Does Your Company Really Need an MSSP?

What enterprises may be missing when they outsource their cybersecurity

Share this page
Cybersecurity Jobs

Cybersecurity’s job shortage has been well-documented. As threats grow more frequent and sophisticated, there doesn’t seem to be enough skilled talent out there to protect enterprises.

As a possible solution, companies have been entertaining the idea of hiring an MSSP. These Managed Security Service Providers are outsourced experts who can fill those holes. (Last year, Gartner reported that consulting and IT outsourcing made up the largest areas of security spending.) But in industries where third-party workers have been proven to dramatically weaken security postures, is embracing contracted “new collar” help a good idea?

Here are three questions to consider:

Can You Trust an MSSP?
This is the most important assessment a company can make before hiring an MSSP. Inside threats take on many forms, including the malicious or negligent behavior of contractors. Companies must, in kind, vet both the people working on their account, as well as an MSSP’s larger vulnerabilities. Even with partial access to your networks—by co-sourcing security between contractors and a company’s in-house talent—credentials can escalate in the wrong hands. Enterprises may have to determine which has the greater threat potential: an ill-prepared security-operations center or a third-party with server access.

Does the MSSP Make Budgetary Sense?
The omnipresence of SIEM system has created a wealth of expensive and/or unfillable positions. Companies need employees with specific skills to install, operate, and recalibrate SIEM platforms. They also require extra labor to sort through false positives, in the chance one of them turns out to be a legitimate threat. Outsourcing can theoretically save money, but internal IT staff must still monitor MSSP teams and react to threats. In contrast, automated analytics would accelerate that threat detection (when equipped with machine-learning), while simplifying it: These solutions are much easier to deploy (and even integrate SIEM investments), eliminate false alarms, and do not require expensive rule-setting.

How Can an MSSP Investment Help Risk Management?
This is a major consideration. We now know that the most successful security works within a corporate ecosystem. It is challenging to fit MSSPs into this infrastructure, because they are not accountable for much more than the task before them. In the most impactful scenario, the security group (everyone from IT worker to architect to CISO) proactively facilitates collaboration between SecOps and the HR, legal, and executive departments. They do this through full visibility into the enterprise. In this enlightened scenario, minimizing risk is just as, if not more, important as stopping a theft in action. That’s where a data-hungry security platform that streamlines operations can be far more useful than a hired gun. With it, security teams gain nuanced understandings of how an enterprise’s threat-detection investment works. Because in the end, they’re not just responsible for compliance, customer, stockholder, and board-member demands—they’re also pivotal to healthy company growth.

Share this page