
Building a security operations center (SOC) on a budget

By Matthew Warner

December 19, 2022

A security operations center immediately incites images of a large, windowless room filled ceiling-to-floor with large flatscreen monitors. Security analysts sit dutifully at desks, taking in information from several screens at once, ready to pounce on even the slightest anomaly.

This vision of a security operations center, or SOC, is rooted in reality but only for a select few. The types of setups and capabilities showcased in these portrayals exist for large enterprises, such as Fortune 500 companies, major government agencies, or international finance organizations.

The reasoning is simple: Operating an entire SOC is a tremendous undertaking that requires significant investments in technology and personnel. It is often not practical, or even possible, for small and medium-sized businesses to strive for this type of environment. Instead, they should look to build a SOC that meets their needs at a price point that fits within their overall security expenditures.

They need to build a SOC on a budget.


What Exactly is a SOC?

A SOC is an organizational framework for security. It combines many components of a robust security environment, including the people, processes, and tools that detect, analyze, and respond to security threats. SOCs run 24 hours a day, seven days a week, with security analysts working through data from the environment to watch for emerging threats and respond as required.

Along with the SOC, organizations may also hear the terms SIEM (security information and event management) and EDR (endpoint detection and response). 

SIEM is a centralized logging tool. As its name suggests, it takes data from many places, including applications, systems, servers, antivirus trackers, and EDR, to notify team members of suspicious activity. 

EDR is a type of software that runs on endpoints to detect incoming threats. It provides real-time monitoring with an automated response that helps mitigate known issues.


Who Works in a SOC?

Along with the technology components, a SOC leverages several levels of cybersecurity analysts. They are broken up into tiers and manage different tasks based on their experience. 

Tier 1 (Triager): An entry-level position that works on the front lines of the SOC, typically triaging and prioritizing the hundreds of alerts that get sent. This person may also provide end-user support and endpoint installation. Since this role can be tedious, employees often do not stay in it for long due to stress and burnout.

Tier 2 (Security Investigator): A more experienced team member, this person provides deeper analysis and investigation into the sources of an attack. They may also be involved in mitigation strategies.

Tier 3 (Advanced Security Analyst): This person takes a high-level approach to SOC maintenance, identifying known vulnerabilities and reviewing past threat information. They often create detections and reports and look for trends. They also may help with incident response.

SOC Manager: Outside of the tier system, this person manages SOC operations and communications with technology leadership, such as the chief information security officer and chief technology officer.


What Are The Challenges Of Building a SOC?

SOCs rely on technology and people to operate. Information security is a universal business need, making the fight for talent tough. Organizations must commit to recruiting, hiring, and retaining professionals in a competitive industry that currently has more jobs than qualified employees.

Hiring outside staffing firms can help cut time from this process, but often the cost is prohibitive for small businesses. Even once they are hired, a Tier 1 analyst with just a few years of experience can command a significantly higher salary on the open market.

Along with hiring, there is also the challenge of technology. While different security solutions provide a range of essential roles, the excess technology in a SOC can become overwhelming. This results in a phenomenon known as “alert fatigue,” where team members become numb to the constant barrage of security threats.

This can lead to decreased performance and employee burnout. Too many false positive alerts can contribute to this as well. False alarms account for about 40% of all alerts and further encourage the bad habit of ignoring these warnings, especially during busy times.


The Costs of a SOC

The staffing component of a SOC eats up most of the cost. For a traditional SOC, organizations should expect to hire a minimum of five security analysts. Even if organizations employ junior team members to monitor the SOC, they should expect to budget a minimum of $500,000 for these analysts alone. Some organizations choose to hire experienced engineers and build automated alerting tools, but even that scenario requires paying a team member $150,000 annually or more.

Other costs include technology licenses, certification programs for analysts, and hardware. According to Ponemon, the average organization spends $2.86 million per year to run an in-house SOC.


Building on a Budget

A SOC is a strong option for large enterprises, but it is undoubtedly cost-prohibitive for small and medium-sized businesses. Those with smaller budgets should aim for the capabilities a SOC provides without the cost.

The ultimate goal of a SOC is to provide visibility into an environment and detect and respond to threats. Smaller organizations can achieve that with a solid monitoring strategy and a few key tools deployed in the correct areas. The best approach is to start slowly, collecting data logs from the most important sources in an environment.

Begin with systems that already deliver security logs, such as IPS/IDS and endpoint protection. This allows IT teams to become familiar with the software and configuration options while consolidating those applications into one log management system. From there, keep adding logs from high-fidelity sources such as Windows, DNS, honeypots, applications, and databases to gain more visibility into your infrastructure.

Centralized logging provides visibility into the environment, but analyzing log files from multiple sources by hand is time-consuming. A SIEM provides analytics, search, and reporting capabilities that add context around these events and alert on suspicious behavior. Find a SIEM that can consume the log data affordably: some SIEMs charge based on log ingestion volume, while others do not, so look for a product that fits your budget.

With a SIEM that manages alerts well, users can ensure they only receive actionable items. Accompany alerts with context or built-in workflows and playbooks that suggest next steps. With the right SIEM, you can respond immediately to critical threats and defer lower-severity ones until time allows.

Leveraging a SIEM along with log data can provide many of the same capabilities as a SOC without the high cost. While a full SOC is not possible for everyone, its core capabilities and a secure network are something everyone can afford with the right approach.
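As an added illustration of the approach described in this section (example code written for this page, not from the author or from Blumira): a minimal Python pipeline that normalizes constructed log lines from IDS, honeypot, Windows and DNS sources, applies per-source detections, escalates when independent sources agree on the same host, suppresses a lone low-fidelity IDS scan to limit alert fatigue, and attaches a playbook next step to each alert. The log format, rule names and playbook text are assumptions, not any product's real schema.

```python
import re
from collections import defaultdict

SAMPLE_LOGS = [  # constructed sample events (not real data) from the sources the article names
    "ids|2022-12-19T10:00:01|scan|src=10.0.0.5 dst=10.0.0.20",
    "honeypot|2022-12-19T10:00:05|connect|src=10.0.0.5 port=445",
    "windows|2022-12-19T10:00:09|4625|host=FS01 src=10.0.0.5 user=admin",
    "windows|2022-12-19T10:00:10|4625|host=FS01 src=10.0.0.5 user=admin",
    "windows|2022-12-19T10:00:11|4625|host=FS01 src=10.0.0.5 user=admin",
    "dns|2022-12-19T10:00:30|query|src=10.0.0.7 qname=updates.example.com",
    "ids|2022-12-19T10:02:00|scan|src=10.0.0.9 dst=10.0.0.21",
]
RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
PLAYBOOKS = {  # next step shipped with each alert so the analyst is not left guessing
    "honeypot_touch": "Nothing legitimate talks to the honeypot: isolate the source host.",
    "brute_force": "Check the account lockout state and whether the source is an admin box.",
    "ids_scan": "Low fidelity alone; review only when it correlates with another source.",
}

def parse(line):
    """Normalize one 'source|time|event|k=v ...' line into a flat dict."""
    source, ts, event, rest = line.split("|", 3)
    return {"source": source, "ts": ts, "event": event, **dict(re.findall(r"(\w+)=(\S+)", rest))}

def detect(events):
    """Per-source rules. Each hit is (rule, severity, src); Windows 4625 needs 3 failures."""
    hits, failed = [], defaultdict(int)
    for e in events:
        if e["source"] == "honeypot":
            hits.append(("honeypot_touch", "high", e["src"]))
        elif e["source"] == "ids" and e["event"] == "scan":
            hits.append(("ids_scan", "low", e["src"]))
        elif e["source"] == "windows" and e["event"] == "4625":
            failed[e["src"]] += 1
            if failed[e["src"]] == 3:
                hits.append(("brute_force", "medium", e["src"]))
    return hits

def triage(lines):
    """Group hits by source IP, escalate multi-source evidence, drop lone low-severity noise."""
    by_src = defaultdict(list)
    for rule, sev, src in detect(parse(l) for l in lines):
        by_src[src].append((rule, sev))
    alerts = []
    for src, hits in by_src.items():
        rule, sev = max(hits, key=lambda h: RANK[h[1]])
        if len({r for r, _ in hits}) > 1:  # independent sources agree on one host: escalate
            sev = "critical"
        if sev != "low":  # a lone IDS scan is suppressed rather than added to the noise
            alerts.append({"src": src, "severity": sev, "next_step": PLAYBOOKS[rule],
                           "evidence": sorted(r for r, _ in hits)})
    return sorted(alerts, key=lambda a: -RANK[a["severity"]])
```

Running `triage(SAMPLE_LOGS)` yields a single critical alert for 10.0.0.5 backed by three sources, while the benign DNS query and the lone scan from 10.0.0.9 never reach the analyst.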



This article originally ran in Security, a twice-monthly security-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.

Keywords: cyber security, risk management, security framework, security operations, Security Operations Center (SOC)


Matthew Warner is CTO and Co-Founder of Blumira, a cybersecurity provider of automated threat detection and response technology. At Blumira, he leads the security and engineering efforts to provide actionable insights into cybersecurity risks at scale. Warner has over 10 years of experience in IT and development, focusing on business strategy, development, compliance, threat detection and penetration testing. Previously, he was Director of Security Services, Development & Security at NetWorks Group, responsible for defensive information security and services.
