For SOC Leaders, 'Build vs. Buy' Now Means Blending Internal and External Expertise
Deepika Joshi, Principal Advisor at Egghead Global Consulting, illustrates a hybrid approach to internal and external SOC tools and teams that builds deep resilience and risk management capabilities.

Key Points
The "build vs. buy" debate for a modern SOC is no longer about technology; it’s about risk, resilience, and readiness.
Deepika Joshi, an independent Principal Advisor, argues that operational resilience is built on hybrid strategies combining expert internal teams and ready-to-deploy vendor solutions.
Joshi explains that while internal teams hold invaluable business context, hybrid models that leverage external partners are often best for mitigating the risks of staff turnover and ensuring operational continuity.
The "build vs. buy" debate for today's Security Operations Center extends well beyond tech stacks to real conversations about risk, resilience, and readiness. As the future of security operations evolves, the question for leadership shifts from which tools to buy to how those tools address budgets and risk. It's a perspective already shaping C-suite cybersecurity strategy.
For experts like Deepika Joshi, FCCA, it's all about adaptability and resilience. As a Principal Advisor with Egghead Global Consulting, and with years of experience as a risk manager at companies such as Axis Risk Consulting, Revolut, and Bank of America, Joshi works alongside CFOs and risk leaders when their governance environments face heightened scrutiny. This experience with sustained regulatory pressure gives her a unique perspective on what truly makes a security function effective.
"For me, it's not about the technology stack. It's about operational resilience and whether an organization can detect and respond to issues early," says Joshi. In a modern sense, enterprise risk is about balancing internal teams (building) and external vendors (buying). The smartest strategies often embrace a hybrid model, using advanced tools and automation that can serve as accelerators, freeing internal teams to focus on judgment-based work. This balanced approach often involves leveraging expert-led services to augment internal teams, a trend reflecting a global push toward greater efficiency and stronger cybersecurity posture.
Ghost in the SOC: Automation is a foundation of the modern SOC function, but Joshi argues that automated tools cannot do everything. "Human capital is the most underrated part of running a SOC. Tools can help speed up a process, but you need a human brain for the judgment required in tough situations. It's just as important to have skilled people to run the tools the way they should."
The inside advantage: Internal teams shine with a deep, contextual knowledge of a business that third-party vendors struggle to replicate. Joshi adds that this is especially true for organizations operating in a tangled regulatory environment, where a rich understanding of internal processes is key. "A third party cannot understand the nitty-gritties of an organization's processes as well as an internal team can," she says. But the choice to build or buy isn't just about whether an organization prefers vendors to internal teams; it's a strategic one with a trade-off between immediate needs and long-term goals. Without a specific regulatory mandate, the decision is often driven by an organization's budget, personnel, and expected outcomes.
But an internal SOC's greatest strength can also be its greatest vulnerability. In an industry known for high turnover, staff attrition can strip away deep experience and expose vulnerabilities. This risk carries a price tag measured in the millions, according to the latest cost-of-a-data-breach report. The constant effort to build and sustain SOC maturity is a cycle of managing the core capabilities of people, process, and technology. To counter this exact instability, many organizations adopt the hybrid model Joshi highlights, using external partners to maintain operational continuity and mitigate the risk of losing skilled internal talent.
The revolving door: Whether through attrition or downsizing, the loss of trained personnel is a massive blow to SOC functions. "When you have staff shuffling, the whole thing goes for a toss," Joshi says. "A new person takes time to get accustomed to the environment, but you don't have that luxury when an incident can happen at 2 AM. We can't afford to let our skilled resources go just like that."
And therein lies the challenge. Vendors can provide always-on services and supply data around controls and compliance to inform risk management. But security is a "ground-level" view of how controls actually operate. A vendor's report, for example, on a risk assessment or an ongoing incident investigation, may offer a valuable snapshot. Still, Joshi stresses that organizations only mistake it for true visibility at their peril. It rarely matches the real-time view of risk that an internal team can generate through continuous self-assessment, avoiding the pitfalls of a fragmented and costly SOC strategy. Internal oversight should be guided by formal incident response protocols that define clear ownership and escalation paths.
Practice over paper: Control catalogs are good for checklist compliance. But in a world driven by risk and continuous monitoring, Joshi is clear that it's the hands-on team that understands how these controls work within an organization. "The existence of a control is different from how it's actually being operated at the ground level."
A tale of two reports: The challenge of "on-paper" security is that, depending on the source, reports provide completely different levels of insight. "With an external party, you get one report," Joshi says. "Internally, data comes from various sources, allowing you to see exactly what kinds of incidents are happening and how they were handled. That level of detail often isn't available from a vendor."
Perhaps the biggest challenge isn't technical at all, but one of governance and culture. Joshi points to a common but counterproductive dynamic: a team's fear of escalating bad news. A reluctance to report issues for fear of blame can undermine even the most advanced detection tools, allowing a manageable issue to grow into a larger problem. Proper escalation, she says, can "mellow down the criticality of the situation" and allow leadership to manage potential "reputational damage" in time.
Now, SOCs ground security in proactive prevention and response. Instead of asking reactive questions after an incident, effective boards are now proactively questioning the organization's detection capabilities, ownership matrix, and investigation procedures. The solution often involves focusing the conversation on risk rather than technology, a foundational principle of all modern SOC strategies. Joshi concludes that leadership doesn't need to understand the technical details; that's for the SOC team. They need to understand the bird's-eye view of the problem. "The SOC understands and communicates the value of tools and vendors to the board. The board doesn't need to understand the technical bits. They understand the governance. They understand the risk. They understand the controls."






