MSSP or In-House? How To Weigh Your Cybersecurity Options

Key Takeaways

The threat landscape is getting complex and costly, and enterprises have to weigh whether to outsource security operations or keep them in-house.
MSSPs offer a lot of benefits, but there are challenges, and many organizations don't want to give up control of their data or their security.
Keeping operations in-house comes with challenges, particularly finding the right people when there don't seem to be many.
Outsourcing the talent search and recruitment—rather than the entire security apparatus—to placement firms may be the right step.

Listen: MSSP or in-house? How to weigh your cybersecurity options.

Enterprises in the modern business world are beset on multiple sides by mounting cybersecurity challenges. In today’s highlighted distributed IT environment, their applications and data are being run and stored not only in their on-premises data centers but also in the cloud and out at the edge, making traditional perimeter defenses moot and vastly increasing the attack surface.

Meanwhile, cybercriminals are launching more and more sophisticated attacks, from ransomware and phishing to identity theft, denial-of-service (DoS), and spoofing. More recently, the rising adoption of cybercrime-as-a-service and generative AI has not only made it easier and faster for hackers to run their campaigns but also lowered the bar for less-skilled bad actors to launch complex attacks.

In the background of all of this is the global shortage of skilled cybersecurity pros, with the Boston Consultancy Group saying that 28% of open security jobs go unfilled, an ongoing issue at a time when organizations spend $200 billion on cybersecurity products and services every year. The ICS2 found that there are about 5.5 million people in the global cybersecurity workforce, but 4.8 million more are needed.

MSSPs to the rescue?

Given all these challenges, it’s not surprising that companies are outsourcing more of their cybersecurity operations to managed security services providers (MSSPs) or managed services providers (MSPs) that offer security capabilities, relying on them to monitor, manage, and respond to security threats on their behalf rather than on costly in-house teams. The worldwide managed security services market is expected to grow from $24.68 billion last year to $28.15 billion by 2029.

And no doubt, there are good reasons to hook up with an MSSP. They have a professional cybersecurity staff offering around-the-clock monitoring and response, resources dedicated to monitoring threats from the outside. and a company’s security posture for keeping them out; they can pull in and integrate the necessary resources, and they can get up to date on the latest threats.

Then there is the ongoing challenge of attracting talent that you may need but that an MSSP may already have.

MSSPs come with challenges

While the MSSP approach may seem straightforward and convenient, it is not without its complexities. There are as many reasons to keep security operations in-house as there are for outsourcing them. Weighing the pros and cons is critically important for any enterprise.

Not all MSSPs are created equal: They may not have the same levels of industry expertise, threat intelligence capabilities, incident response capabilities, customization tools, or technology stacks. MSSP “A” may be the right one for you, but given the stakes, if you pick “B,” you could be in trouble.
Control and responsibilities: You give up a lot of control when signing on with an MSSP, from the tools they use to the decisions they make. However, the ultimate responsibility for protecting data, employees, customers, infrastructure, and everything else remains with you. They have access to what you have on-premises, in the cloud, and at the edge. As they go, you go.
Data: In today's modern IT environment, data is the coin of the realm. Businesses are built around it and bad actors want to get ahold of it. With an MSSP, you're trusting a third party with highly sensitive personal, corporate, and targeted data and hoping they can protect it. In addition, as more data privacy and security regulations are enacted, issues like compliance and data sovereignty become even more important.
Costs: There may be some cost savings, but you don't get to sign up for an MSSP and forget about it. You need people in-house—like a CISO or other security pros—to keep an eye on things and ensure that the MSSP can and is protecting your entire IT environment.

Placement firms for finding talent

Then there are people: finding them, recruiting them, and putting them in place. With a global talent gap in the millions, this is no easy feat. But it’s doable, and if the decision is to keep security in-house, there are paths to follow. An important step to consider is using a placement service to find those needles in the haystack for you.

The good news is there are dozens out there, and there are advantages to using them:

Expertise: Placement firms will have recruiters with specialized knowledge of what talent is needed for a cybersecurity position, and trends in the industry, enabling them to better assess candidate skills and experience for your needs.

Networks: These recruiters are plugged into the industry and each other and have extensive databases of the cybersecurity talent on the market, even of so-called “passive candidates” who may not be actively searching for a new job.

Saving time: Finding the right candidate for any position can be an arduous task. Doing so in an industry like cybersecurity, where seemingly everyone is out there picking up rocks, hoping to find the right prospect, is even more difficult. A placement firm can do the work for you and have you back to doing what you do best.

Targeted searches: The placement firm knows you and what you are looking for and can narrow down the choice of candidates to those who fill those specific needs.

Understanding your needs: Maybe you don’t need a full-time cybersecurity expert. Maybe a part-time employee or temporary worker will work. A placement will work with what you need and pair it with the right talent.

In today’s increasingly complex and rapidly evolving cybersecurity landscape, complete with more sophisticated attacks, a widely distributed IT environment, and new technologies like AI, making the right decision on security is paramount for a company. Some may choose to outsource the challenge and hope for the best.

However, you may want to retain control over sensitive data to ensure it’s protected and complies with regulations, so keeping everything in-house is the way to go. If so, placement firms have the industry and workforce knowledge and reach that can ease the struggles of finding talent at a time when it’s a rare commodity.

Consulting & Operations (42)

Technology (27)

About the authors

Brian is a results-driven business executive with a proven track record of over 20 years, specializing in marketing operational excellence within the Technology, Media, and Entertainment industries. He leads a team that collaborates with top-tier brands, driving growth and streamlining marketing operations for increased efficiency and profitability. A trusted advisor to his clients, Brian provides strategic guidance on navigating the complexities of the modern marketing world. His commitment to excellence is evident in his academic achievements: Bachelor of Arts in Communication from the University of Colorado and is a Certified Contingent Workforce Professional. He currently serves as a program advisor for the Strategic AI program at the University of Colorado Colorado Springs.

Jeffrey Burt has been a journalist for more than three dozen years and has written about the IT industry since 2000, covering a broad array of technologies that range from data center infrastructure and cloud computing to AI, cybersecurity, quantum computing, and developer tools. He's written for such news sites as eWEEK, The Next Platform, The New Stack, SecurityBoulevard, and Techstrong.ai.