He suggested having a mix of in-house personnel and an MSSP; the MSSP can cover the basics, while the in-house security team can focus on the more complex or nuanced issues that an MSSP doesn’t have sufficient background to understand. “Having the MSSP cover those basics also provides meaningful challenges for your team, thus reducing turnover and augmenting your security program organically with more skilled personnel.”
Companies might not want to use an MSSP if they already have vendor contracts in place and an in-house team that knows the ins and outs of their particular environment. “MSSPs are more one-size-fits-all, so you have to account for that when planning a migration to an MSSP. You also need to be cognizant that all your data will be going through an MSSP, so confidential agreements and concerns with proprietary or customer data need to be considered as well,” Hoyos said.
Neal Bradbury, senior director of business development, Intronis MSP Solutions by Barracuda, also offered the option of “as-a-service” that allows companies to pick and choose what they want implemented.
Stu Sjouwerman, CEO, KnowBe4, said one factor to consider is the complexity of your environment when determining whether to keep security in-house. Very complicated environments can be a challenge for MSSPs, especially if they have a high employee turnover rate; however, they may also have a more diverse skill set to tap into.
“It takes time to learn about complex environments, so you want to minimize repeated learning curves,” he said.
Another factor is a company’s geographic location. Is there a local talent pool for security professionals, or are they in short supply? If your organization’s salaries, benefits and perks are focused on lower-level positions, it could prove a challenge to retain a security individual who is being courted by other organizations, Sjouwerman said.
Advantages to in-house security are that you have a dedicated resource that will know the ins and outs of the environment better than most MSSPs because they are immersed in it daily. “You are free to leverage the in-house security resource for any number of projects or advice that you may not want to bring an outside organization into,” Sjouwerman said.
“Ultimately, you also need to research any MSSP or direct hire before you make a step either way. These people will be the guardians of your information and will likely have a lot of access to your customer data. A company or individual with a strong track record and proven trustworthiness are critical,” he added.