Years ago it would have been unthinkable to give up control to securing your most valuable assets. But for some companies the risk of handing the security keys to a third party is less than the idea of facing the daily barrage of attacks.
When asked why a company would cede control, many vendors said it depends on the level of staffing that company has. If the expertise is lacking, why take the chance. Or if it is a small to midsize enterprise, maybe there is just not a budget for creating a security staff up to the level needed. Therefore, partnering with a managed security services provider (MSSP) has become almost a must when faced with worries over data theft and the number of mobile devices entering the workplace.
MSSPs are specialists in IT security, said Alertsec’s CEO Ebba Blitz, and as they serve several clients they have the capability to be up-to-speed with advanced requests. “If a company is big enough to staff its own IT department, with the same capabilities, then they’ll most likely do that. However, if you are an SMB and don’t have the resources, then an MSSP may prove to be the better choice.”
However, Pat Patterson, vice president of strategic architecture at Optiv, wrote recently that choosing an MSSP should not be done simply to “throw the security responsibility over the fence.” “Hopefully the days are gone when security leaders believe they simply can hand their entire security monitoring and incident response programs off to third parties and expect to be successful. Engaging an MSSP will not fix a broken information security process. In fact, it can easily highlight poorly defined processes or areas where no process exists.”
Alvaro Hoyos, chief information security officer at OneLogin, said when debating outsourcing security it parallels the SaaS versus on-premise app argument, or