Years ago it would have been unthinkable to give up control of securing your most valuable assets. But for some companies the risk of handing the security keys to a third party is less than the idea of facing the daily barrage of attacks.

When asked why a company would cede control, many vendors said it depends on the level of staffing that company has. If the expertise is lacking, why take the chance? Or if it is a small to midsize enterprise, maybe there is just not a budget for creating a security staff up to the level needed. Therefore, partnering with a managed security services provider (MSSP) has become almost a must when faced with worries over data theft and the number of mobile devices entering the workplace.

MSSPs are specialists in IT security, said Alertsec’s CEO Ebba Blitz, and as they serve several clients they have the capability to be up-to-speed with advanced requests. “If a company is big enough to staff its own IT department, with the same capabilities, then they’ll most likely do that. However, if you are an SMB and don’t have the resources, then an MSSP may prove to be the better choice.”

However, Pat Patterson, vice president of strategic architecture at Optiv, wrote recently that choosing an MSSP should not be done simply to “throw the security responsibility over the fence.” “Hopefully the days are gone when security leaders believe they simply can hand their entire security monitoring and incident response programs off to third parties and expect to be successful. Engaging an MSSP will not fix a broken information security process. In fact, it can easily highlight poorly defined processes or areas where no process exists.”

Alvaro Hoyos, chief information security officer at OneLogin, said the debate over outsourcing security parallels the SaaS versus on-premise app argument, or the more recent IaaS versus build your own data center.
Those two discussions are still being had, but the pendulum for a lot of companies has swung in the direction of cloud service providers.

According to a recent report from Trustwave, for a second consecutive year, the number of respondents who reported that their security is installed and maintained entirely by their in-house IT staff and security teams dropped – this year to 67 percent. Twenty-six percent of respondent organizations are involved in a partnership between in-house teams and an MSSP. Another 5 percent delegate the entirety of their security solution set to an MSSP, and 2 percent answered “other.”

Trustwave’s report also stated that, as to their plans to partner with an MSSP, 43 percent already do, which rose from 39 percent in last year’s report. That stat is considerably more pronounced in the United States, where 53 percent of respondents already use managed security services – a 14 percent leap from last year. Another 40 percent overall plan to partner with an MSSP in the future, with 17 percent indicating such an arrangement appears unlikely.

Yitzhak (Itzik) Vager, vice president of cyber product management and business development at Verint Systems, said selecting managed security services versus in-house security is a matter of strategy before tactics. Management needs to decide whether it is better to invest in the in-house personnel and tools required to reinforce organizational security and ensure complete control over protection processes, or to invest the same dollars in a company whose sole focus is security, but who will not have the same focus on the business itself.
“When investing the money in an MSSP, it is important that the MSSP will understand the business risk associated with specific assets within the organization to better prioritize their work.”

Amir Jerbi, CTO of container security company Aqua Security, said MSSPs are at a level of maturity that is often as good as or better than in-house security. The decision of whether to outsource some or all security to an MSSP should be based on several factors, including the level and skills of your own security staff (and whether you can maintain a high enough skill set), the sensitivity and compliance requirements of your systems and data, how strategic security is to your business (e.g., do you consider it to be a core competency), and of course costs.

“As a rule of thumb, large enterprises in regulated industries have a large enough and skilled enough in-house team and prefer to manage all aspects of security in-house. As you go down the midmarket and into SMB territory, it becomes a lot more sensible to use an MSSP for all or most of your security needs,” Jerbi said. “One thing to keep in mind when considering MSSPs is that their expertise is likely to focus on common, well-established areas, leaving emerging technologies such as containers in the hands of the user organizations themselves.”

Derek Brost, director of engineering at Bluelock, gave the pros and cons of both ways to attack security. He said for many companies, investing in procuring, developing, integrating, deploying, operating, and supporting security controls may not outweigh the total risk profile of their assets. For this type of organization, using managed security services is far more cost-effective; however, investing in enterprise risk management is still a required, ongoing expenditure.
For organizations where in-house security might make sense, they likely have a robust risk management discipline and can forecast the loss potential effectively to demonstrate the value of bringing security activities in-house. This type of organization will have the maturity and discipline required to meet or exceed a managed security service value proposition with internal resources.

In Cisco’s annual security report, 21 percent of the survey respondents said they did not outsource any security services in 2014. In 2015, that number dropped to 12 percent. Fifty-three percent said they outsource services because doing so was more cost-efficient, while 49 percent said they outsource services to obtain unbiased insights.

Although a company will want to control their own security program, most cannot afford to run those elements themselves as it would require a 24x7 security operation center (SOC) such as an SIEM or IDS/IPS, said Asher DeMetz, manager, security consultant at Sungard Availability Services. “It is vital that companies – of a size and risk profile to need these services – have 24x7 monitoring as attacks can come any time of day or night. An attack at 9 p.m. that is not detected till 9 a.m. when employees come into the office can be disastrous.”

Additionally, MSS provides companies with the deep skills and experience needed to know what is a “real attack” and what is a false positive, DeMetz said.

Carl Herberger, vice president of security solutions at Radware, agrees, stating that the speed at which the threat landscape is changing, and the fact that SMBs have become an increasingly frequent target of attacks with 43 percent of all cyber-attacks now focused on small businesses, all make in-house security challenging. “For example, a retail ecommerce business might not have the ability to invest in a robust, well-trained security staff to thwart attackers.
Managed security services help to bridge the gap and let businesses focus on what’s at their core,” he said.

The sophistication of the information technology environment, types of devices or controls in place, location and type of data centers, breadth of geographic scope/global footprint, cost, skilled resources, and coverage needed during the week/year should be taken into account when deciding to go with a third party, said Viewpost’s CSO Chris Pierson.

“It is critical to note that the people who best know the layout and operations of your company’s data flows are those people who created the architecture (either network or security) and understand the business processes and product. This ownership is really best achieved by having at least a central core team within the company,” he said.

Having managed security be a part of specialized devices that focus on Indicators of Compromise or behavioral forensics is a smart fiscal and operations move, Pierson added.

Kennet Westby, president and co-founder of Coalfire, said outsourcing is happening in other facets of technology such as hosting, cloud services and application service providers. “It really is more about understanding the scope of network security you look to third parties for. Your organization’s most valuable assets may no longer reside behind your corporate firewall with a network managed by your employees.”

He added that making a decision to handle corporate network security in-house or to leverage third parties should be based on a number of important criteria:

Trust is a big issue, said Richard Henderson, global security strategist at Absolute. “It can take a lot of trust and convincing to move to that model, but the simple fact that we’ve seen an incredible explosion in the MSSP space is proof that those that use it like it.
Any security organization inside a small or midsized company should at the very least evaluate the possibilities of integrating some MSSP offerings into their world.”

He also added that there is a reality that security human resources are often hard to find, hard to keep, and hard to keep happy. “Many security positions are thankless jobs, and when things go wrong, the amount of stress placed on these employees can be staggering. And if you’re a company located in a smaller ‘uncool’ city, it can be difficult or impossible to recruit top-quality talent.”

Cisco’s 2017 Security Capabilities Benchmark Study found that most organizations rely on third-party vendors for at least 20 percent of their security, and those who rely most heavily on these resources are most likely to expand their use in the future.

Rod Murchison, vice president of product management at CrowdStrike, said with the increased volume and sophistication of cyber threats that organizations must deal with, there is a value proposition to working with an MSSP, whether for all or part of your security operations. “Some MSSPs are able to work with security solution providers through APIs, creating truly unique offerings that unlock real value while minimizing complexity for the end user. This level of sophistication and integration can provide MSSP customers with the perfect combination of capabilities to protect their particular network.”

In some cases for companies struggling or for startups, Trish Tobin, FireEye's director of product marketing, said MSSPs can assist security leaders in designing the overall program, building the SOC, training staff and providing incident response. “As their security programs evolve, organizations strive to improve threat detection and incident response capabilities.
More often than not, they are constrained by a lack of skilled security expertise as well as lack of visibility into new techniques being used by targeted threat actors.”

Scottie Cole, network and security administrator at AppRiver, favors a well-trained in-house security team over a managed security service. In-house security teams understand the requirements for both the company’s security needs as well as the company’s goals. “The downside to an in-house security team for many companies is the cost to maintain the team. Well trained, quality talent can be expensive to employ. Another added cost is continuing education for the team, whether it be for trainings, seminars, or re-certification.”

If cost is an issue, then a managed security service is the next best thing, Cole adds. “There are many companies that offer high quality, well-trained individuals who can come into a client’s location and immediately assist with the client’s security needs. The plus side to using a managed security service is that the service usually has a larger pool of talent to draw from. Depending on the client’s wants or regulatory requirements, the managed service can find an expert or team of experts to support the client’s needs.”

Boaz Shunami, CEO of Komodo Security Consulting, said one area where MSSPs can be an advantage is in red team exercises (real attack scenarios), red vs. blue team exercises, penetration testing, threat intelligence centers and incident response and forensics capabilities. “Replacing these with internal employees will usually prove to be less effective, with larger learning curves and, in general, less value over longer periods of time.”

Tom Bain, vice president of marketing at CounterTack, believes organizations want to "collapse the stack" and move to fewer providers and platform offerings. They want fewer agents and ultimately not as many providers under the hood.
“Taking technologies into a managed deployment gives an enormous advantage to MSSPs who can remove the burden from operators, monitoring and responding to threats on their behalf,” he said.

Not so fast

While those interviewed do see pros to MSSPs, they also have some issues with blindly giving up security.

Westby said as with most services, “there are many that over market and under deliver on true security service. Taking the time to get under the covers of how the service is provided and validate how they will protect your company is important in vendor selection. Maintaining security leadership and program/vendor oversight in-house is also very important.”

It’s important to factor in the overall requirements and needs of the organization, said Javvad Malik, security advocate at AlienVault. For example, if a company has many custom apps that need customized monitoring, then in-house may be more appropriate than an MSSP. Other considerations can include whether there’s a preference for dedicated personnel or regulations that require data to be stored locally.

“If a company does choose to opt for an MSSP it’s important to evaluate them for effectiveness and their ability to execute on their methodology. Finding the right type of MSSP that is a good cultural fit with your organization is just as important as finding one with the right technical skills.”

Malik said there’s no easy or right answer to this – both approaches have their own challenges and benefits. But it’s best to make an informed decision based on budget, expertise, and desired outcomes.

Salim Hafid, product manager at Bitglass, believes that for many of the most security conscious industries and organizations, in-house security is a must.
An in-house security team with specialized knowledge of the security capabilities necessary to achieve compliance and that can evaluate multiple security solutions against their needs, can be very effective.

Having in-house security allows you to build on tribal knowledge that is not easy to export to a third party, Hoyos said. “Your internal team will better understand the risks you face, including internal risks from your own personnel, which is something that an MSSP simply cannot do without boots on the ground.”

He suggested having a mix of in-house personnel and an MSSP; the MSSP can cover the basics, while the in-house security team can focus on the more complex or nuanced issues that an MSSP doesn’t have the sufficient background to understand. “Having the MSSP cover those basics also provides meaningful challenges for your team, thus reducing turnover and augmenting your security program organically with more skilled personnel.”

Companies might not want to use an MSSP if they already have vendor contracts in place and an in-house team that knows the ins and outs of their particular environment. “MSSPs are more one-size-fits-all, so you have to account for that when planning a migration to an MSSP. You also need to be cognizant that all your data will be going through an MSSP, so confidential agreements and concerns with proprietary or customer data need to be considered as well,” Hoyos said.

Neal Bradbury, senior director of business development, Intronis MSP Solutions by Barracuda, also offered the option of “as-a-service” that allows companies to pick and choose what they want implemented.

Stu Sjouwerman, CEO, KnowBe4, said one factor to consider is the complexity of your environment when determining whether to keep security in-house.
Very complicated environments can be a challenge for MSSPs, especially if they have a high employee turnover rate; however, they may also have a more diverse skillset to tap into.

“It takes time to learn about complex environments, so you want to minimize repeated learning curves,” he said.

Another factor is a company’s geographic location. Is there a local talent pool for security professionals, or are they in short supply? If your organization’s salaries, benefits and perks are focused on lower-level positions, it could prove a challenge to retain a security individual that is being courted by other organizations, Sjouwerman said.

Advantages to in-house security are that you have a dedicated resource that will know the ins and outs of the environment better than most MSSPs because they are immersed in it daily. “You are free to leverage the in-house security resource for any number of projects or advice that you may not want to bring an outside organization into,” Sjouwerman said.

“Ultimately, you also need to research any MSSP or direct hire before you make a step either way. These people will be the guardians of your information and will likely have a lot of access to your customer data. A company or individual with a strong track record and proven trustworthiness is critical,” he added.