Some time back I published an article, “What it Really Takes to Stand up a SOC”. It included a MindMap showing everything you need to consider when deciding whether to establish an internal Security Operations Center. Since then, many people have asked questions about estimating the budget for standing up an internal SOC.
In my last article, I pointed out different budget components. Let us explore some of these components in a little detail with SOC Budget Calculator Version 1. This budget calculator is an Excel spreadsheet with sample data. I have tried to keep it close to reality, but these numbers can vary significantly depending upon the size of an organization. Feel free to download the calculator and make changes based upon your needs.
People Cost
The following table shows a sample cost for SOC personnel. The annual salary and benefits may vary from state to state (or country to country). The number of people is estimated for running a 24×7 SOC with 3 analysts in the first shift and two analysts in each of the second and third shifts. See my other blog post about how I came up with these numbers. This is a recurring annual cost.
Capital Cost for Technology
The following table shows the estimated cost of technology. This may vary depending upon the size of your organization, but I have tried to cover the major expenses. As an example, the cost of a SIEM may be much smaller or quite large depending upon geographical locations, amount of data collected, applications, and so on. This is to give you a starting point.
Other Annual Recurring Costs
The following table provides an estimate of other recurring costs. I have intentionally left the first two rows empty to enable you to add depreciation and software maintenance costs. As a simple rule, use 20% of your capital expense as the annual depreciation and maintenance cost. Your accounts department can help you get a more realistic number here.
Putting it All Together
The following is the complete picture of the sample budget calculator. Once again, I encourage you to download the calculator and make changes as you deem necessary.
Your feedback is welcome on Twitter at @rafeeq_rehman.