Can a company’s IT security be outsourced?

Companies today rely heavily on technology and the internet to run their operations. This reliance comes with increased risks and vulnerabilities from cyber threats. As such, IT security has become a top priority for organizations of all sizes to protect their data, systems and customers. But maintaining robust IT security requires skillsets that are scarce and expensive. This has led many companies to consider outsourcing some or all of their IT security needs to managed security service providers (MSSPs).

Outsourcing IT security can provide companies with access to advanced security technologies, threat intelligence and expertise at a lower cost than developing these capabilities in-house. However, it also comes with risks around loss of control, security gaps and legal liabilities. Companies need to weigh the pros and cons to determine if outsourcing is the right approach for their specific IT security requirements and risk profile.

What Does IT Security Entail?

IT security refers to the technologies, policies and procedures in place to protect an organization’s computer systems, networks and data from cyber threats and vulnerabilities. It encompasses a broad range of activities including:

– Network security – Protecting the infrastructure that connects a company’s devices and systems. This includes firewalls, intrusion prevention systems (IPS), network segmentation, secure remote access and more.

– Endpoint security – Safeguarding laptops, desktops, servers, mobile devices and other endpoints from malware, unauthorized access and data leaks. Tools like antivirus, encryption and mobile device management play a key role.

– Application security – Securing the code that powers websites, SaaS apps, APIs and other applications so that flaws such as SQL injection or cross-site scripting are found and fixed before they can be exploited.

– Identity and access management – Managing user identities and controlling access to company resources via technologies like multi-factor authentication, single sign-on and role-based access controls.

– Data security – Protecting sensitive data at rest and in transit through encryption, tokenization, data loss prevention (DLP) and rights management.

– Security monitoring – Tracking user activities, system logs and network traffic for anomalous behaviors that could indicate a breach. SIEM tools and threat intelligence feed into monitoring.

– Incident response – Having processes to quickly detect, investigate and remediate security incidents like data breaches, malware infections or Denial of Service (DoS) attacks.

– Compliance – Adhering to regulations like HIPAA, PCI DSS, GDPR and various privacy laws that impose strict security requirements with audits and potential fines for non-compliance.

This mix of people, processes and technologies makes IT security a complex beast. It requires ongoing risk assessments, policy setting, solution deployment, monitoring, maintenance and training.

Why Would Companies Consider Outsourcing IT Security?

There are several compelling reasons why outsourcing some or all of a company’s IT security makes strategic sense:

– **Cost savings** – Rather than hiring full-time security staff and building an in-house SOC, outsourcing to an MSSP brings economies of scale. Fixed pricing models are common.

– **Access to expertise** – MSSPs have dedicated security analysts, engineers and SOC teams with skills that are hard to recruit and retain in-house.

– **Expanded coverage** – 24/7 monitoring and management across networks, endpoints and cloud environments exceeds what most companies can handle alone.

– **Accelerated deployment** – Turnkey solutions allow faster rollout of security tools versus acquiring, deploying and integrating complex technologies in-house.

– **Flexibility** – Security needs tend to fluctuate. Outsourcing provides the ability to scale services up or down without hiring or laying off staff.

– **Focus** – Frees up internal IT staff to focus on core business objectives rather than the distraction of managing security day to day.

– **Risk sharing** – Contracts can shift some operational and financial risk to the provider through service credits, indemnities and insurance requirements. Note that this is a partial transfer: legal and regulatory liability for a breach of the company’s data generally stays with the company, whoever operated the controls.

For small and mid-size businesses without sizable IT staff, outsourcing security can be especially advantageous. Larger enterprises can also benefit from augmenting in-house capabilities via outsourcing.

What Are the Risks of Outsourcing IT Security?

Despite the benefits, relying on third-party security also introduces potential risks that must be carefully evaluated:

– **Loss of control and visibility** – Outsourcing hands day-to-day control to the provider. Internal visibility into alerts, investigations and tool configuration may be reduced unless the contract guarantees access to them.

– **Integration challenges** – Tightly integrating a provider’s tooling with internal infrastructure, log sources and ticketing can be difficult.

– **Compliance risks** – Providers may not understand the regulatory requirements or internal policies that apply to the company. Regulatory liability for non-compliance stays with the company regardless of who operates the controls.

– **Dependency risks** – Over-reliance on a provider can disrupt operations if the relationship sours or the provider fails.

– **Data protection risks** – Giving third parties access to sensitive data increases exposure and raises privacy obligations, including subprocessor and data-residency questions.

– **Performance risks** – If the provider fails to detect or respond to threats promptly, the damage lands on the company.

– **Inconsistent quality** – Service levels and staff skills vary enormously among providers. Choosing poorly will degrade security posture.

– **Vendor lock-in** – Once dependent on a provider’s platform, playbooks and historical data, switching vendors becomes difficult and costly.

To mitigate these risks, thorough due diligence is required in evaluating providers, structuring contracts and monitoring ongoing performance. But risks cannot be fully avoided when relinquishing control to outsourced security.

Key Considerations When Outsourcing IT Security

If outsourcing IT security is deemed a worthwhile path, there are several important considerations for selecting the right provider and managing the relationship:

– **Assess internal capabilities** – Be realistic about existing security staff, technologies and processes – and gaps – to determine what can or should be outsourced versus managed in-house.

– **Prioritize security needs** – Not all security capabilities need to be outsourced. Focus on needs that require specialized expertise or capacity like managed detection and response (MDR).

– **Research provider options** – Vet providers thoroughly on aspects like size, financials, client base, services, delivery models and technologies to short list candidates that align to requirements.

– **Evaluate track records** – Look for proven experience, solid customer references and satisfied clients in comparable industries.

– **Interview staff** – Meet key delivery team members during the sales process to assess skills, experience and professionalism.

– **Review audits and reports** – Examine SOC 2 Type II reports (issued under SSAE 18), ISO 27001 certification or other independent audit results as evidence of effective security controls and processes. Read the scope, the testing period and any noted exceptions, not just the cover page.

– **Scrutinize SLAs** – Require meaningful service level agreements (SLAs) with guarantees on metrics like maximum time to acknowledge and respond, uptime and escalation procedures, along with remedies (service credits, termination rights) for missing them. An SLA with no remedy is a statement of intent, not a commitment.

– **Limit data access** – Grant the provider only the minimum access to systems and data that the contracted services require, and make that access revocable from your side rather than theirs.

– **Maintain role separation** – Ensure outsourced staff handle defined security tasks (monitoring, triage, tuning) but cannot change internal security policy, identity configuration or the logging they depend on.

– **Conduct oversight** – Put reporting and governance models in place to regularly monitor vendor performance and compliance.

– **Build in flexibility** – Structure shorter-term contracts with extension options to reassess outsourcing decisions down the road.

Examples of IT Security Functions Commonly Outsourced

While outsourcing all security capabilities to an MSSP is an option, most companies take a hybrid approach. This allows focusing outsourcing on functions that require specialized expertise or resources. Common examples include:

Managed firewalls and IPS – An MSSP monitors and manages the configuration and logs for corporate firewalls and intrusion prevention systems on an ongoing basis. This relieves internal staff of 24/7 firewall administration and IPS fine-tuning.

Endpoint detection and response (EDR) – EDR tools are installed on devices firm-wide but an MSSP monitors the fleet for indicators of compromise. They can remotely remediate infected endpoints. Internal staff maintain endpoint hygiene.

Security Operations Center (SOC) – A fully managed SOC from an MSSP provides 24/7 eyes on glass monitoring via a team of Tier 1-3 analysts. They detect and respond to security events the company alone may miss.

Incident response – If a suspected breach occurs, specialized incident response firms can be called in to conduct forensic analyses, determine root causes, quantify impacts and guide recovery.

Application security testing – One-off or periodic testing of internally developed or COTS applications by specialized app sec vendors uncovers risks missed by in-house staff. Remediation guidance is provided.

Security training – Rather than developing and updating employee security awareness training in-house, it can be outsourced to a vendor specializing in content development and delivery via an online platform.

Identity as a Service (IDaaS) – Full lifecycle management of user identities, credentials and access controls is handled by an IDaaS vendor and integrated with on-premises systems through standard protocols such as SAML, OIDC and SCIM.

The specific security capabilities suitable for outsourcing will vary by a company’s size, vertical, risk tolerance and existing in-house skills. But the examples above reflect functions commonly leveraged from MSSPs.

How are IT Security Outsourcing Services Typically Delivered?

MSSPs support outsourced security via two primary delivery models:

Co-managed Security

With a co-managed model, the MSSP partially assumes management and monitoring of security solutions that remain deployed on-premises or in the company’s cloud environment. Logs and alerts stay within corporate infrastructure, although the provider still sees them through its remote connection. The MSSP takes on defined operational aspects like log analysis, rule tuning, vulnerability scanning and alarm monitoring via that remote connectivity, while internal staff keep control over security policy, tool selection and deployment. Responsibilities are shared and should be written down.
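As an added example (not part of the original article, and not any particular MSSP’s configuration), here is what “defined operational aspects via remote connectivity, with internal staff keeping control over policy” can look like when the company’s environment is an AWS account: a role the provider’s SOC can assume to read logs and findings, but which is explicitly denied any change to security groups, IAM, or the logging it depends on. The MSSP account ID, the external ID, the role name on the provider side and the log sources are placeholders.

```hcl
# Added example of least-privilege MSSP access for a co-managed model.
# Placeholders (assumptions, not real values): the MSSP's AWS account ID and
# the external ID agreed in the contract. Both belong in tfvars, not in code.
variable "mssp_account_id" {
  default = "111111111111" # placeholder
}

variable "mssp_external_id" {
  default = "replace-with-contract-secret" # placeholder
}

# Trust policy: only a named role in the MSSP's account may assume this role,
# and only when it presents the agreed external ID. The external ID is what
# stops a provider that serves many customers from being tricked into using
# this role on someone else's behalf (the confused-deputy problem).
data "aws_iam_policy_document" "mssp_trust" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.mssp_account_id}:role/soc-analyst"]
    }

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.mssp_external_id]
    }
  }
}

resource "aws_iam_role" "mssp_monitoring" {
  name                 = "mssp-co-managed-monitoring"
  assume_role_policy   = data.aws_iam_policy_document.mssp_trust.json
  max_session_duration = 3600 # one-hour sessions; every renewal is logged in CloudTrail
}

# Permissions: read telemetry and findings, never change the environment.
data "aws_iam_policy_document" "mssp_permissions" {
  # What the SOC needs to do its job: query logs and read detections.
  statement {
    sid    = "ReadTelemetry"
    effect = "Allow"
    actions = [
      "logs:DescribeLogGroups",
      "logs:DescribeLogStreams",
      "logs:GetLogEvents",
      "logs:FilterLogEvents",
      "logs:StartQuery",
      "logs:GetQueryResults",
      "cloudtrail:LookupEvents",
      "guardduty:Get*",
      "guardduty:List*",
      "securityhub:Get*",
      "securityhub:List*",
      "securityhub:Describe*",
      "ec2:DescribeInstances",
      "ec2:DescribeSecurityGroups",
    ]
    resources = ["*"]
  }

  # Role separation: the provider monitors and tunes detections but does not
  # control policy, identity, or the log pipeline that feeds it. An explicit
  # Deny wins over any Allow someone attaches to this role later.
  statement {
    sid    = "NoPolicyIdentityOrLoggingChanges"
    effect = "Deny"
    actions = [
      "iam:*",
      "sts:AssumeRole", # no chaining from this role into other roles
      "ec2:AuthorizeSecurityGroup*",
      "ec2:RevokeSecurityGroup*",
      "ec2:CreateSecurityGroup",
      "ec2:DeleteSecurityGroup",
      "logs:DeleteLogGroup",
      "logs:PutRetentionPolicy",
      "cloudtrail:StopLogging",
      "cloudtrail:DeleteTrail",
      "cloudtrail:UpdateTrail",
      "guardduty:DeleteDetector",
      "guardduty:UpdateDetector",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "mssp_monitoring" {
  name   = "mssp-read-only-telemetry"
  role   = aws_iam_role.mssp_monitoring.id
  policy = data.aws_iam_policy_document.mssp_permissions.json
}
```

Two points about the design. First, the company owns the role, so revoking the provider’s access is a change on the company’s side (delete the role or rotate the external ID), which is the “revocable from your side” property the considerations above call for. Second, the Deny statement is what makes this co-managed rather than fully managed: the provider can see everything it needs and change nothing that would let it widen its own access or blind the logging. If the log groups are encrypted with a customer-managed KMS key, the role will additionally need `kms:Decrypt` scoped to that one key; and every `AssumeRole` by this role should be routed to the company’s own oversight reporting, since the trust policy only ensures the right party is asking, not that what they do afterwards is appropriate.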

Fully Managed Security

Under a fully managed model, the MSSP takes total responsibility for delivering security-as-a-service from their facilities. The corporate network is extended via VPN or other connectivity to the MSSP data centers or cloud where their technologies are housed. Data is visible to the provider who handles all monitoring, management and incident response. The company relinquishes most control over data, tools and processes to the MSSP’s platform and staff.

The optimal balance between co-managed and fully managed services depends on each company’s specific requirements, risk appetite and outsourcing philosophy. But the fully managed option provides maximum leverage of the MSSP’s scale, skills and resources.

How Do IT Security Outsourcing Costs Compare?

Outsourcing IT security – when done right – offers compelling total cost of ownership (TCO) advantages relative to managing similar capabilities in-house. Consider a sample TCO comparison:

| Cost Factor | In-House Team | Outsourced to MSSP |
|---|---|---|
| Technology (tools, licenses, infrastructure) | $500,000 | Included |
| Staffing (salaries, benefits, HR) | $1.5 million | Included |
| Facilities (space, power, etc.) | $250,000 | n/a |
| Training / conferences | $100,000 | Included |
| Contracted services | $500,000 | n/a |
| Annual MSSP contract fee | n/a | $2.5 million |
| Total TCO | $2.85 million | $2.5 million |

Savings will vary with the services received. In this sample the MSSP option comes in roughly 12% lower; the 15-30% TCO reduction commonly cited by providers should be treated as a claim to verify against your own numbers rather than a given. Two things are easy to leave out of the MSSP column: the internal staff you still need to own the relationship, review its output and approve changes, and any tooling or data retention the contract does not include. Outsourcing does reduce the overhead of staffing and tool management, but only the comparison that includes those retained costs is honest.

What Questions Should You Ask Prospective MSSPs?

The decision to outsource IT security should not be taken lightly. During the vendor evaluation and selection process, asking probing questions is a must to assess provider qualifications, offerings and fit. Key questions to consider include:

– How long have you been in business as an MSSP?
– What is your geographic service coverage?
– Which industries are your top clients?
– Do you hold any security certifications or attestations?
– What is your team size and background? What are turnover rates?
– What tools and technologies are used to deliver services?
– How are client data and systems segmented and secured?
– Where are your SOCs physically located?
– Can we tour your SOC facility?
– What SLAs and performance metrics do you offer?
– How flexible are your contracts and services?
– What is your incident response process and reporting?
– How are clients involved in tool selection and policy decisions?
– How do you help clients validate compliance?
– What third parties do you rely on for supporting services?
– What is the financial health of your company?
– What are examples of breach cases you’ve detected and stopped?

The MSSP responses will help assess their capabilities, experience, flexibility, transparency and overall fit. Require on-site visits, customer references and proof of concepts. Don’t be afraid to grill vendors with even more specific questions on offerings.

Conclusion

Outsourcing IT security can offer compelling advantages for companies seeking specialized expertise, flexibility and cost savings. But it also comes with risks around loss of control, visibility and integration challenges. Smaller businesses with limited security staff often stand to benefit most from outsourcing. Larger enterprises can outsource strategic portions of a security program for efficiency and focus while retaining in-house oversight and governance.

If outsourcing security makes sense, set requirements and thoroughly vet providers considering factors like experience, delivery models, technologies, scalability, reporting and financial stability. Scrutinize SLAs. Structure shorter-term contracts. Closely monitor performance. Take an incremental approach to outsourcing security functions versus wholesale turnover to maximize benefits while minimizing risks.