
Is it worth using outsourced security services instead of in-house?

Outsourced security services are always an option for enterprises. Expert Mike O. Villegas outlines the pros and cons of using MSSPs instead of in-house security.

Outsourcing security services is a viable option, but it doesn't always make sense for an organization. What are the best and worst times to outsource to a managed security service provider?

Outsourcing security services to a managed security service provider (MSSP) is an alternative to managing information security functions internally. Organizations typically choose it when maintaining an adequate security capability with existing staff and budget has become economically impractical.

There are pros and cons to outsourcing security to third-party service providers. Let's look at these more closely.

Pros of outsourced security services

  • MSSPs have dedicated employees whose job it is to keep current on vulnerabilities and remediation techniques.
  • The organization does not have to spend time and money on training information security staff in niche areas such as network vulnerabilities, web application vulnerabilities, firewall configuration management, intrusion prevention system and intrusion detection system configuration management, computer forensics, penetration testing and other security operation center duties.
  • MSSPs typically provide 24/7 year-round information security monitoring.
  • The organization can focus on information security administration, such as user provisioning, password resets, role-based access control fulfilments, cybersecurity management reporting, security awareness, compliance reporting, and information security policy development and maintenance.
  • Critical security patches will most likely stay current, provided this service is built into the MSSP service contract.

Cons of outsourced security services

  • Organizations will almost certainly lose most of their highly skilled, in-house cybersecurity staff.
  • Service quality may suffer unless quality requirements are written into the MSSP contract and backed by associated service-level agreements.
  • The cost of a breach at the MSSP site may be substantial. This can be mitigated if the MSSP contract also requires the service provider to carry sufficient cybersecurity insurance.
  • The MSSP typically decides the software and equipment used to deliver cybersecurity services to the organization. These may not be in line with the organization's IT standards and approved software and hardware environments.
  • If the organization decides to terminate the MSSP service and bring security back in-house, the cost of rebuilding the cybersecurity staff and acquiring tools, such as security information and event management, firewall management, and web application and network vulnerability testing, can be substantial, and the process can be time-consuming.
  • MSSPs, to keep operating costs down, may staff their operations with foreign workers, which some customers, partners or stakeholders may perceive as un-American or otherwise problematic.
  • MSSPs do not start out knowing the organization's business culture or its mission-critical IT environments, so they may not recognize what is normal for the business or which systems matter most.
  • Organizations may be concerned about confidential or sensitive corporate data being exposed to third parties at an MSSP.

For decades, organizations have painted themselves into a corner by not addressing cybersecurity. However, according to Gartner, $81.6 billion was spent on security technology in 2016, and despite this increase in cybersecurity budgets, breaches and other disruptive security incidents continue to rise. In response, organizations are increasingly inclined to outsource and to buy more cybersecurity insurance.

Before engaging an outsourced security service, ensure the MSSP contract spells out pragmatic service-level agreements covering scope, continuous monitoring, timely response, coverage and predefined reporting. Ask for references and for proof of independent assessments of the MSSP's own IT environment, such as an SSAE 16 attestation report, and of compliance with frameworks such as the Payment Card Industry Data Security Standard, NIST SP 800-53 and NIST SP 800-171 Rev. 1.
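Contract terms on timely response and continuous monitoring are only useful if the organization can check them independently of the provider's own reporting. The following is an added example, not code from the original article or from any MSSP, of how an organization could score an MSSP's tickets against response SLAs and look for gaps in its monitoring heartbeat using the organization's own records. The SLA thresholds, the ticket fields, the heartbeat interval and every timestamp below are constructed for illustration and are not taken from any real contract.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical SLA terms in minutes per severity. Real values come from the
# MSSP contract; these are placeholders for the example.
SLA_MINUTES: Dict[str, Dict[str, int]] = {
    "critical": {"ack": 15, "respond": 60},
    "high": {"ack": 30, "respond": 240},
    "medium": {"ack": 240, "respond": 1440},
}


@dataclass
class Ticket:
    ticket_id: str
    severity: str
    detected: datetime                # alert time from the organization's own sensor/SIEM
    acknowledged: Optional[datetime]  # when an MSSP analyst picked it up (None if not yet)
    responded: Optional[datetime]     # when the MSSP delivered its initial response (None if not yet)


def ts(s: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp such as '2017-04-10T02:00:00'."""
    return datetime.fromisoformat(s)


def evaluate_ticket(t: Ticket, now: datetime, sla=SLA_MINUTES) -> Dict[str, object]:
    """SLA verdict for one ticket. Open tickets are measured against 'now', so a
    ticket still unworked past its deadline counts as a breach instead of
    silently dropping out of the statistics."""
    terms = sla[t.severity]
    ack_deadline = t.detected + timedelta(minutes=terms["ack"])
    respond_deadline = t.detected + timedelta(minutes=terms["respond"])
    ack_at = t.acknowledged or now
    respond_at = t.responded or now
    return {
        "ticket_id": t.ticket_id,
        "severity": t.severity,
        "ack_breach": ack_at > ack_deadline,
        "respond_breach": respond_at > respond_deadline,
        "open": t.responded is None,
    }


def sla_report(tickets: List[Ticket], now: datetime, sla=SLA_MINUTES) -> Dict[str, object]:
    """Aggregate breach counts per severity and list the breached ticket IDs."""
    per_severity: Dict[str, Dict[str, int]] = {}
    breached: List[str] = []
    for t in tickets:
        v = evaluate_ticket(t, now, sla)
        row = per_severity.setdefault(
            t.severity, {"tickets": 0, "ack_breaches": 0, "respond_breaches": 0})
        row["tickets"] += 1
        row["ack_breaches"] += int(v["ack_breach"])
        row["respond_breaches"] += int(v["respond_breach"])
        if v["ack_breach"] or v["respond_breach"]:
            breached.append(t.ticket_id)
    return {"per_severity": per_severity, "breached": breached}


def monitoring_gaps(heartbeats: List[datetime], max_gap_minutes: int) -> List[Tuple[datetime, datetime, float]]:
    """Find periods where the MSSP's heartbeat or status feed was silent for
    longer than the contracted interval: evidence against a '24/7 monitoring' claim."""
    limit = timedelta(minutes=max_gap_minutes)
    ordered = sorted(heartbeats)
    gaps = []
    for earlier, later in zip(ordered, ordered[1:]):
        if later - earlier > limit:
            gaps.append((earlier, later, (later - earlier).total_seconds() / 60))
    return gaps


# Constructed sample data: four tickets and a short run of heartbeat timestamps.
SAMPLE_TICKETS = [
    Ticket("T-1001", "critical", ts("2017-04-10T02:00:00"), ts("2017-04-10T02:10:00"), ts("2017-04-10T02:45:00")),
    Ticket("T-1002", "critical", ts("2017-04-10T03:00:00"), ts("2017-04-10T03:30:00"), ts("2017-04-10T03:50:00")),
    Ticket("T-1003", "high",     ts("2017-04-10T09:00:00"), ts("2017-04-10T09:20:00"), None),
    Ticket("T-1004", "medium",   ts("2017-04-10T10:00:00"), ts("2017-04-10T10:05:00"), ts("2017-04-10T11:00:00")),
]
SAMPLE_NOW = ts("2017-04-10T14:00:00")
SAMPLE_HEARTBEATS = [ts("2017-04-10T00:00:00"), ts("2017-04-10T00:05:00"), ts("2017-04-10T00:10:00"),
                     ts("2017-04-10T00:40:00"), ts("2017-04-10T00:45:00")]

if __name__ == "__main__":
    report = sla_report(SAMPLE_TICKETS, SAMPLE_NOW)
    for sev, row in report["per_severity"].items():
        print(f"{sev:9s} tickets={row['tickets']} ack_breaches={row['ack_breaches']} "
              f"respond_breaches={row['respond_breaches']}")
    print("breached:", report["breached"])
    for start, end, minutes in monitoring_gaps(SAMPLE_HEARTBEATS, max_gap_minutes=10):
        print(f"monitoring gap {start:%H:%M}-{end:%H:%M} ({minutes:.0f} min)")
```

Two design choices matter here. The clock starts at the organization's own detection timestamp, not at the time the MSSP opened its ticket, so delays in the provider's intake are counted. And open tickets are scored against the current time, so an alert nobody has worked cannot improve the numbers by being left unclosed.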

Cybersecurity insurance is generally a compensation strategy that protects partner and stakeholder interests. In practice, it is damage insurance: it pays out after a breach, fraud or major disruption of the organization's ability to operate.

Using an MSSP or buying more cybersecurity insurance augments an organization's security capability and helps manage the consequences of an incident, but neither necessarily reduces the underlying risk, and neither transfers the organization's liability.


This was last published in April 2017
