What a SOC is, and when you need your own
A plain-English guide to what a Security Operations Centre really does, what one costs to run, and why most Norwegian SMBs should rent rather than build.
Here is what a SOC is, and why most Norwegian SMBs should rent one, not build one.
Note: SOC in this article means Security Operations Centre, the team and tooling that watches for security events. It is unrelated to SOC 2, which is a US audit report on a service provider’s controls. If you are here for the audit, read our SOC 2 guide for Norwegian SMBs instead.

1. What a SOC really does, day to day
A security operations centre is the function that watches your systems for signs of attack, decides which signals are real, and acts on the ones that are. On a normal day that work is dull on purpose. Analysts triage alerts, close the false positives, write up the ones that look real, and hand the live ones up the chain.
Three things have to be true for a SOC to earn its name. There is telemetry coming in from endpoints, identity, and cloud. There is a person looking at it. And there is a runbook that says what happens when something fires. Tooling without staffing is a dashboard. Staffing without tooling is a help desk. You need both, around the clock.
2. The math of 24/7 coverage
A SOC is only useful if someone is watching when the alert fires, and attackers prefer hours when nobody is. That sets the staffing floor.
To keep one seat filled every hour of the year, by typical shift-cover math, you need roughly four and a quarter people once you account for nights, weekends, holidays, sick days, and training. To run a viable tier-1 plus tier-2 rotation with a lead, you are at around six to eight analysts in total (composite figure, drawn from public SOC-staffing references like Expel’s build-vs-buy breakdown). Below that, single-person shifts and burnout start to do real damage.
Six to eight senior security analysts on Oslo-area salaries, plus the SIEM, the EDR, the threat intel feeds, and the management overhead, lands at several million NOK a year. The exact number depends on your stack and your salary band, but the order of magnitude is what matters for the decision.
3. When building your own SOC is the right call
There are organisations where an in-house SOC is the right answer, and we should be honest about which.
- Very large organisations, where the per-employee cost of a SOC is small and the volume of internal telemetry is high enough to keep analysts busy.
- Regulated entities with data-localisation rules, where telemetry legally cannot leave the country or the organisation.
- Defence, intelligence, or critical-infrastructure operators, where sensitivity is high enough that outside eyes on the console are not acceptable.
- Firms with an existing 24/7 operations bridge, for example a network operations centre, where adding security analysts to the rota is incremental rather than greenfield.
If you are not one of these, the economics of doing it yourself rarely work out.
4. The alternative, managed detection and response
For everyone else, the right shape is managed detection and response. MDR is a service where a vendor’s analysts run the 24/7 bridge on a platform you both have access to. You keep the business context, they keep the night shift staffed.
We deliver MDR on CrowdStrike Falcon. The around-the-clock bridge is run by CrowdStrike Falcon Complete Next-Gen MDR, CrowdStrike’s own global team operating on the Falcon platform. They watch the console at 03:40 on a Sunday. We did not build that team and we do not staff it. FM CyberSecurity is a certified CrowdStrike partner in Norway, and our work sits on either side of the bridge: the onboarding, the sensor tuning, and the local escalation in Norwegian when something on a Norwegian client needs a business decision.
If you want the longer reasoning, see why we picked CrowdStrike Falcon for modern MDR and what the Falcon platform is.
5. A decision rule for the IT manager reading this
You can fit the choice on one line. If you have under a hundred staff, no 24/7 operations function already, and no rule that forces telemetry to stay in-country, you are an MDR buyer, not a SOC builder. If you have all three the other way, you are looking at building, and it is a board-level investment, not an IT-budget one.
Halfway answers, the part-time analyst, the office-hours-only SOC, the “we will get to weekends later” plan, are the worst outcome. They produce alerts nobody reads after Friday.
6. What to do this week
Three concrete steps for a Norwegian SMB IT manager who has read this far.
- Map your current coverage. Write down who answers a security alert at 22:00 on a Saturday today. If the answer is “nobody”, you have your gap.
- Inventory your endpoint and identity telemetry. What is on the laptops, what is on the identity provider, what is in the cloud admin logs. MDR works best when there is signal to read.
- Get one independent view on which shape fits. Build, rent, or hybrid. Thirty minutes with someone who has done it for other Norwegian firms is enough to settle the direction before you commit budget.
Next action
Talk to Kenny in our detection and response practice for a 30-minute view on your endpoint and identity coverage, and whether MDR or a self-built SOC fits your shape. We will tell you straight if MDR is the wrong answer for you.
If this resonates:
- Read why we picked CrowdStrike Falcon for modern MDR for the platform-level reasoning behind the service.
- Forward this to your CFO before they approve a SOC business case. The headcount math is the part that usually gets missed.
- Send Kenny a message for a 30-minute view on your current coverage.
FAQ
How many analysts does a 24/7 SOC need?
By typical shift-cover math, you need around four and a quarter people just to keep one seat filled every hour of the year, once you account for nights, weekends, holidays, sick leave, and training. A viable SOC with tier-1, tier-2, and a shift lead is more like six to eight analysts in total. Below that, you end up with lone-shift cover and burnout, which is worse than no SOC because it produces alerts that nobody is fit to act on.
Is MDR the same as a SOC?
MDR is a way of buying SOC-shaped outcomes without staffing the bridge yourself. A vendor’s analysts watch the platform, triage detections, and contain threats on your behalf, while you keep the business context and the final call on disruptive actions. You still need someone on your side who owns the relationship, reviews the weekly reports, and decides what gets escalated to the business. That is a few hours a week of an IT lead’s time, not a 24/7 rota.
Does NIS2 require us to have a SOC?
NIS2 does not name a SOC as a control. It requires risk management, incident handling, and timely incident reporting under Article 21, and it expects the measures to be proportionate to the entity’s size and risk. An in-scope SMB can meet that with MDR plus a documented incident process; you do not have to build a bridge to comply. The Norwegian transposition is still working through the system, so confirm timing with your compliance lead.
What is FM CyberSecurity’s role if CrowdStrike runs the bridge?
We do the onboarding, the sensor tuning, and the local escalation. Onboarding gets the sensors on the fleet and the policies tuned to your stack, which is where most of the noise gets removed. Tuning is the unglamorous work of teaching the platform what is known-good on your endpoints. Local escalation is the Norwegian-language conversation when CrowdStrike’s team confirms something that needs a business decision on your side. FM CyberSecurity does not staff a 24/7 bridge, and we will not claim we do.
When should we revisit the build-versus-rent decision?
When you cross a threshold that changes the inputs: growing past a few hundred staff, taking on a regulated workload with localisation rules, acquiring a company that already has a SOC, or adding a 24/7 operations function for non-security reasons. Outside those triggers, the decision is stable; MDR keeps scaling with you without a step-change in cost.