Greg Fittinghoff, Enterprise Solution Architect, Nintex

“Always maintain a level of security expertise in-house, and seek out an MSSP to provide the arms and legs that can cost-effectively perform functions you cannot do internally.”

Cybersecurity is a critical need for all organizations. Deciding if you are going to outsource a security function or process to an MSSP really comes down to asking yourself a series of questions. You need to determine if you can better protect the organization by partnering with a security services provider that can offer experts (and potentially technology) not available internally.

If this is something that you need to do to protect the organization—something customers require, a response to a regulatory issue, or addressing a new threat—then the next issue is how to go about meeting that need. Answering that question involves determining if you have the ability to do it internally with the people and skills you have. Will it incur significant cost because of its specialized nature, requiring people to have certain certifications? Finding those people and maintaining them on a 24/7 basis may be essential because information security is a 24/7/365 proposition. There is never a day or a time when something is not happening. It might involve collecting log files from servers. Depending on how many you have and if they are virtualized, that in itself becomes a burden. You need to maintain the tooling and the expertise to use it.

With this understanding of what’s needed, you have to drill into exactly how many of those resources you require to support the kind of security response and risk management the organization expects. And at that point you can begin to make a realistic evaluation as to whether this is something you can build internally or if you need an external partner to implement it.

Every organization and situation is different, but regardless of the path an organization takes, it should never outsource all its information security capabilities. Too many security issues arise that have business implications and require involvement of business managers. Always maintain a level of security expertise in-house, and seek out an MSSP to provide the arms and legs that can cost-effectively perform functions you cannot do internally.

Key Questions to Ask:

What types of human and technology resources are needed to support the information security and risk management the organization expects? What is the most effective and sustainable approach to get those resources?

This is an excerpt from 7 Experts Share Key Questions To Ask When Evaluating Providers. This series was generously sponsored by BlueVoyant.