Cybersecurity is siloed by areas of responsibility and skills; the split between operations and engineering is the worst. There is also a separate vulnerability/threat management silo.
Because the analyst hierarchy and incident management are borrowed from ITIL (three levels of analysts: triage, investigate, respond), the first people who deal with signals are the least experienced; their ability to spot a real breach is also limited, and the actual response starts far too late.
MSSPs assign too many clients to a SOC, so the analysts on duty have low to zero understanding of the context of each client's environment.
One dedicated team, with roles rotated on different schedules. One month you are an analyst working on breach preparedness or disrupting an actual breach; the next month you are off on-shift/on-call duty, designing and deploying a security control that establishes an automatic response to a particular TTP.
Details on setting up teams with balanced "management overhead" are in this article [1].
You might also want to check whether there is something you should add from this article [2] in order to give the team proper authority and so on.
Your cybersecurity team should be one dedicated team that executes all functions: defense, protection, and reconnaissance/analysis/planning.
You do want to maintain virtual independence between functions from a management perspective even though you have one team. You achieve this by having roles (defensive and protecting) that you rotate your team members through.
DevOps suggests initiating the transformation in a new team that is relieved of any legacy/historical duties to ensure success. I agree. I understand that it might feel expensive, but having ineffective cybersecurity is more costly.
Manual response is the “King”. The true purpose of the protection function is to free up the defenders so they can focus on preparing to respond to a cybersecurity breach that cannot be disrupted with preconfigured security solutions and hardening. Risk mitigation, and even automatic protection from breaches, are the means to achieve that true purpose.
Design and establish a new team with a separate scope according to BRSE principles.