Choosing the Right SIEM Model to Achieve Best Practice #4
Posted by John Verry on Tue, May 05, 2009 @ 11:16 AM
If you have read our white paper "Five Best Practices for Security Information Event Management (SIEM)", you are already familiar with SIEM Best Practice #4, "Commit the Resources Required on a Go-Forward Basis". Failing to adequately resource a SIEM after its initial deployment is one of the greatest risks to a successful SIEM deployment. Resourcing is closely coupled to the SIEM model that you choose:
- In-Sourced (Buy & Operate) - this model is best where SIEM is mission critical, there is a larger security team, 24/7 operations, and a higher risk profile (e.g., US Navy). The Good: full control, intellectual capital development, wow/buzz for team. The Bad: Sourcing/managing multiple talented (expensive) resources.
- Out-Sourced (Buy (or Monthly) & Delegate) - this model is best where compliance is the focus (e.g., perimeter security for a regional bank). The Good: Reduced capital costs, buy SME at a bargain price, lowest total cost. The Bad: Pure outsourcing results in a lack of event contextualization/understanding, risk (monitor the monitor).
- Co-Sourced (Buy (or Monthly) & Joint Operation) - this model is best where requirements are complex (e.g., enterprise-wide compliance with multiple regulations). The Good: Reduced capital costs, buy SME at a bargain price. The Bad: Internal stakeholders are needed to provide event contextualization/understanding.
No matter the model -- the key is ensuring that you have appropriately qualified folks with sufficient time on their hands to optimize the return on your SIEM investment.
Don’t miss our white paper – available for download – to optimize SIEM deployment.