Cyber Defence Center – Why "make" is not always a better solution than "buy"

Author
Reinhold Zurfluh
Published
13. December 2018

In recent weeks and months, we have written a lot about cyber defence. Over the course of time, you will have realised that rapid detection and even faster reaction to cyber attacks in a Cyber Defence Center are crucial to boosting your cyber resilience. In this article, we would like to show you what you have to bear in mind when you set up a Cyber Defence Center - and why outsourcing this elementary part of cyber security is a sensible, economical alternative.

Cyber Security Center – the mega-trend in cyber security

According to Gartner Research, cyber attack detection and response is a top priority, and this trend will continue for several years to come. This is unsurprising, as managing the risk associated with these events and focusing on minimising the impact makes economic sense, and it is the only way to optimise your cyber resilience in the long term- as we have already shown in a previous article.

So it is also unsurprising that many companies are considering setting up a Security Operations Center (or SOC for short). Sooner or later, a SOC is essential for improving detection and response capabilities. Along with companies, we are convinced that it is only possible to master the current and future challenges in cyber security with a Cyber Defence Center!

A SOC, or as we call it a Cyber Defence Center, is key to fending off increasingly complex and sophisticated cyber attacks. But first, companies face fundamental questions, like how do I build a SOC? What does it cost? Do I have the necessary know-how or the right specialists? These are just a few of the many burning questions, but building your own Cyber Defence Center is not the only way to improve detection and response to cyber attacks, and not always the best way either - and certainly not the cheapest.

The critical factors in the success of a Cyber Defence Center

But one thing at a time. What do you even need from a Cyber Defence Center? A Cyber Defence Center is usually made up of a team of experienced security analysts who are tasked with identifying security attacks, analysing them, devising counter-measures and ultimately providing mitigation support. But this is only half of it. In addition to well-trained experts, tools and the appropriate processes are also required.

Cyber defence needs experienced experts

Of course, the security analysts make up the heart of the Cyber Defence Center. Despite all technical advances being made in the field of artificial intelligence, there is still no substitute for human skills, and that’s not about to change in the near future.

To do this, they have to analyse the anomalies that have been detected. False positives are discarded, standard cases are processed according to a predefined process, and the more difficult or complex security incidents are forwarded to senior analysts or forensic experts. The results of the analysis have to be used to determine the corresponding counter-measures taken (incident response), which are implemented by the cyber defence team itself, or in cooperation with experts from other security areas. As well as this, proactive activities such as threat hunting and threat intelligence are also part of the analysts' field of activity. The requirement profile for the employees of a Cyber Defence Center is very high - and experienced security analysts are not just as plentiful as ''pebbles on the beach'''. They are in great demand because many companies are in the process of expanding their cyber defence capabilities. This brings us to the first major stumbling block for having your own SOC - the shortage of skilled staff!

Cyber defence needs the right tools

However, cyber defence cannot be implemented by just having the best experts. To enable them to accomplish their tasks successfully, they must be in a position to quickly identify and assess the threat situation, and this requires the right information at the right time and the right tools. Therefore, defence requires technological support in the form of a central security intelligence platform and corresponding agents on the end devices. It automatically collects all information from the infrastructure components, compares them with external threat feeds and examines them for attacks in real time. This system is enhanced by breach detection systems that search and evaluate data traffic using data science, machine learning and behavioural analysis. If an attack is detected - or if an attacker is already inside the internal network - a company must be able to react quickly at any time, for example by starting an analysis on every end device. This is the only way to search the entire infrastructure for «indicators of compromise" (IOC) such as process hashes, file hashes, directory paths or involved external IP addresses. It is important to note that all tools must be adapted to suit the specific needs of the company. Otherwise, the tools will only be of minimal benefit - which brings us to the second critical success factor.

Cyber defence needs established processes

If you have concentrated the right employees in the Cyber Defence Center and have the right tools in place, what might still be missing? That’s right, the link between the security analysts and the tools, that is, functioning interfaces and established processes. Integrating the Cyber Defence Center into the company's process landscape, such as risk management, is essential. Of course, this also includes mapping the infrastructure and assets in the tools of the Cyber Defence Center. Because at the end of the day, Cyber Security is all about protecting these "crown jewels"! But of course, established processes also play an important role in the Cyber Defence Center. In order to be able to scale more effectively, analysts usually work in different "levels" or "tiers". Junior analysts deal with standard cases and escalate more complex attack patterns to senior analysts or to dedicated experts in threat analysis and forensics. This is why predefined playbooks have an important role to play in ensuring efficient processing and consistent quality.

Our advice: the playbooks must be second nature to the analysts, part of their DNA because, in the event of a security incident, the most important thing is to be quick. If when it happens, the processes do not work, valuable time is lost. You lose the advantage you have gained in having a great team and the right tools in the Cyber Defence Center.

Make or Buy – the decisive question in cyber defence

A Cyber Defence Center makes a critical contribution to cyber security. Based on the critical success factors that have been presented, companies need to ask themselves whether they want to build and operate one themselves or buy this service in from a partner. There is no single right answer to this question, and a decision needs to be carefully thought through.

However, we would like to give you some ideas along the way because, after all, this is a strategic decision for your cyber security. As we see it, there are basically two decision criteria that usually provide a good basis for a "make or buy" decision:

  1. Staff and Staff Costs: Do we have or can we find suitable security analysts who have the required skills? Both the number of employees and the associated personnel costs can often be an impediment to this.
    From our experience it requires at least three full-time posts - and if you want to work 24/7, you need at least five (per analyst role)! So, a Cyber Defence Center with three analyst levels will need at least 15 full-time jobs.

  2. Initial outlay and investment costs: The costs for setting up and operating a modern Cyber Defence Center are huge. The first thing to be done is to create the right space. Of course, these must have a multi-level, physical security concept. Furthermore, the vital technical components in a Cyber Defence Center also need to be designed several times in order to ensure maximum availability - and here we are quickly talking about several hundred thousands of Swiss francs. In addition, the planning and construction of a mature Cyber Defence Center takes on average 18 to 24 months - in our experience, this is too long for most companies, and believe us, we know what we are talking about! Only last year, we built our own Cyber Defence Center in Baar. Technology costs, construction and maintenance, however, are not the main factors in the high overall costs of a Cyber Defence Center. The main cost drivers are now and will remain in the future the staffing and recruitment costs.


These huge costs associated with setting up and operating a Cyber Defence Center makes it obvious that outsourcing to a qualified third-party provider is a valid, viable option for companies of all sizes. All the other things you have to consider when making a "Make or Buy" decision have been summarised in a detailed guide:

Download guide «Make or Buy»

Share article