IT Security: in-house or MSSP?

In a world where cyber security has become a very strong suit to wear for any type of company, more and more organizations are struggling with keeping up with the ever-emerging threats.

Zero day vulnerabilities pop up every day, many of them we see in the news, which means some people know about them for a while but the majority of people just found out about them, including manufacturers and thus there is no security patch for them. Most organizations are faced with two main options. a) they either go and decide to build up their IT security in-house or b) they hire an MSSP to handle it for them.

Handling the IT security in-house can be expensive, require specialized staff, certifications and software. Many times it requires an large investment of initial capital.

I have had the pleasure to sit down and discuss one of the trends we are heading down when it comes to IT security with Elsworth Anthony, director of technology at DSolution, one of the leading Montreal based IT security software resellers. Here's a short transcript of key points that were discussed:

HIPP: What is an MSSP for people who are not familiar with the term?

E. ANTHONY: An MSSP is an acronym for managed security service provider. An MSSP is a company that provides an organization with some amount of network & endpoint security management, which may include virus/malware blocking, spam blocking, intrusion detection & prevention, perimeter protection, data loss prevention and virtual private network (VPN) management.

HIPP: What are the advantages of an MSSP?

E. ANTHONY: There are many advantages to working with an MSSP:

Minimum capital expenditures - the payment is usually done monthly for the service and goes into the operational costs,
Lower costs than implementing an in-house IT security department with the industry expertise – an MSSP costs for, analysts, security appliances, applications and facilities are distributed across their entire customer base
Uninterrupted security monitoring – a breach of contract makes an MSSP legally liable, which is up held by a service level agreement (SLA). You can set an SLA for your exact needs and have the legal backing to have it guaranteed, giving you peace of mind regarding protection of your assets
This greatly reduces the risk of loss business and even going out of business.
Security Expertise – an MSSP provides a dedicated team of security specialists to ensure your network is protected at all costs. These professionals are also able to keep up with the latest security trends in ways that many in-house teams can’t due to other responsibilities.
Complete Customer Support - MSSPs generally provide real-time cyber security reporting 24 hours a day, 7 days a week, 365 days a year. This is critical for companies because the timing of a cyber attack is almost impossible to predict.

HIPP: Let's play the devil's advocate now, what would the disadvantages of a company deciding to move to an MSSP?

E. ANTHONY: There are not many, to be honest, an MSSP's main job is to make the client's life easier. Companies are still responsible for regulatory non-compliance or liabilities – this is where a well-built SLA is important. The only hurdle I can foresee, is related to trusting a third party to manage intellectual property and client data. The MSSP makes recommendations of what security software and hardware to run for the enterprise, thus giving the internal IT staff the ability to focus on other projects and without the added burden of worrying about IT security. The MSSP really becomes an extension of their IT department, one that is self-managed and self-sufficient, but under the guise of the company that leverages their expertise.

About the author:

Ioan Hipp is not a mathematical genius, he is not a world renowned expert or a prominent figure in the cybersecurity industry. He is just a passionate person on the new cyber world that our IoT is developing into, a storyteller and a contributor to a better society.