Security Operations: Outsource vs. In-House, The Saga Continues
To date, there have been two options for SecOps. But for many, if not most organizations, neither was quite right.
There was building an in-house security operations program, and there was outsourcing to an external provider. To choose between them, you needed to weigh a complex set of trade-offs. Spending more on cybersecurity services wouldn't always yield as great a reduction in risk as you might hope. Or, in line with the law of diminishing returns, your spending would result in only small marginal improvements. Finding the right balance--so that your investment is manageable, and your payoff worthwhile--can be a challenge.
But the advent of robotic decision automation software is changing the game, and rewriting the equations and formulas you need to use in these calculations.
Let’s take a closer look into the pros and cons of outsourcing your organization’s cybersecurity program and discuss the ways in which robotic decision automation software is a better option for some organizations.
Cybersecurity labor costs are high—both for enterprises and for cybersecurity service providers
The outright monthly cost of engaging a managed security service provider (MSSP) can vary tremendously depending on the service level you select, and add-on items you choose, the number of employees in your organization, and the complexity of your IT infrastructure. Rough estimates range from $10,000 to $100,000 per month for a midsize to large organizations.
Given the current status of the cybersecurity job market, in which there’s a dire lack of qualified and experienced professionals—2.93 million unfilled positions worldwide, according to one estimate—staffing a security operations center (SOC) is no easy task. Organizations developing their own internal cybersecurity programs usually discover that finding the right people to fill security analyst job openings is a major challenge. And MSSPs face the same difficulty: the pool of qualified labor from which they need to draw is no larger.
Salaries for highly skilled and experienced cybersecurity analysts—especially those with specialized knowledge of particular parts of the incident workflow, like cyber incident response—often exceed $100,000 per year.
Frontline console monitoring, which some organizations call the “Tier 1 Analyst” function, is typically performed by the least senior members of the security team. These employees are often fresh out of college or have just moved into their first security role from an IT helpdesk position. Their salaries may be in the neighborhood of $45,000 per year, but it’s often hard to find good people at these pay rates. And turnover rates are typically high, making the struggle to find the right talent a recurring problem.
Conceptually speaking, it might seem like a good idea to consolidate multiple organizations’ security programs within the infrastructure provided by a single outside service provider, but there are multiple drawbacks to this model.
MSSPs are, by design and by nature, for-profit companies. This means that their primary mission is to maximize their profits, and to deliver the best possible return on the investments of their owners, funders, and/or shareholders. Inevitably, they must extract some profit margin—above and beyond the basic cost of providing security services—in order to be successful.
To do so, they usually standardize their service offerings, bundling them into packages designed to minimize the amount of time that each senior engineer has to spend managing each client’s systems. Without additional customization, for which you’ll need to jump to a higher (and more expensive) service tier, or select extra add-on service offerings (at additional cost), your cybersecurity program can’t be tailored to meet your unique business and security needs.
Hiring an MSSP may not yield the time savings you’d hoped for
If you engage with a traditional MSSP that doesn’t offer additional detection and response capabilities, they’ll take on primary responsibility for monitoring your environment but will still escalate the incidents they deem worthy of further investigation back to you for cyber incident response. In other words, they’ll call to let you know when they notice something suspicious, and you’ll still need to maintain a cyber incident response team capable of triaging the alerts they bring to your attention.
Unfortunately, cyber incident response skills are among the “advanced” cybersecurity analysis skills, requiring more training or more extensive experience, and thus building an incident response team requires finding more specialized analysts—those with salaries greater than the $100,000 per year range.
In contrast, monitoring your environment and escalating alerts—fulfilling the terms of MSSPs most basic service agreements—can be accomplished by Tier 1 Analysts—the ones with salaries in the $45,000 per year range.
Furthermore, because their services are standardized, and their escalation decisions aren’t being made of the basis of a deep understanding of your environment or enriched with a great deal of contextual information, there are likely to be a large number of false positives among the alerts that they escalate. Your team may, in fact, find themselves spending more time on cyber incident response with an MSSP than they would if they brought cybersecurity analysis and monitoring capabilities in-house.
Don’t be seduced by their mysterious aura of expertise
Many people hire professional financial advisors to guide them in making personal financial decisions even though these services come at a high cost. They do so because they find dealing with financial matters confusing, emotionally unpleasant, or intimidating. They believe that they need an expert’s help in this area.
It’s tempting for business leaders to see cybersecurity in a similar light. When slightly better educated about what securing your environment actually entails, your IT team may find that those “experts” aren’t quite as expert as you thought. In particular, with outsourced services, it’s difficult if not impossible to ascertain how well trained or experienced the people making the decisions about which events to escalate actually are.
Even in the best conditions, the most senior of human analysts won’t be able to consider more than a small fraction of the events generated by network telemetries. And even the most experienced human analysts won’t be able to be 100 percent consistent in their decision-making: humans simply aren’t wired to do this.
What to look for if you need a managed security service provider
Although cybersecurity analysis software solutions like robotic decision automation can offer better results than MSSPs at a fraction of the cost, not every organization has the resources to manage an in-house cybersecurity program. If your organization cannot assemble a cyber incident response team and trying to do so would take you far from your core business capabilities, it may make sense to outsource your cybersecurity program.
In this case, look for a service provider offering deeper, higher-value services, going beyond simple monitoring and analysis. Such providers typically call themselves managed detection and response (MDR) providers rather than MSSPs, and take on a larger share of responsibility for incident remediation. It’s more common for MDR providers to have full-scale “prevention to resolution” capabilities, and to take over all aspects of cyber incident response.
In particular, make sure that the MDR provider you choose doesn’t outsource their monitoring and detection program to a security operations center (SOC) that’s located in Eastern Europe, India, or Asia. Such outsourcing lowers the service provider’s labor costs but may put your data or intellectual property at risk.
Instead, look for a service provider who’s seeking to reduce labor costs through smart use of automation. Cybersecurity automation software tools incorporating robotic decision automation are available to managed service providers, and those making use of automation’s capabilities stand to offer the highest-value services at the most reasonable cost to their customers.
It’s an economic reality: human analysts’ salaries will continue to rise. As they do so, replacing their labor with automation will make more and more sense—both for organizations seeking to build strong and cost-effective cybersecurity programs in house, and for the cybersecurity service vendors looking to compete by offering the strongest possible security programs for their cost.