External experts: although experienced, dedicated people cannot know the organisation’s infrastructure as well as you do. In this context, the partner must take the time to fully understand the organisation’s business issues and implement procedures involving internal and external people.
  • Outsourcing data, having items outside the company can mean risks if security measures have not been implemented.
  • Accepting the handling of security by third parties is not necessarily natural and requires change management. MSP’s need to work with external partners as though they are an extension of your own business.

If you would like more information on Inbay’s white-label, fully managed Security Operations Centre (SOC) service please get in touch today on +44 (0) 20 3435 6435 or [email protected].

Comments are closed.