man working in a security operations center

A Guide to Building a Security Operations Center: Roles of a SOC Team

While many businesses are taking a crash course in the dangers of cybercrime and the need for a comprehensive cybersecurity solution, few people have a firm understanding of the inner workings of the security operations center they depend on. Understanding the roles and responsibilities of your cybersecurity team is the first step to determining if you have the security you need to successfully protect the data used and stored by your business.

What is a Security Operations Center?

A security operations center (SOC) is the headquarters that houses the professionals who take care of your company's security needs. Your SOC team is responsible for monitoring, detecting, and responding to security issues and incidents. Essentially, your SOC could be described as the hub of cybersecurity operations for your company. With a combination of advanced software and highly skilled security professionals, a SOC works in real-time to mitigate existing threats and defend against potential threats on the horizon. The two main types of SOCs. While they provide many of the same basic functions, they work in different ways.

BitLyft AIR® Security Operations Center Overview


In-House SOC

Some large companies have a fully staffed SOC located within the company. Described as an in-house SOC, these centers house all the staff members, software, infrastructure, and tools required to manage, detect, and validate current threats while also being aware of bigger, long-term threats on the horizon. Benefits of an in-house (on-premise) SOC include full control by the organization, and on-site professionals prepared to respond immediately to emergencies. With these benefits come additional costs that may be beyond the capacity of many small businesses.

Building a Security Operations Center: In-House vs Vendor

Outsourced SOC

For many small to medium businesses, the cost of hiring a full in-house cybersecurity team and purchasing the required equipment to run an adequate on-premise SOC simply isn't feasible. Yet, all organizations need a capable and professional cybersecurity team. This often means businesses seek cybersecurity services from a third-party vendor. SOC as a Service (SOCaaS) is a way for businesses to receive many of the same benefits offered by an in-house SOC without the prohibitive cost and limited flexibility. One of the most notable features of SOCaaS is that it provides 24/7 monitoring for your network. For this reason, some organizations use SOCaaS from a third-party vendor to work in conjunction with their in-house cybersecurity team.

The Responsibilities of a SOC Team

Your SOC works as your organization's first line of defense against immediate and ongoing cyber threats from a variety of sources. In today's business world, it's essential to be able to access information in real-time with seamless processes that keep your company running on schedule. The downside to these capabilities is the potential vulnerability to outside attacks. While practically all devices are equipped with a firewall and security functions designed to protect data, those tools aren't a suitable match for educated and determined criminals attempting to breach professional networks. Whether you have a fully staffed SOC team on the premises or you retain services from a vendor, the roles and responsibilities of your SOC team are basically the same. Your SOC team is the human element of your security system, responsible for performing these tasks.

Implementing and Managing Security Equipment

Any SOC team works with a variety of equipment to protect the data within a company's network. To provide security tailored to your organization, your SOC team needs the equipment and software to provide insight into your security environment. Tools used by your team may include firewalls, data analytics, intrusion detection, threat and vulnerability management tools, data loss prevention, and reporting technology. While these tools are useful resources, to utilize them properly, you need a SOC team with the capability to select and leverage the tools needed for a specific organization.

Investigating and Analyzing Suspicious Activities

Every network constantly receives information related to the actions taken within each part of the system. With the assistance of SIEM tools, the data is constantly monitored for suspicious activities that might indicate a threat. When alerts of suspicious activity are received, they are analyzed by the SOC team to understand the danger of the threat and generate a suitable response.

The ability to recognize threats allows a SOC team to stop the threat from spreading and causing significant damage within the network. The ability to contain a threat locally can prevent your company from losing productivity and cash flow due to a system shutdown.

Reducing Downtime and Keeping Your Business on Schedule

Software without the direction of a qualified cybersecurity team can lead to an influx of alerts. However, many of these alerts are false alarms that your IT team has to sort through. In the event of constant warnings, your company has two choices. Either assume the warnings are false or shut down systems repeatedly. In the first instance, the company runs the risk of allowing criminal activity to work deeper into the system. The second leads to multiple shutdowns to investigate potential threats.

When a SOC team investigates the information in real-time, the appropriate personnel and stakeholders can be notified about serious threats, and mitigation can be performed before the threat reaches critical business infrastructure. When facing false alarms or actual security risks, your SOC team works continually to eliminate the problem without costly downtime.

Providing Regulatory Compliance Support

Many types of businesses are required to comply with certain government standards. Meeting changing standards and preparing for audits can be time-consuming and complex. Your SOC team utilizes tools to keep your cybersecurity practices updated in ways that comply with standards like NIST, CMMC, PCI, GLBA, FISMA, GDPR, NERC-CIP, and GDPR. 

Job Titles and Roles within the SOC Team

While an effective SOC team utilizes advanced tools and software to provide effective security measures for any organization, the roles within the team go far beyond choosing and implementing software. Cybersecurity experts work within a multi-tiered system to eliminate threats through best practices, threat detection, and response. Generally, you can expect any SOC team to consist of the following cybersecurity experts.

Security Analyst

As the first responders to incidents, security analysts are responsible for analyzing threats in three tiers that include detection, investigation, and timely response.

  • Tier 1: Receives and looks into alerts daily, determines the relevance and urgency of these threats and carries out triage to determine if a real security incident is occurring.
  • Tier 2: Addresses real security incidents with the use of threat intelligence to pinpoint the location and severity of the attack and implement a strategy for containment and recovery.
  • Tier 3: Manages critical security incidents with vulnerability assessments and penetration tests, isolates areas of weakness, reviews alerts, and identifies threats that have entered the network.

To accomplish this, security analysts use advanced software to monitor and detect threats. They may also be involved in creating a cybersecurity plan, training staff, and creating documentation. Security analysts are typically the first responders to threats.


Security Engineer

Also called security architects, engineers create a security architecture and work with developers to include security in the development of company systems and procedures. Security engineers are responsible for building the security architecture and systems. This means they maintain existing software and tools, take care of updates, and recommend new tools for more effective security. Engineers also document requirements, procedures, and protocols to ensure all staff and network users have access to the resources that will help maintain company security.

SOC Manager

The security manager oversees the actions of the entire SOC team and reports directly to the CISO. From staff supervision to creating policies and protocols, the SOC manager must perform a variety of tasks to ensure the SOC runs smoothly at all times. Responsibilities of a SOC manager include:

  • Managing SOC team members
  • Coordinating with security engineers
  • Creating policies for hiring
  • Managing financial activities
  • Assessing incident reports 
  • Developing and implementing crisis communication plans
  • Creating compliance reports
  • Report to business leaders


The Chief Information Security Officer (CISO) is responsible for defining and outlining the security operations of an organization. They approve policies, strategies, and procedures regarding security. As the top SOC professional, the CISO is responsible for managing compliance and reporting security issues directly to the company CEO and upper management.

Related Reading: What Does a SOC Analyst Do?

Budgetary Considerations when Building your SOC

For any business or organization, security is more than an expense. It's an investment that provides returns that will save you money compared to the cost of a security breach. However, every business needs to operate within its existing budget to survive. When trying to maintain the balance between an effective SOC and staying within your budget, it helps to review important budgetary considerations before making final choices about your SOC.


The size of your SOC will depend on the size of your business, the type of data you need to protect, and your industry risks. Yet, even the cost of staffing a small in-house SOC can be expensive. Information security analysts made a median salary of $99,730 in 2019. Any effective SOC team will require multiple security analysts at different tiers and advanced security personnel as well. 

On top of the cost of paying staff salaries, it can be a costly endeavor to recruit qualified security professionals to fill your available roles. The cybersecurity industry is experiencing a skills shortage. There simply aren't enough qualified individuals entering the industry to keep up with demand. For businesses seeking security professionals with traditional recruiting techniques, the process can quickly get expensive. 

Some organizations answer these issues by utilizing existing IT staff as security professionals. This can backfire in more ways than one. IT professionals without the proper training aren't capable of providing the same level of service as trained security professionals. Even worse, when employees are forced to split their focus between multiple positions, the organization can be put at higher risk. For a SOC to be effective against the sophisticated cyber threats of today, a highly trained, qualified team of security specialists is a necessity.

Building a Security Operations Center: In-House vs Vendor


Cybersecurity requires 24/7 coverage and the ability to respond to threats as they arise. For companies building an in-house SOC, this means hiring more staff members. It also means considering the potential for part-time or extra personnel to cover sick days and vacations. Threat actors, from extortionists to nation-state actors, target weekends and holidays for successful cyberattacks. Since IT staff and cybersecurity professionals are more likely to be on vacation, response time will be slower and cybercriminals are more likely to achieve their goals. 

Security Tools

Whether you have an on-premise SOC team or vendor-supplied SOCaaS, the security tools and software used to protect your network must be efficient enough to digest a significant amount of data. While it's possible to find lower costs by shopping around for security providers, it's essential to ensure the cost isn't retained by using outdated or ineffective tools. An organization may have difficulty affording the tools necessary to deploy cutting-edge security solutions, but many external SOC providers already have the resources in place.

Compliance Audits

Failing an audit can be expensive. Preparing for your audits and the audit process is a notable expense as well. A 2019 study revealed that two-thirds of businesses planned security budgets. Compliance mandates were one of the biggest factors in the need for increased spending, with 69% of respondents citing it as a priority.

Any organization trying to achieve government-mandated compliance can expect to add these costs into the cybersecurity budget.

  • Gap analysis to identify gaps and remediate them before the audit
  • Up-to-date documentation of policies, procedures, and technologies
  • The audit, which is usually carried out by a third party
  •  Time spent by company personnel to prepare for the audit
  • Implementation and training of compliance processes and procedures
  • Ongoing maintenance to keep up with changing regulations and growing risks
  • The cost of non-compliance, which may include fines, additional audits, reputation damage, restriction from providing certain services, and lost customers

Software Maintenance Costs

Technology is always growing and changing. For threat actors, the vulnerabilities exposed during such changes present an opportunity to access and exploit multiple networks. For businesses, potential risks combined with required updates represent the need to spend more funds on advanced software or update existing software. Security software must be updated frequently to match new compliance standards or eliminate recently exposed vulnerabilities.

Key Functions of a SOC Team

Your SOC team implements a cybersecurity strategy unique to your company to assess and eliminate incoming threats before they disrupt your business. As the hub of any security system, the SOC team collaborates with the efforts of all staff and IT members to complete a fully effective security system. These are the key functions of a SOC team.

  • Monitor: With the use of advanced software and data security analysts, the SOC monitors events within a network to seek unusual or suspect behavior.
  • Prevent: Through monitoring and automated alerts, the SOC can isolate in-progress threats to prevent threat actors from moving throughout the network. Prevention can also eliminate vulnerabilities before a threat actor enters the network.
  • Detect: Through monitoring and UEBA, the SOC team can recognize normal behavior and detect unusual patterns of threat actors masking criminal activity within the system.
  • Investigate: When threats are detected SOC analysts and engineers investigate the source of the attack and any vulnerabilities that helped the attacker access the network.
  • Respond: When an attack occurs, the SOC team must react immediately to neutralize the threat, eliminate vulnerabilities, protect unaffected systems, and repair affected parts of the network.

SOC, NOC, and IT: The Differences and How They Work Together

Advanced technology allows businesses and organizations to rapidly achieve tasks they weren't capable of in the past. With these advances, companies in every industry are more productive and advanced than many people ever imagined possible. Yet, these advances come with complicated networks that must run smoothly for everything to work as it should (or often work at all). Today's technology requires even small and medium businesses to use correlated networks and devices to keep business afloat and properly maintain customer satisfaction. These networks need experienced professionals to keep them maintained and protect them from potential threats. 

While it would be great if a single technology solution could provide complete network support and security, it's simply not possible. The professionals who monitor systems are trained to specialize in certain techniques to maintain working order. Fracturing this specialized focus leads to lowered capabilities overall. When companies seek the tech support they need, they often mistakenly think common terms are slightly different versions of the same thing. This isn't the case. Your organization doesn't need a SOC or a NOC. It needs some version of both. Additionally, even if you outsource the majority of your IT support, you likely also need some on-premise IT professionals. Learning about the responsibilities of NOC, SOC, and IT can help you learn how they work and help you determine the best solutions for your organization.

NOC: Network Operations Center

A Network Operations Center (NOC) is a fully managed external team of specialists that provides 24/7 protection for network performance. These teams are experienced in the technology used to keep your organization running smoothly at all times. The goal of any NOC is to maintain uninterrupted service of on-premise and cloud-based equipment.

While specific services vary by provider, a NOC usually provides these services.

  • 24/7 network optimization for a healthy network
  • Proactive monitoring for issues that can lead to downtime
  • Updates and patch management
  • Reduced downtime and alert management
  • Maintaining consistent data flow
  • Back up management
  • Network communications
  • Trend identification and analysis reporting
  • Remediation and roadmap recommendations 

SOC: Security Operations Center

Similar to the way your NOC works, a SOC works to maintain the usefulness of an organization's network. However, all tasks completed by the SOC team are related to the security of the network and the avoidance of threats. Whether your SOC is on-premise or external, it should provide these services.

  • 24/7 monitoring for security threats
  • Proactive monitoring to uncover potential threats to a network
  • Security updates and patches when vulnerabilities are revealed
  • Avoiding network downtime by isolating or avoiding threats
  • Risk identification and analysis reporting
  • Maintaining compliance with government security regulations
  • Response and remediation to security threats

IT: IT Department, Help Desk, or Services

The information technology (IT) team in any organization has a massive set of responsibilities. Most people within an organization think of the IT team as the group that comes in to install new software, reboot the system, or fix technical difficulties when they arise. While IT specialists do complete these tasks, they also have a host of day-to-day responsibilities to keep technological systems on track. Unlike the centers designed to provide 24/7 support for a network, a typical IT team is there to maintain and assist day-to-day activities. An external IT helpdesk may be utilized to resolve issues after hours and assist a small in-house IT team.

Services provided by an IT team include:

  • Governance of an existing technology system to maintain working order
  • Implementation and maintenance of infrastructure and hardware within a company's tech system
  • Maintaining operational functions
  • Installation and maintenance of computer network systems
  • Create a crisis plan for system emergencies
  • Creating and maintaining a company's website
  • Monitoring and maintaining a company's communications network

While the IT department, NOC, and SOC all provide a series of functions related to the operations and security of a network, they specialize in different areas. When these specialized services are clearly defined, NOC, SOC, and IT correlate and coordinate activities for a highly functional and secure network. Today's advanced technology offers all types of organizations new ways to get the technological and cybersecurity support they need. All of these services can typically be outsourced to provide companies with complete services or partial or emergency services to complement the on-premise staff.

Every organization and business is subject to cybersecurity threats and network breaches that can lead to costly downtime, damaged equipment, or expensive ransom demands. If you're unsure of your company's cybersecurity posture, take action before disaster strikes. Talk to the cybersecurity experts at BitLyft to learn more about complete protection for your network with a platform that merges the best people and software to provide unparalleled protection for you.

Building a Security Operations Center: In-House vs Vendor

Jason Miller

Jason Miller, Founder and CEO of BitLyft Cybersecurity, has dedicated his 20-year IT career, including co-founding SaaS pioneer Reviora, to removing cybersecurity barriers for mid-sized enterprises. Establishing BitLyft in 2016, Jason set out to unburden security teams with innovative, approachable, and affordable solutions, a vision which has made BitLyft a respected managed detection and response provider. Outside his cybersecurity pursuits, Jason is an avid tree farmer and outdoor enthusiast, planting nearly 300 trees on his ten-acre plot and finding joy in hiking, hunting, and driving his white Tesla Model 3. His diverse passions mirror the balanced blend of expertise, dedication, and joy he brings to BitLyft.

More Reading

Cybersecurity Budget Planning
The Cost of Cybersecurity and Creating an Achievable Security Budget
The idea that cybercrime is a problem restricted to the financial industry or large conglomerates and Fortune 500 companies is a thing of the past. From manufacturing and utilities to education,...
woman looking a two computer screens
Does my company need a SOC?
A comprehensive and mature security solution isn’t just about log monitoring, or having the right SIEM tools to detect threats. Automated systems are all well and good, but eventually you’ll want a...
EDR vs MDR vs XDR header
EDR vs MDR vs XDR: How They Differ and Which One is Right for You
The cyber threat landscape is growing faster than ever, and organizations across the globe are struggling to find the protection they need to stay ahead of the risks. Along with the persistent...