Security executives are increasingly seeking to outsource their enterprise security tasks, driven partly by the growing complexity of the work and the resulting challenges in keeping pace.
The rising use of managed security service providers (MSSPs) is significant. Global spending for managed security services will grow 8% annually and surpass $46 billion by 2025, according to a May 2020 report by MarketsandMarkets. The research firm attributed the growing use of MSSPs to the rising instances of security breaches, as well as the increasing number and greater sophistication of cyber attacks. The report also noted that the complexity of the modern enterprise IT environment -- more cloud services, remote work and IoT -- is also fueling the need for help from outsourced providers.
What can you outsource and what should you keep in-house?
When it comes to outsourcing cybersecurity, deciding whether to outsource some, most or all enterprise security tasks requires a high-level examination of an organization's risk profile, its tolerance for risk, and its current and future capacity to fulfill security requirements. Therefore, each organization must reach its own conclusions about what it should outsource and keep in-house.
A company that determines it can't do certain security tasks because its security function doesn't have the time, talent, ability or bandwidth to properly execute the job should opt for outsourcing cybersecurity, Forrester Research vice president and principal analyst Jeff Pollard said. Similarly, an organization whose security professionals don't want to handle certain tasks because they're focused on more critical, high-priority functions should outsource those low-priority tasks. And an organization that determines it has some security activities, such as evaluating insider threats, that should not be handled by its in-house team should likewise hire an MSSP for those responsibilities.
Few organizations outsource their entire security function, according to experts. "Most organizations are looking to create a hybrid: some outsourcing with some internal expertise in specific areas," Pollard said. Hybrid models typically have in-house security executives, managers and senior experts handling strategic tasks, while MSSPs perform lower-level tasks, like monitoring.
What are the benefits of outsourcing cybersecurity?
The benefits that MSSPs can deliver vary based on each individual scenario and how a company crafts the contract and service-level agreements (SLAs) it has with the provider. However, organizations typically see the following benefits when using an MSSP:
- Lower costs. Like most managed service providers, MSSPs bring economies of scale and are thus able to provide capabilities at a price lower than what an in-house security team would cost.
- Fixed or nearly fixed costs. Going to an MSSP can switch big chunks of the security budget from Capex to Opex, which can afford certain accounting advantages for the organization and create predictability in the budgeting process.
- 24/7 year-round coverage. Most organizations, particularly those in the small to midsize category, can't afford to build out a round-the-clock security operations center. But, because of their larger size, MSSPs can attract and afford the talent needed for nonstop operations.
- Reliability and sustainability. Due to their larger size, MSSPs can typically handle turnover more easily, whereas an organization with only an in-house security team "can get blindsided when one or two of their key people leave," said Alan Brill, senior managing director for cyber risk at Kroll, a corporate investigations and risk consulting firm.
- Quicker path to maturity. "You get to leapfrog forward a lot of capabilities by bringing in an organization that's already matured them," said Rick McElroy, principal security strategist at VMware Carbon Black.
- Threat detection and response. MSSPs can provide better insights into existing and emerging threats and how to detect and defend against them. "Service providers have larger data sets, so they should have better intelligence," McElroy said.
- More experience than a typical in-house team. "An external organization handles far more alerts and breaches than a typical in-house organization will, so their level of experience tends to be better," Brill explained. "And, because of that experience, an external organization in many cases can do a more nuanced job of turning an alert into an actionable recommendation."
- Broader experience. Providers work in different verticals and with companies of different sizes, giving them a breadth of experience that they can use to advise clients. "They generally have really good wisdom and guidance to help set a strategic vision," McElroy said.
- Continuity. According to a 2020 study by domain name registry firm Nominet, the average CISO tenure is just 26 months, so a multiyear contract with an MSSP can deliver stable services and continuity of operations even when senior leadership changes within an organization.
- Early warnings on emerging threats. "Many outsourcing companies have arrangements with major software vendors," Brill explained. "So, as zero days and other threats emerge, they're usually the ones who receive that information right upfront."
- Documented compliance with security standards. Cyber insurance providers, business partners and even customers are increasingly looking for proof that an organization has satisfied certain compliance requirements and has security standards in place. An MSSP "represents more of a known," Brill said, and can often confirm to those third parties that best practices are in place and being followed.
- In-depth knowledge of regulatory requirements. Because their experience spans many clients and industries, many MSSPs have thorough knowledge of the varying state, national and international regulations that apply. "That's the business of the right provider," said Tony Coulson, executive director of the Cybersecurity Center at Jack H. Brown College at California State University, San Bernardino.
- Earlier implementation of emerging technologies. Outsourced providers are more incentivized to pilot -- and can more readily afford -- new tools and technologies, including AI, that have the potential to deliver better results, reasoned technology risk expert Rahul Mahna, managing director of managed security services at accounting and advisory firm EisnerAmper.
- Better access to talent. "Oftentimes, enterprise service providers are more capable in being able to hire cybersecurity talent, and they have partnerships and can reach into colleges and universities," Coulson explained. "Considering the [skills] gap in needed cybersecurity workers, it might be the only way an organization can get needed talent."
- More specialized talent. MSSPs can also afford to keep more specialized talent on staff and spread that talent across multiple clients, none of which may have enough work on its own to justify the cost of such specialists in-house.
Potential drawbacks of outsourcing cybersecurity
Although hiring an MSSP can bring many benefits to an enterprise security function, experts cautioned that outsourcing cybersecurity tasks can have drawbacks, especially if company executives don't carefully consider what they're outsourcing and how they structure the MSSP contracts. Here are some potential drawbacks to outsourcing cybersecurity:
- insufficient understanding of the organization's unique needs and culture, which could greatly influence the risk tolerance, security requirements and user security needs;
- limited or no cost savings -- not what's typically expected with outsourcing;
- high rotation of workers if the outsourced provider makes frequent changes to contractor assignments; and
- overly generic approach to security and not enough customization to fit all the organization's unique needs.
Best practices for outsourcing cybersecurity
To maximize the benefits and minimize the drawbacks of contracting an MSSP, experts advised companies to do the following:
- Take a targeted approach to outsourcing cybersecurity by thoroughly evaluating security requirements and outsourcing only what the organization can't, doesn't want to and shouldn't perform in-house.
- Vet potential providers, and select the MSSPs with the experience and expertise that match the company's specific needs.
- Craft SLAs tailored to the organization's unique security requirements.
- Build in flexibility so the MSSP can scale up and scale down services to accommodate changing organizational needs.