8 Tips for a Successful Hybrid SOC

When it comes to setting up a security operations center (SOC), be it in-house, completely outsourced or a hybrid of the two, they should revolve around the three core pillars of people, process and technology. SOC is the nerve center that provides visibility to help an organization understand its risk and security posture. Setting up a 24×7 SOC is one element, but getting the right information is another. Without proper planning and applying the right strategy with a focus and making smart decisions, success is not easy; hence, achieving maturity is not easy.

In this blog, we’ll highlight the key challenges an organization can face after setting up a hybrid SOC. Each organization’s priority, thinking process and planning and execution are different, but achieving success and heading toward maturity are all common goals. We’ll focus on core areas that need to be considered after implementing a SOC to run SOC operation not just from a compliance perspective but also as an enabler of the business.

Here is an eight-step approach to creating and managing an effective security operations center.

Sustainable Governance

A successful SOC is a strong foundation for operational excellence driven by strong governance. Key people from the client and the service provider must meet regularly and be involved in a consistent way. There must be regular monthly/quarterly meetings to understand if the operation is running as efficient as its documented in the statement of work (SoW).

Shared Technology Model

Cybersecurity is dynamic and businesses are under immense pressure to adopt new security technologies, which can put pressure on an SOC analyst. In addition to managing their current technology, they must learn the new technologies quickly.

Because of the changing nature of security technology and the time and effort necessary to incorporate new solutions into the SOC, conflict can arise, especially in a hybrid SOC. Is this solely a responsibility of the client or can a shared responsibility model can play a better role here? Has it been documented in the SoW who will pay for the training? Security training is a costly proposition. Articulating clearly in the SoW is required to avoid any issues regarding who will bear the cost and also the mode of training, which could be video conferencing on onsite.

Regular Site Visits

The primary purpose of the visit is to build trust and assure the remote team has all the necessary support from the client. It should not be simply signing the contract; there must be equal due diligence performed by both client and the service provider wherein key designated folks visit each other’s site at least twice a year. It also enables each side to see whether the working environment is conducive or not. Face-to-face meetings help develop trust and transparency most effectively. Or a remote SOC analyst to work from client’s premises for a week or two to get first-hand experience working closely with the in-house CIRT team.

Culture of Appreciation

Appreciating SOC analysts for their achievements/accomplishments must be handled appropriately both from the service provider and the client. Being in security from an analyst’s stance is a tough business and without appreciation, no one can feel valued. Satisfaction and productivity increase when someone is appreciated for their work.


To improve the SOC, consistent feedback is must-have from both sides. Without feedback, there is no growth. And if there is no growth, it defeats the whole purpose.


If the security analysts stay at the job for only about a year, then something is not right. Why are they leaving their jobs so quickly?? Are they not getting enough training? Are they dealing with alert fatigue? Are they not feeling appreciated? Are they finding difficult to maintain work-life balance? Whatever the reason, it must be identified and remedied it as soon as possible.

Business Continuity

The main goal of business continuity is to deal with disruption; in an SOC, that means ensuring no interruption to the SOC operation. Is there a plan to move the SOC to a different location if necessary? How does the SOC deal with a natural calamity? Scenarios such as these must be well-thought-out and documented. It’s better to have few resources working from the client location to run the show. Working on these thoughts will help dealt with the crisis in a better way.


Imagine a situation where a breach happens at client end and remote SOC analysts spread the news to the entire floor. Can this situation be avoided? Privacy must be protected at all times and such kind of situation must be fully documented in an agreement and well-understood by both parties.

Featured eBook
SANS 2019 Threat Hunting Survey: The Differing Needs of New and Experienced Hunters

SANS 2019 Threat Hunting Survey: The Differing Needs of New and Experienced Hunters

SANS threat hunting experts Mathias Fuchs and Joshua Lemon capture the different needs within organizations that are just starting their threat hunting journey, versus those who are honing their skills and programs. Read the report to help grow your program and improve threat hunting with: Definitions of threat hunting Methodologies of performing threat hunting Spending ... Read More
Vinay Bhatia

Vinay Bhatia

Vinay Bhatia is a security practitioner with 10+ years of experience in the security domain and still learning. He is pursuing his CISSP and is a very passionate person, which is a must-have to sustain in this field.

vinay-bhatia has 2 posts and counting.See all posts by vinay-bhatia