If you feel like your IT team is overwhelmed and lacking time to really focus on your security needs, you are not alone.
In fact, most organizations feel this exact same way.
That’s why it is often necessary to outsource some of your security tasks.
Let’s talk about managed security as a service and why it might make sense for your organization.
Before we begin, let’s be totally clear:
What exactly is security as a service?
Managed security as a service is a service offering in which an organization such as a Managed Service Provider (MSP) or Managed Security Service Provider (MSSP) performs all or some of a business's security responsibilities. This can range from completely outsourced security to managing only certain tasks.
The blunt truth about the state of cybersecurity at most small and mid-sized businesses is this – it’s a mess.
Security is a completely different mindset and skill set than regular IT.
This means that for organizations where the IT team has to handle security, vulnerabilities go unnoticed.
What’s the solution?
Outsourcing some of your security tasks and responsibilities.
Most organizations are already outsourcing some of their business processes – cleaning, pest control, etc.
Managed security as a service is the answer for cybersecurity.
Types of managed security as a service models
There is actually a wide spectrum of managed services that fall within the managed security as a service umbrella.
In short, you can outsource a single security process – like managing a firewall – or you can outsource your entire security program.
What is best for your organization will really depend on your team.
Let’s look at a few of the common managed security models.
Virtual Chief Information Security Officer (vCISO)
A Chief Information Security Officer (CISO) is an employee who oversees the security for an organization.
They are responsible for implementing the security goals of the organization.
Here’s the problem though:
CISOs are highly skilled and very expensive (the average salary is $240,000).
For smaller, lower risk organizations, the option to hire a virtual CISO exists.
The relationship can work a few ways.
Sometimes, the vCISO will be on site for a certain number of days a week.
In other cases, they are mostly remote and assist the company with security guidance and oversight.
They usually cost 30% to 40% of what an actual CISO costs.
Fully Managed Security Services
In this arrangement, the company providing the security services usually “owns” the entire security program.
It is still up to the client what security controls they want, of course.
They will pick what they want – firewall, endpoint protection, SIEM, etc. – and the providing company implements its own solutions.
The security company will have already picked out the particular firewall they are using, for example.
This model works well for smaller organizations or companies that can’t handle security internally.
Co-managed security services
For co-managed security services, a company can outsource certain components of their security program.
This could be managed firewall services or managed incident response.
These days, pretty much every part of a cybersecurity program can be outsourced.
Organizations that simply don’t have expertise in a certain area or have limited manpower can benefit from this model of managed security.
Whichever model you choose, there are risks.
IT and Security companies are increasingly becoming the targets of hackers.
Let’s look at how you can be sure you are choosing a good company for your managed security needs.
Why security as a service is a good investment
Cybersecurity is a constantly changing field.
Every day, new threats emerge and security teams have to keep current and constantly adapt their tools.
Outsourcing security tasks means that your internal team doesn’t have to worry about making time for these security tasks.
They can focus on improving business technology and processes.
Another thing that can seem prohibitive about security for many organizations is the cost.
As you probably know, security tools and solutions are not cheap, and the costs add up quickly.
For example, security monitoring tools like security information and event management (SIEM) solutions can very easily cost $25,000 or more a year.
And that’s only one component of a cybersecurity program.
Imagine trying to justify that cost to upper management.
When you use a managed security service for monitoring, on the other hand, you will likely end up paying much less.
The service provider is absorbing that cost and distributing it among all of their clients.
Note: Check out our guide on developing an SMB cybersecurity program for under $10k per year. You should note this does not include the cost of training.
Furthermore, tools and software aren’t the only cost associated with your security program.
Two other immediate costs to consider are employee salaries and training.
Trained security professionals have obviously spent many more years honing their skills than the average IT Support person.
Thus, they demand a higher paycheck.
Also, there’s training to take into consideration.
Security professionals require training so they can stay abreast of current attack methods and defenses.
If you’re trying to train up regular IT professionals, even more training is likely required.
Either way, training and salaries are another line item to add to your budget if you choose to forgo managed security as a service.
How to choose a good security service provider
If you keep up with IT or cybersecurity news at all, you are probably aware that hackers have hit MSPs pretty hard in the last couple of years.
For example, there was an MSP for dentists in Wisconsin that was compromised.
Over a hundred of their clients were then hit with ransomware.
So, it’s important that you choose wisely.
Here are a few things that you can look for in a prospective security service provider to ensure they actually are vested in your company.
First, the security company should strive to understand your business structure and processes.
It is impossible to build an effective security plan without understanding the inner workings of a business, what data and proprietary information it actually has, and how the loss of that data would affect it.
So, if a managed security provider comes in with a list of security controls your organization “needs” without ever taking the time to thoroughly understand your company, that’s a red flag.
Another sign of a good managed security service company is that it follows standard security frameworks.
Any organization can come up with their own list of “best practices” around cybersecurity.
The problem is that these lists often neglect or overlook certain risks.
That is why it is so important that every security program be based on proven methodologies for mitigating security risks.
You should know that these security frameworks are well vetted by security professionals and quite comprehensive.
So, when you are seeking to choose a managed security services provider, ask them this:
What security framework do you follow?
It doesn’t really matter which one they name – NIST, CIS20, ISO, etc. – what matters is that they are actually following one.
Cybersecurity is a highly skilled field.
It’s not quite like other paths in IT, where someone can simply figure it out as they go.
It can be expensive to find or train the talent to manage an effective security program for your company.
That is why managed security as a service can be so beneficial for many small and mid-sized organizations.
Whatever model you choose – fully managed, co-managed, vCISO – be sure that you are hiring a skilled organization that will protect your company.