When it comes to weighing up the costs of securing your business, it is important to understand the tradeoffs between an in-house solution and MSSPs. As the information security domain becomes strategically important for organizations of any size and increasingly complex for organizations in any industry, a business's strategic decisions are increasingly driven by the need to secure its intellectual property and protect its IT infrastructure from ever-evolving cybersecurity threats. Securing customer records, protecting confidential financial information and complying with regulatory, legal and compliance requirements can place enormous stress on IT decision-makers and their resources. For a long time, many organisations have been outsourcing critical elements of their IT to managed service providers, but increasingly businesses have begun to proactively outsource their security functions to specialized information security service providers, to the point that it is now common to evaluate the benefits of outsourcing elements of security and compare them to managing these security processes internally. I wrote this article to help business leaders understand how best to think about Managed Security Service Providers (MSSPs) in the context of TCO (total cost of ownership), a subject that is near and dear to the hearts of technical and non-technical business leaders alike.
In-house or Outsource?

The key to evaluating MSSPs in the context of TCO is to understand the concept of Core vs Context, an important distinction that separates the activities of a business into two clear and logical categories. Simply put, the activities in your business which create differentiation from your customers' point of view fall into the core category; everything else that your business does operationally in order to stay in business falls into the context category. Businesses use this distinction to help them make outsourcing decisions: typically the core activities that contribute to competitive advantage should be handled internally, while the context activities which provide operational support should be outsourced. Businesses do this in order to focus on what is most important to the business (differentiating against their competition in order to increase their profit margins) while outsourcing the mundane operational aspects of their business (which do not really help them differentiate) to managed service providers, lowering their costs in the process. At the heart of these decisions are financial considerations and basic questions like “does it cost more to manage these activities internally than it would cost to outsource them to a trusted services provider?”. As information security has increased in complexity over time (requiring experienced cybersecurity managers), and against the backdrop of ever-tighter budgetary pressures, many businesses ask these questions in order to work out the best financial solution for managing their IT and cybersecurity. Increasingly, this kind of TCO analysis pushes businesses towards the benefits of using an experienced and trusted managed security service provider to manage their cybersecurity for them. Evaluating the outsourcing of activities using the core versus context approach is not a new concept, but what is new is the basis for that evaluation.
A decade ago, in-house versus outsourcing decision-making was driven by a need to move the ever-increasing costs of information technology and personnel off the company's books, converting them from a capital expenditure to an item of operational expenditure, but now the focus is on delivering IT services like cybersecurity in an expert but cost-effective way.
This shift towards outsourcing critical cybersecurity functions is part of many organisations' information security strategy, a strategy driven by the need to deliver cybersecurity services more cost-effectively, to give your business access to specialized and expert professionals who would otherwise cost you a small fortune to employ, to meet operational needs such as 24/7 cybersecurity monitoring and, of course, to make your costs more predictable than unpredictable in-house costs. While evaluating the financial benefits of using a service provider to manage your cybersecurity functions, decision-makers must understand not just the direct costs but also the indirect costs of managing those security tasks. While working out the direct costs of managing your cybersecurity can be straightforward, working out the indirect costs can sometimes be a difficult task; nevertheless, indirect costs must form an important part of the evaluation process in order to make an accurate comparison against in-house solutions. Business leaders need to understand the full cost of their cybersecurity operations, and this is where many TCO analysis exercises fall short. The only effective way to run an accurate TCO analysis is for a business to comprehensively work out its true costs: it is not just about being able to say “the cost of securing our business is X”, but also about putting that into business terms and understanding the price per email scanned, or the cost of securing each customer transaction.
The Cost Of Cybersecurity

Working out the ongoing costs of cybersecurity is a lot harder than it used to be, because cybersecurity is embedded into business operations and threaded throughout your IT infrastructure, making it much more difficult to properly calculate the TCO. A balanced TCO analysis of cybersecurity operations should include the following:
Employee Costs - Recent research indicates that up to 40% of businesses are not satisfied with the investments they have made in their cybersecurity technologies because they do not employ enough specialized employees to effectively leverage them. For your average enterprise-class business, cybersecurity management and monitoring alone requires a minimum of five full-time cybersecurity engineers and analysts, and that equates to approximately $500,000 in direct salary costs (based on the average base salary of a security administrator). Then you have to take into account the incremental costs such as training, office space, taxes and benefits, which typically add an additional 50% to the salary costs. Then you must consider that the average turnover of IT staff (including IT security) is 18 months, forcing you to take into account the cost of hiring and then training new people to replace them. Many businesses migrate their cybersecurity activities to an MSSP in order to avoid these costs over the long term.
Infrastructure Costs - Your business will probably always need IT infrastructure in the form of security hardware, servers and storage, but by leveraging an MSSP you can mitigate these costs over the long term. No longer will your business be exposed to the cost of acquiring, deploying and managing security monitoring and management infrastructure, because typically your MSSP will already be making these investments on behalf of their customers and already be leveraging the newest security technologies. A good MSSP will also have worked out how to integrate these technologies with other, often incompatible, technologies across a range of different software and hardware platforms. They will also have made significant investments in their own management environments and built cybersecurity operations centres (CSOCs) to support their operations, so that their customers do not have to make those investments.
Compliance Costs - One of the biggest advantages of working with an MSSP is that it can dramatically reduce both the time and effort required to comply with regulatory requirements, because regulatory authorities take the MSSP's regulatory processes and controls into account during an audit. You can think of an MSSP as a cost-effective way to deliver the compliance controls that are required by the security regulations which govern your business; typically your MSSP will be ahead of these requirements, able to provide knowledge and guidance that goes far beyond the knowledge and experience possessed by your own employees. By leveraging an MSSP in this way and consuming the services that the MSSP delivers, a business can quickly and easily bring itself into compliance with regulations.
Incident Costs - When businesses think about cyberattacks, it is best practice to plan for the attack that will inevitably come one day, if it has not already: it is a question of when they will be attacked rather than if. Forward-thinking businesses accept that they will be compromised at some point and plan for this worst-case scenario; over and above the primary goal of defending their perimeter from an attack, the main focus of their cybersecurity efforts is their ability to respond to attacks when they occur. The problem with maintaining this posture, though, is that it requires significant and continuous investment in people with a variety of skill sets and certifications, just so that your business can keep up with the constantly changing cybersecurity landscape. Because MSSPs work with a variety of customers, they will already employ these people and have extensive experience responding to and remediating cybersecurity incidents.
The Advantages of Using An MSSP

The primary advantages of using an MSSP are cost and capabilities. MSSPs provide cybersecurity services at a lower cost than you could deliver them yourself internally, while dramatically increasing your capabilities with experienced and expert personnel.
Costs - When you compare the complete costs of managing your own cybersecurity internally against the predictable, and often monthly, fees that an MSSP would charge you, the comparison looks good on paper, with MSSP fees typically showing a clear cost-saving. In some cases, depending on your internal ability to manage your own cybersecurity, an MSSP offers significant cost savings when compared to building your own capability internally. The key to unlocking this value from an MSSP relationship lies in the MSSP's ability to deliver the services you need at a demonstrably lower cost than if you delivered those same services yourself. The benefits of using an MSSP can be substantial, both in terms of actual dollars saved and by allowing internal staff to focus on activities that are closer to a company's core competency. Because MSSP costs are subscription-based, they don't impact your capital budget, and managers find it easier to get approval for operating expenses (OPEX) than for capital expenses (CAPEX).
Capabilities - Beyond cost savings, the primary advantage of using an MSSP is to close the capability gap within your organisation: instead of acquiring the capability you need, you simply hire an MSSP who already has the capability in place. Because of their experience and varied customer base, an MSSP will be hugely capable of handling the ‘everyday’ cybersecurity mission of protecting your networks and infrastructure from criminals, staying on top of your firewall, handling intrusion detection and protection and a hundred other things that together make up your cybersecurity posture. If your business needs 24/7 monitoring and coverage, it makes much more sense to hire an MSSP to deliver the capability than it does to hire the people you need to deliver the same level of capability internally. An MSSP allows you to leverage the collective experience and expertise of their own workforce, which will typically hold a wide range of different specialist skillsets and cybersecurity certifications, and they will also invest heavily in the ongoing training of those people. MSSP specialists are in a much stronger position to manage your cybersecurity than the in-house staff that businesses employ.
Advantage Conclusions - With IT budgets at most businesses under pressure to deliver more with less, and as businesses seek to maximize the value of their security investments, many organisations are moving towards a managed services model in order to deliver a range of cybersecurity functions. When the relationship with an MSSP is managed properly, IT organizations benefit from having best-of-breed capabilities available to them on a “rental” basis instead of having to beg their CFO or other senior executives for additional staff, only to risk having it downsized in difficult business cycles. That kind of financial flexibility is extremely attractive in any economic climate.