When firewalls emerged to protect networks in the early 1990s, outsourcing cyber security to a Managed Security Service Provider (MSSP) wasn’t even a consideration.
However, defending your network from sophisticated cyber attackers today requires a laundry list of appliances and applications, including DDoS protection, intrusion prevention systems (IPS), web application firewalls, data loss prevention, security information and event management (SIEM), deep packet inspection, Wireshark, network analyzers, and more.
With so many requirements just from an appliance perspective, it’s easy for companies to become overwhelmed by their growing cyber security budget. Like many other aspects of your business, outsourcing security might make sense now—but do your research before deciding.
Before diving into the world of MSSPs, check out these pros and cons to see if outsourcing security is right for you.
Cost Savings and Security Expertise Top the List of MSSP Advantages
If you’re already outsourcing functions such as customer support, web design, or manufacturing, the advantages of outsourcing security might seem familiar to you. These are some of the key benefits to having a managed provider take care of your cyber security needs:
- Cost Savings: Because MSSP costs for analysts, security appliances/applications and facilities are distributed across their entire customer base, you end up paying a reasonable fee. An MSSP can provide you with an entire team of security experts working to protect your network, at a fraction of the cost it would take to build your own team. For example, you might have to pay an annual fee of $75,000 for access to an MSSP’s protection—which pales in comparison to in-house costs. You might pay $75,000 for the necessary cyber security equipment and software and then pay 3 IT security specialists an additional $75,000 each per year (plus benefits). It’s no surprise that cost savings are an attractive benefit of outsourcing.
- Security Expertise: We recently wrote about the network security skills shortage that is plaguing the business world. It’s hard enough to find IT security professionals for an in-house team, let alone pay for them. With an MSSP, you have a dedicated team of security specialists to ensure your network is as protected as possible. These professionals are also able to keep up with the latest security trends in ways that many in-house teams can’t due to other responsibilities.
- All-Encompassing Customer Support: MSSPs generally provide real-time cyber security reporting 24 hours a day, 7 days a week, 365 days a year. This is critical for companies because the timing of a cyber attack is almost impossible to predict. You can set a service level agreement (SLA) for your exact needs and have the legal backing to have it guaranteed, giving you peace of mind regarding network protection.
- Compliance Management: In highly regulated industries, cyber security plans that ensure your company adheres to a specific regulatory measure can be difficult to implement. Regulations such as PCI, HIPAA, GDPR, FISMA, and others are constantly changing. If your security plans don’t change with them, you’ll soon find yourself out of compliance. Your MSSP, on the other hand, is an expert in risk management and compliance programs. They will stay on top of changes in the industry, ensuring your company meets industry regulations.
While these advantages can be enough to push companies of all sizes to outsource their security, there are still disadvantages to keep in mind.
MSSP Disadvantages Boil Down to Increased Risk
Before diving into the risks associated with hiring an MSSP, it’s important to understand that MSSPs do not completely eliminate your security costs—for example, you’ll still need an in-house CISO or similar security team member for the MSSP to report to and coordinate with. MSSPs offer security expertise, but they are meant to supplement your own security team, not replace it.
One disadvantage that keeps companies from outsourcing their security functions is the risk of letting someone else take care of their sensitive data. For many companies, allowing outsiders to handle customers’ personally identifiable information (PII) is totally unacceptable. This is why a detailed SLA is essential to an MSSP relationship—so that confidentiality can be maintained and you are protected legally in the case of a data breach.
At least when security is in-house, you can take it on yourself to guarantee customer data protection, which leads to another risk-related MSSP disadvantage—a lack of control. We mentioned the standard security appliances and applications any defense strategy needs, but with an MSSP you don’t have control over the actual cyber security portfolio. While MSSPs are hired for their security expertise, it can still be a daunting task to relinquish all defense responsibilities to an external provider.
To mitigate these disadvantages, do your research before choosing whom to outsource to. There are plenty of service providers and each one will approach your network slightly differently—make sure you take the time to ensure SLAs will meet your needs and that you can trust the provider with your sensitive data.
Check Your MSSP’s Toolbox
One last thing to remember when choosing your MSSP is that an MSSP might have all of the necessary appliances and applications for security and network monitoring, but without the guaranteed visibility from a network TAP, there’s no way to ensure these solutions are effective.
Ask prospective MSSPs how they handle NGFW/IPS updates, maintenance and troubleshooting. Only a network TAP will allow for continued network monitoring while performing these tasks.