Every company is required to have some variation of IT and security operations. From the most essential elements: giving an employee a laptop, an email account, and a selection of company-tools like Slack and Google drive, to the more complex elements of deploying cybersecurity software across a large fleet of devices, IT and security operations are a core business requirement.
There are lots of different ways an organization can approach managing their IT and security. The approach to managing IT and security needs can vary greatly among organizations and may evolve over time based on factors such as the size of the workforce, compliance obligations, and technological advancements. Navigating the different options can be complex. The first step is understanding what the current management options are. This article will break that down: MSP, MSSP, in-house, outsource, and SaaS solutions.
The second step is thinking about the guiding principles for building a security strategy. This article will touch on some principles, most notably: the importance of building a future-friendly strategy that aligns with key security principles by voiding complex migrations, and multiple restructurings.
In assessing ins-house and outsourced work, let’s start by defining those terms in a cybersecurity context.
In-house refers to handling cybersecurity internally, with an organization establishing its in-house team of cybersecurity professionals responsible for safeguarding the company's assets. Managing security and IT in-house means an organization has full control and visibility of their strategy and operations. This offers a high level of control and customization, allowing organizations to tailor their security measures to align with their specific needs and requirements. However, it also presents challenges such as the significant investment required in recruitment, training, and continuous education for an in-house cybersecurity team.
Outsourcing involves partnering with external cybersecurity service providers to handle security tasks on behalf of the organization. Outsourcing cybersecurity, on the other hand, provides access to expertise, around-the-clock monitoring and support, and can be cost saving. Outsourcing can be challenging in the reduced visibility, flexibility and ability to meet the custom needs of an organization.
There is also a third pathway that involves a hybrid approach, combining elements of both insourcing and outsourcing, allowing organizations to outsource certain tasks while retaining others in-house. This approach can be thought of as a co-management structure, where a in-house resource manages the strategy with the support (either human support or software) that enables them to do their job. We’ll get into this later.
Managed Services
Managed Service Providers (MSPs) deliver broad IT operations and infrastructure management services, while Managed Security Service Providers (MSSPs) focus exclusively on cybersecurity services. These providers can offer an outsourcing of all IT and security tasks, including device procurement, IT tickets, and deployment and management of a full stack of security tools.
The primary difference between the two lies in the scope of their offerings, with MSPs providing basic security services as part of their broader IT services, while MSSPs specialize in comprehensive cybersecurity services. Co-Managed IT Service Providers offer a collaborative approach, blending client management, internal IT teams, and MSP offerings together.
The Role of Software
There are also a range of options to outsource some IT and security operations via software. The scope of what can be automated without the involvement of a human is limited and this is mainly used for tasks such as generating automated reports for compliance purposes. In deploying tools, there is also a level of expertise that is required to oversee the software’s deployment and on-going management. An MSP/MSSP may often use software to streamline their operations.
While this doesn’t apply across the board, there is a general pattern that can be tracked with how the management of an organization’s IT and security strategy evolves in relation to outsourcing and keeping operations in-house. In the space of IT and security, there’s a common patterns that emerge, in what we’ve named ‘the Maturity Model’:
It’s worth recognizing that this style of evolution is common as a business grows (both relating to security and beyond). Companies make calculated decisions around how to balance resources, budget, and business needs, and the reality is that as the balance of those factors shifts with time, choices for how to manage operations and processes may also change.
However, there are costs associated with it in the context of cybersecurity. Firstly, migrations and transfers of management are costly and disruptive. Any IT person who’s going through an MDM or IdP migration understands the work (and frankly, pain) associated with this, so being thoughtful from the outset of establishing a strategy that is scalable could save a lot of pain over time. Multiple migrations can lead to fragmented data, gaps in coverage, and a negative user experience as they are disrupted in the move from different systems. Secondly, the impact to users can be huge: migrating tools places a burden on users to repeat activities, such as device enrollment, and contributes to confusion as they are requires to navigate new tools.
So, what other options are there?
In the maturity model we have outlined, beyond the pain of multiple migrations or changes in processes and management, another problem lies right beneath the surface. When a company brings management back in house, the goal is to increase the service quality and tailor it to the organization. However, usually an organization significantly underestimates this challenge and what happens is something different. A company will hire a dedicated IT-resource, have them bring everything in house, and they spend their days fire fighting and handling tickets — spending time on the problems not actually unique to the organization. The size of the task forces them to be reactive instead of proactive. But they were hired with aspirations of being proactive and getting ahead. Begs the question: is there a way to empower this in house resource and get the best of both worlds?
Here enters the concept of a co-management model, which involves an in-house IT team remains responsible for the IT/secuirty operations of their business, but leverage a software or tool to help them manage it. From an IT perspective, this hybrid approach utilizes software to automate time-intensive, repetitive tasks such as pushing out versions updates, responding to tickets, or managing password resets. From a security perspective, tools and software can lift the heavy burden of configuration, deploying and managing security tools, such as MDMs and anti-virus softwares. The benefits here are countless, but a few key ones to understand includes:
Deployed correctly, the co-management model helps overcome both the challenges faced by in-house teams who are bogged down by cumbersome IT tasks, and help an organization build a more robust, yet flexible, strategy that can be more consistent with the lifecycle of an organization.
Deciding the security strategy that is right for an organization depends on several factors, and the right structure will look different for different organizations. The scale, flexibility, level of expertise, and budget within an organization are all key factors in determining the outcome.
That being said, there are some core principles and considerations that any organization should explore when assessing the security strategy that’s right for an organizations. Let’s take a look below:
Interested in learning more on this topic? Check out our latest article: What cybersecurity tools do you need to build and effective security strategy? and our other articles here.
To stay up to date on Company news, follow us on LinkedIn.