Managed Security Services vs. Internal IT Security
If you take cybersecurity seriously and plan to address it meaningfully, you’re probably wondering what’s the best approach for your organization. There are two broad approaches to managing cybersecurity: You can outsource to a managed security services provider, or you can hire your own internal IT security staff. Let’s discuss the things you should keep in mind as you’re deciding the best approach for your company.
In case you’re short on time, we’ll jump right to our conclusion: Unless you are a very large company with a mature IT management process, well-staffed in-house IT team, and robust tech budget, your best option is outsourcing cybersecurity to a managed security services company. Even if you have those prerequisites covered, you should still weigh outsourcing to a managed security services provider before making a final decision. And don’t rule out a hybrid approach.
Now let’s take a step back, ask some basic questions, and explore the reasoning that led to this conclusion…
Do I need a managed security services provider?
You’ve accepted the need for comprehensive cybersecurity, but does that mean you need to hire a managed security services provider? Let’s break that question down into some pre-screening questions:
- How do you manage your technology in general?
- We outsource IT management today. Should we outsource cybersecurity as well?
If you use an outsourced IT vendor or managed services provider to manage your regular technology needs, you should take the same approach to your security management. There were good reasons you determined it was more efficient to outsource the routine tech management. Those same reasons apply to deciding how to manage the more complex issue of cybersecurity.
To answer that, you’ll need to thoroughly review your managed services provider’s capabilities. Apply an added dose of skepticism. Many MSPs will sell themselves as extremely capable with cybersecurity. Dig deeper, and you’ll likely find out they just resell some cybersecurity software and have neither a team of cybersecurity specialists nor a 24x7 Security Operations Center (SOC) monitoring and managing threats in real time. Absent those components, they cannot execute a comprehensive cybersecurity platform.
For more relevant points, please read the following two sections about internal IT security management. All those points are true for your existing IT vendor and their ability to deliver robust cybersecurity.
If you need more convincing, I’ll offer this anecdote. Framework is an IT managed services provider. We took a hard look at our cybersecurity prowess and what a best practice cybersecurity operation should look like. We quickly determined it was not feasible, even with our scale and capability, to deliver professional cybersecurity management independently. We decided to co-deliver these services via a partnership with a mature managed security services provider.
Can we manage cybersecurity in-house with our existing internal IT staff?
If you have in-house IT staff, your impulse is probably to consider whether the existing IT staff can address your cybersecurity. If you’re not experienced in technology management, that is a logical consideration.
Unfortunately, the short answer is almost certainly no. Your existing team cannot adequately tackle the cybersecurity challenge. Sure, they can take steps in a positive direction and make you feel better. Positive feelings aside, they probably cannot meaningfully impact your risk exposure.
Cybersecurity is its own specialization within IT, and it requires separate training, certifications, and experience to obtain proficiency. Senior Networking Engineers and Systems Architects will have some knowledge pertaining to cybersecurity, but that does not qualify them as cybersecurity professionals. Even within cybersecurity, there are further layers of specialization.
Can we add cybersecurity staff to the existing internal IT team?
- You can consider adding internal cybersecurity staff if you can afford an added $14,000 per month expense.
- You can consider adding internal cybersecurity staff if you’re comfortable leaving this extremely important function in the hands of a single individual. Here are some of the reasons why we recommend avoiding this scenario.
Security threats are 24x7. A single person is not 24x7, no matter how much coffee or how many energy drinks they consume.
Cybersecurity engineers typically have specialization within the security field. One person is unlikely to be a subject matter expert on the full cybersecurity management landscape.
Go back to that budget and start multiplying cyber staff headcount now… Ouch! A managed security services provider can negate the above challenges and may also cost less. That simplifies your decision process a lot!
What is your budget for cybersecurity management?
If you cannot spend more than $14,000 per month on cybersecurity, rule out hiring in-house cybersecurity staff immediately and focus on finding a managed security services partner. I’d argue the real minimum for in-house cybersecurity staff is $28,000 - $42,000 per month, because of coverage and specialization.
We arrived at the $14,000 minimum figure using a few simple, conservative estimates. A certified, experienced cybersecurity professional comes at an average salary of $100,000 per year. It can be more depending on their credentials, experience, and geography. This doesn’t even account for the total cost of that employee, only their salary.
The greatest cybersecurity engineer needs tools to do their job. On top of hiring your cyber-wizard, you’re going to need to purchase several cybersecurity tools to address the core aspects of a holistic cybersecurity strategy. The cost of these tools will depend a lot on your environment and security needs. Conservatively assume you’ll spend at least a few hundred dollars a month to enable your cybersecurity professional.
Managed Security Services Providers leverage their bench of certified engineers and their tools across many clients, achieving efficiency of scale. They also aggregate knowledge and experiences from managing many clients and cyberthreats. For that reason, they’re more cost-effective than building an internal cybersecurity team for 99% of businesses.
The exception to that rule is a large company with a massive IT staffing budget that allows it to achieve cost-effective scale. Even those companies often see the value in a hybrid approach, combining their own cybersecurity staff with the backing of a managed security services provider to add capacity and expertise.
What’s the time commitment you’re willing to devote to cybersecurity management?
Focus on what you do well and let cybersecurity professionals worry about the rest. They’re passionate about cybersecurity. They live and breathe it all day. They can deliver cybersecurity with a fraction of the time commitment and a simpler experience for you as a client. That ability to stay focused on your team’s core strengths is worth a lot.
Cybersecurity threats can pose an existential threat to businesses. Adequately managing security requires professionals, processes and tools. Hopefully this article informed your decision as you evaluate whether to outsource to a managed security services provider or build an internal cybersecurity team.