Lessons from a conversation with 15 CISOs - The Pros & Cons of a hybrid SOC


In May, e2e-assure held the first of two ‘virtual private events’ (VPEs), hosted by Amar Singh of the Cyber Management Alliance. Attending the event were a group of 15 CISOs from a broad range of companies and sectors and we were fascinated by the level of engagement, different experiences and thoughtful discussion that happened, all within 90 minutes. Attendees varied from those who had plenty of experience running hybrid SOCs to those that had traditionally only kept them in-house and everyone in between.

Over the next few weeks, we’ll be bringing you some key lessons we took from the various conversations, including from the 2nd VPE, which takes place on Wednesday 16th June. In this blog, we’ll dissect discussions we had about the ‘hybrid SOC’ model, a term that can mean different things to different companies and comes with a range of pros and cons. We hope these will help anyone considering a hybrid security operating model now or in the future.

What is a hybrid SOC?

Fundamentally a hybrid SOC is a part-outsourced service, with an organisation keeping some element of their security operations in-house, whilst leaning on an expert provider for other elements of the service. What is kept in-house and what is outsourced is subject to a much wider debate than we’ll go into here, but should come down to the capabilities and requirements of the customer, in particular any skill or resourcing gaps they’re looking to cover.

What are the pros and cons of a hybrid SOC?

This was discussed in two breakout sessions and in those we saw a number of interesting real-life examples brought to the table. To our surprise, there were a lot more pros than cons drawn up, but this, perhaps, is down to the flexible nature of the hybrid model, meaning organisations can tailor elements of the service to suit them, rather than be completely reliant on in-house or outsourced resource.


Pros

  • Extending team capability, capacity and size
  • The ability to ‘Bring your own Licence’ - retaining and maximising previous investments (with the right partner)
  • External validation of the in-house security function to take to the board
  • Faster detection and response
  • An uninterrupted, 24/7/365 service, without burning out in-house staff
  • The ability to outsource the mundane, keeping in-house analysts interested
  • Getting around the huge costs of creating and maintaining an in-house SOC
  • Greater flexibility as your organisation changes (add to or remove from the service more easily)
  • Wider access to threat intelligence
  • Reduced TCO throughout a contract through improving ‘cyber maturity’


Cons

  • May have to give up elements of control
  • The requirement for privacy and/or clearance checks with the chosen partner (not all will have this)
  • Potential loss of business context (at least initially)
  • Insight stored externally
  • With the wrong pricing model (e.g. per alert), costs can soar as the business grows
  • A potential lack of service customisation (depending on the partner)

Is there anything on this list (or not on this list) that surprises you, or anything you don’t agree with? Let us know!

Of course, some of the benefits and challenges will be more or less pronounced depending on the organisation and the SOC partner chosen. For advice on questions to ask potential providers, why not ask for our guide, ‘10 questions a CISO should ask service providers’, by emailing [email protected] or visiting e2e-assure.com/contact.

If you’d like to attend the 2nd VPE on the 16th June, then message us using the details above.