Obvious and Not-So-Obvious Questions to Ask When Considering an MSSP

Go beyond cost when considering using an MSSP and consider both on-call scheduling needs and staff burnout concerns.

Johnny Fitrakis, CISO

June 18, 2024

5 Min Read

Deciding whether to outsource cybersecurity to a managed security service provider (MSSP) is one of those questions that seems simple enough at first glance. But the deeper you dive into it, the more complex it becomes to decide whether using an MSSP is the best fit from both a technical and financial perspective.

I can't tell you whether hiring an MSSP is the right decision for your business, of course, because it depends on many variables specific to each organization. But as a cybersecurity executive who has both worked extensively with MSSPs and overseen cybersecurity operations entirely in-house, I can offer some guidance on what to think about — and, especially, which factors businesses often overlook when considering the "to MSSP or not to MSSP" question.

What and Why of MSSPs

Managed security service providers are companies that specialize in providing outsourced cybersecurity services to other businesses. MSSPs are a type of managed service provider (MSP), a broader category of companies that offer outsourced IT services.

Typically, businesses that choose to work with MSSPs do so either because they lack the resources to manage security effectively on their own, or they believe an MSSP can provide the security services they need at a lower total cost. In some cases, MSSPs also can deliver specialized types of expertise (such as the ability to manage the unique security challenges associated with deploying AI services, for instance) that are harder to address with in-house staff.

It's worth noting that MSSPs aren't an all-or-nothing type of solution. It's possible to use an MSSP to cover some security requirements, while relying on your own employees to manage others. For instance, a business might outsource security monitoring to an MSSP but use in-house staff to respond to incidents the MSSP flags.

Basic Questions to Ask When Evaluating MSSPs

When businesses consider working with MSSPs, they typically begin by asking some obvious questions, such as:

  • How much does the MSSP charge? Is that sum higher than the cost of hiring, training and paying in-house security staff?

  • Which service-level agreement (SLA) and incident response time guarantees does the MSSP offer? Are its service levels better than what our in-house engineers can achieve?

  • Which technology does the MSSP use? Does it have access to solutions that are more sophisticated than we could deploy ourselves, or that we lack the budget to acquire on our own?

These are the first questions you'll want to ask about an MSSP because the answers could be deal-breakers. For example, if an MSSP can't beat the security incident response times of your own staff, that would be a major reason not to hire an MSSP.

The Not-So-Obvious Questions When Considering Using An MSSP

But don't stop with those questions. There are additional critical factors to weigh before committing to an MSSP — and these are the ones that businesses often overlook.

  • Engineering tiers: Different companies require different levels of cybersecurity expertise, depending on the complexity of their operations and the types of security threats they face. This factor impacts the total cost of running cybersecurity in-house — and, by extension, it helps to determine whether an MSSP is a more cost-effective solution.

If your security needs are basic, you can hire mostly tier 1 engineers, who are less experienced and expect less compensation. In that case, there's a higher chance that in-house cybersecurity will prove to be more cost-effective. But for highly complex cybersecurity requirements, you'd need to hire tier 3 engineers, and outsourcing to an MSSP that can deliver the same complex services may be more cost-effective.

  • On-call scheduling: Cybersecurity is a 24/7 affair. You need someone monitoring for and capable of responding to threats on an ongoing basis.

There are two basic approaches to doing this. One is to hire enough engineers that you always have sufficient staff on the clock to handle all aspects of your operations. This is more expensive because you need a larger overall staff. You might find that an MSSP is more cost-effective because they can cover 24/7 scheduling for you, regardless of your internal headcount.

The other approach is to hire a smaller crew, but require every staff member to sign up for on-call hours — meaning time when they are not otherwise working, but are expected to be ready to respond to a security event. This costs less in salary, but most engineers don't enjoy being on call, so requiring them to do so on a regular basis may place more stress on your team. You may also find it more challenging to retain skilled employees. Viewed from this perspective, an MSSP can also offer value because it allows you to meet 24/7 scheduling needs without hampering team morale.

  • Technician burnout: On that note, an important, but often overlooked, selling point of MSSPs is that outsourcing eliminates or reduces the risk of burnout among your own cybersecurity team. Cybersecurity operations can be stressful, given the high stakes of failure and the never-ending stream of alerts technicians must contend with. Even experienced and patient engineers can feel overwhelmed — and the last thing you want is for an employee in a critical function like cybersecurity to quit suddenly or stop working effectively due to burnout.

By hiring an MSSP, you outsource the risk of burnout to an external firm, which guarantees a level of service availability to you without requiring you to manage staff morale.

A Complicated Question

There are clear financial and technical advantages to working with MSSPs, as well as clear drawbacks. I've used both approaches at different companies, and it would be a mistake to say that one is always better than the other.

What matters most is ensuring you're asking yourself all the right questions when evaluating whether an MSSP is right for your business. Don't think just about considerations such as how much the MSSP charges or which SLAs it offers. Think, too, about deeper, more complex factors, like the company's on-call scheduling needs and staff burnout concerns.

About the Author(s)

Johnny Fitrakis

CISO, Vega Cloud

Johnny Fitrakis is the CISO at Vega Cloud. He has a passion for fixing IT problems, learning new technologies and providing the best customer service.