Obvious and Not-So-Obvious Questions to Ask When Considering an MSSP

Deciding whether to outsource cybersecurity to a managed security service provider (MSSP) is one of those questions that seems simple enough at first glance. But the deeper you dive into it, the more complex it becomes to decide whether using an MSSP is the best fit from both a technical and financial perspective.

I can't tell you whether hiring an MSSP is the right decision for your business, of course, because it depends on many variables specific to each organization. But as a cybersecurity executive who has both worked extensively with MSSPs and overseen cybersecurity operations entirely in-house, I can offer some guidance on what to think about — and, especially, which factors businesses often overlook when considering the "to MSSP or not to MSSP" question.

What and Why of MSSPs

Managed security service providers are companies that specialize in providing outsourced cybersecurity services to other businesses. MSSPs are a type of managed service provider (MSP), companies which offer outsourced IT services.

Typically, businesses that choose to work with MSSPs do so either because they lack the resources to manage security effectively on their own, or they believe an MSSP can provide the security services they need at a lower total cost. In some cases, MSSPs also can deliver specialized types of expertise (such as the ability to manage the unique security challenges associated with deploying AI services, for instance) that are harder to address with in-house staff.

It's worth noting that MSSPs aren't an all-or-nothing type of solution. It's possible to use an MSSP to cover some security requirements, while relying on your own employees to manage others. For instance, a business might outsource security monitoring to an MSSP but use in-house staff to respond to incidents the MSSP flags.

Basic Questions to Ask When Evaluating MSSPs

When businesses consider working with MSSPs, they typically begin by asking some obvious questions, such as:

These are the first questions you'll want to ask about an MSSP because the answers could be deal-breakers. For example, if an MSSP can't beat the security incident response times of your own staff, that would be a major reason not to hire an MSSP.

The Not-So-Obvious Questions When Considering Using An MSSP

But don't stop with those questions. There are additional critical factors to weigh before committing to an MSSP — and these are the ones that businesses often overlook.

If your security needs are basic, you can hire mostly tier 1 engineers, who are less experienced and expect less compensation. In that case, there's a higher chance that in-house cybersecurity will prove to be more cost-effective. But for highly complex cybersecurity requirements, you'd need to hire tier 3 engineers, and outsourcing to an MSSP who can deliver the same complex services may be more cost-effective.

There are two basic approaches to doing this. One is to hire enough engineers that you always have sufficient staff on the clock to handle all aspects of your operations. This is more expensive because you need a larger overall staff. You might find that an MSSP is more cost-effective because they can cover 24/7 scheduling for you, regardless of your internal headcount.

The other approach is to hire a smaller crew, but require every staff member to sign up for on-call hours — meaning time when they are not otherwise working, but are expected to be ready to respond to a security event. This costs less money in salary, but most engineers don't enjoy being on-call, so requiring them to do so on a regular basis may place more stress on your team. You may also find it more challenging to retain skilled employees. Viewed from this perspective, an MSSP can also offer value because it allows you to meet 24/7 scheduling needs without hampering team morale.

By hiring an MSSP, you outsource the risk of burnout to an external firm, which guarantees a level of service availability to you without requiring you to manage staff morale.

A Complicated Question

There are clear financial and technical advantages to working with MSSPs, as well as clear drawbacks. I've used both approaches at different companies, and it would be a mistake to say that one is always better than the other.

What matters most is ensuring you're asking yourself all the right questions when evaluating whether an MSSP is right for your business. Don't think just about considerations such as how much the MSSP charges or which SLAs it offers. Think, too, about deeper, more complex factors, like the company's on-call scheduling needs and staff burnout concerns.