There is an increasing requirement for organizations to use managed security services. The main drivers of this are threefold. First, adversaries are getting so much better. This isn’t just a random hacker kid in a basement – this is full-blown economic extortion. Second, it’s challenging to hire top talent unless you are a large enterprise and can compete with the salary, job satisfaction, benefits, etc. Third, it has become far too costly and complex for most organizations to operationalize all the right technology themselves.
This article explores the key benefits and drawbacks of managed security services and how organizations can evaluate which MSP best fits their needs.
The Media Sonar research team asked 306 security professionals what the most significant benefit of using managed security services is. The leading benefit was higher quality security (41%), followed by faster implementation (22%), help with compliance (19%), and cost-effectiveness (18%).
Benefits of Managed Security Services
1. Higher Quality Security Talent
There is a high demand for top-tier talent, especially in security. Unless you are a very large organization, hiring experienced and skilled security professionals is challenging because they are costly, difficult to find, and hard to retain. The barriers to finding skilled security workers have led many organizations to settle for the best they can find. In many ways, a half-qualified security professional can do more harm than good.
When you work with an MSP, you can access an entire team of vetted security talent with the necessary qualifications, certifications, and experience. MSPs can choose from a much larger pool and hire a broad range of professionals that meet several security needs. MSPs tend to be more operationalized, with sophisticated tools, ongoing education and training, and more funding. Plus, they are typically available 24 hours a day, 7 days a week, 365 days a year. With an MSP, you get all the benefits of the top talent without having to pay HR benefits, give them sick leave, call them in on the weekend, pay them overtime, and manage burnout.
2. Faster Implementation
It can take multiple years to develop a security plan, hire professionals, and implement a security tech stack. While the time to implement a security program is dependent on several factors such as budget, company size, and leadership – our research found that only 10% of security professionals think that a security program can be implemented in less than one year, and 65% believe it will take more than two years. And this is just for the implementation. After implementation, a significant amount of skill and time is required to measure the effectiveness and refine the strategy and technology.
Managed security services allow for more seamless and efficient implementation, where clients typically start to see value upon the completion of onboarding. MSPs are trained and up to speed on their security tools and techniques and are constantly upskilling and evaluating their processes and tech to make improvements where possible.
The Media Sonar research team asked 926 security professionals how long it typically takes to implement a security program. Only 10% said it could be done in less than one year and 65% said it takes more than two years.
3. Help with Compliance
While the intent behind compliance regulations is good, it can be challenging for organizations to keep up with the ever-changing and overlapping requirements without help. Because an MSP shares some of the liability with those that they serve, compliance is a top priority for them to attract and retain clients. Whether it’s PCI, HIPAA, GDPR, or FISMA, working with an MSP helps organizations stay on top of changes and ensure they remain compliant.
In our article “Digital Risk Assessments in the Era of Compliance”, we discuss the importance of going beyond compliance and accounting for day-to-day risks and security procedures.
4. Cost Effectiveness
Working with an MSP is not necessarily cheap. Still, there is no question that it is far more cost-effective than hiring internal teams and implementing and maintaining a full security tech stack internally. The Security and Compliance Survey conducted by Foushée Group looked at the compensation of different security professionals in 2017 compared to 2022. The average total compensation for a single top global security executive, such as a Chief Security Officer, was $489,966 in 2022 – a 10.4% increase from 2017. When you layer in multiple security professionals and the cost of a security tech stack – it’s clear that funding an internal security program is not realistic for many organizations. MSPs can provide an entire team of skilled professionals and a complete tech stack by distributing their costs across several clients for a flat monthly or annual fee.
Drawbacks of Managed Security Services
1. Potential Data Leakage
One thing that holds some organizations back from outsourcing their security functions is the risk of giving an external party privileged access to their sensitive data and internal infrastructure. Threat actors know that compromising one MSP gives them access to several client networks, which places a target on MSPs and their clients. Organizations must consider this when evaluating MSPs and ensure that the MSP they select can clearly articulate how they reduce the additional risk they pose.
2. Less Business Context and Awareness
Another drawback to working with managed security services is that an outside provider will never know the ins and outs of your business as well as your internal people do. MSPs are good at knowing and understanding how their clients’ technology works but do not necessarily know the nuances of the business side of their clients. There must be good documentation, an extra communication layer, and a good relationship. Otherwise, it’s a foreigner trying to tell you things about your business and what to do without the proper context and awareness.
3. Less Control
Delegating an entire function of a business to a third party can be daunting. Keeping security in-house means everything is in the hands of the organization. From the staff to the servers and network – internal teams can control each detail, which many organizations prefer. Again, it all comes down to proper evaluation when finding an MSP that works best for the organization’s specific needs. A trustworthy MSP will create peace of mind and clearly articulate how they manage the responsibility and control they have been delegated.
Evaluating MSPs
To mitigate the risks that can arise when working with an MSP, organizations must have a thorough vetting process when evaluating which MSP to choose. Knowing the best questions to ask and what to probe can be complicated and will differ based on a number of factors – such as industry, risk appetite, and specific business requirements. A few places to start are using vendor assessment questionnaires or evaluating an MSP under each of the seven risk types. While most MSPs will likely not disclose all of this information, getting as much insight as you can into each of these categories can help tremendously.
Balancing the Risks and Rewards of Managed Security Services
More and more business leaders are coming to terms with the fact that security cannot be ignored. For many organizations, specifically small and medium-sized businesses, leveraging managed security services is the best option for working towards a stronger security posture. With proper evaluation, organizations can select an MSP that aligns with their risk appetite and business goals. Finding that alignment and developing a trusting relationship will be the key to having the rewards outweigh the risks.