How to Determine If You Need a SOC Team, CSIRT Team or Both [source: infosecinstitute]

SOC and CSIRT teams have distinct roles and responsibilities. This article describes the differences between a SOC and a CSIRT to help you determine which team, or which combination of the two, fits your organization's needs.


SOC stands for security operations center. The term describes an environment built specifically to defend corporate data and networks, and it is used both for the facility where security tasks are carried out and for the people responsible for them. In other words, a SOC is either an information security hub that centralizes cybersecurity activities in a given organization or a cybersecurity team that handles everything concerning the protection of the organization's information systems:

  • Prevention
  • Detection
  • Incident management/response
  • Reporting
  • Compliance and risk management

What Does a SOC Do?

A SOC is dedicated solely to protecting the enterprise's IT assets, and in this model every IT security plan must be approved by the SOC. In addition, the SOC enforces regulatory requirements such as PCI DSS or CESG GPG53 and oversees all people, processes and technologies within the organization that must comply with them.

What separates a SOC from other cybersecurity units is that it provides a centralized, dedicated department that pairs techniques, talent and technology with intelligence-gathering capabilities in order to improve an organization's chances of warding off potential threats. Incident response is not its specialty (that is where a CSIRT has the edge), but a SOC covers this activity as well, since its remit spans the whole of cybersecurity.

SOC-as-a-service is not uncommon. EY is one organization that offers that option to its clients. According to EY’s studies, “over half (56%) of organizations are unlikely to detect a sophisticated cyber attack, and a similar number (53%) lack the skilled resources to handle them.”


The CERT Division of the Software Engineering Institute (SEI) considers a Computer Security Incident Response Team (CSIRT) to be "a service organization that is responsible for receiving, reviewing and responding to security incident reports and activity." It is either a formalized or an ad-hoc team, and it usually performs services for an already designated constituency (e.g., a corporation, government or client).
