Yitzhak (Itzik) Vager, vice president of cyber product management and business development at Verint Systems, said selecting managed security services versus in-house security is a matter of strategy before tactics. Management needs to decide whether it is better to invest in the in-house personnel and tools required to reinforce organizational security and ensure complete control over protection processes, or to invest the same dollars in a company whose sole focus is security, but who will not have the same focus on the business itself. “When investing the money in an MSSP, it is important that the MSSP will understand the business risk associated with specific assets within the organization to better prioritize their work.”
Amir Jerbi, CTO of container security company Aqua Security, said MSSPs are at a level of maturity that is often as good as or better than in-house security. The decision of whether to outsource some or all security to an MSSP should be based on several factors, including the level and skills of your own security staff (and whether you can maintain a high enough skill set), the sensitivity and compliance requirements of your systems and data, how strategic security is to your business (e.g., do you consider it to be a core competency), and of course costs.
“As a rule of thumb, large enterprises in regulated industries have a large enough and skilled enough in-house team and prefer to manage all aspects of security in-house. As you go down the midmarket and into SMB territory, it becomes a lot more sensible to use an MSSP for all or most of your security needs,” Jerbi said. “One thing to keep in mind when considering MSSPs is that their expertise is likely to focus on common, well-established areas, leaving emerging technologies such as containers in the hands of the user organizations themselves.”
Derek Brost, director of engineering at Bluelock, gave the pros and cons of both ways to attack security. He said for many companies, investing in procuring, developing, integrating, deploying, operating, and supporting security controls may not outweigh the total risk profile of their assets. For this type of organization, using managed security services is far more cost-effective; however, investing in enterprise risk management is still a required, ongoing expenditure. Organizations where in-house security might make sense likely have a robust risk management discipline and can forecast the loss potential effectively to demonstrate the value of bringing security activities in-house. This type of organization will have the maturity and discipline required to meet or exceed a managed security service value proposition with internal resources.
In Cisco’s annual security report, 21 percent of the survey respondents said they did not outsource any security services in 2014. In 2015, that number dropped to 12 percent. Fifty-three percent said they outsource services because doing so was more cost-efficient, while 49 percent said they outsource services to obtain unbiased insights.