5 min read

An Overview of Security Management: Demystifying the terms MSP, MSSP, Co-Management

A breakdown of the management approaches in security, and how to avoid the common pitfalls that businesses experience as they scale.
Written by
Christina Boyer
Published on
April 19, 2024

Every company is required to have some variation of IT and security operations. From the most essential elements: giving an employee a laptop, an email account, and a selection of company-tools like Slack and Google drive, to the more complex elements of deploying cybersecurity software across a large fleet of devices, IT and security operations are a core business requirement.

There are lots of different ways an organization can approach managing their IT and security. The approach to managing IT and security needs can vary greatly among organizations and may evolve over time based on factors such as the size of the workforce, compliance obligations, and technological advancements. Navigating the different options can be complex. The first step is understanding what the current management options are. This article will break that down: MSP, MSSP, in-house, outsource, and SaaS solutions.

The second step is thinking about the guiding principles for building a security strategy. This article will touch on some principles, most notably: the importance of building a future-friendly strategy that aligns with key security principles by voiding complex migrations, and multiple restructurings.

Understanding In-House and Outsourcing in Cybersecurity

In assessing  ins-house and outsourced work, let’s start by defining those terms in a cybersecurity context.

In-house refers to handling cybersecurity internally, with an organization establishing its in-house team of cybersecurity professionals responsible for safeguarding the company's assets. Managing security and IT in-house means an organization has full control and visibility of their strategy and operations. This offers a high level of control and customization, allowing organizations to tailor their security measures to align with their specific needs and requirements. However, it also presents challenges such as the significant investment required in recruitment, training, and continuous education for an in-house cybersecurity team.

Outsourcing involves partnering with external cybersecurity service providers to handle security tasks on behalf of the organization. Outsourcing cybersecurity, on the other hand, provides access to expertise, around-the-clock monitoring and support, and can be cost saving. Outsourcing can be challenging in the reduced visibility, flexibility and ability to meet the custom needs of an organization.

There is also a third pathway that involves a hybrid approach, combining elements of both insourcing and outsourcing, allowing organizations to outsource certain tasks while retaining others in-house. This approach can be thought of as a co-management structure, where a in-house resource manages the strategy with the support (either human support or software) that enables them to do their job. We’ll get into this later.

A Breakdown of Outsourced Options: MSPs, MSSPs, and the Role of Software

Managed Services

Managed Service Providers (MSPs) deliver broad IT operations and infrastructure management services, while Managed Security Service Providers (MSSPs) focus exclusively on cybersecurity services. These providers can offer an outsourcing of all IT and security tasks, including device procurement, IT tickets, and deployment and management of a full stack of security tools.

The primary difference between the two lies in the scope of their offerings, with MSPs providing basic security services as part of their broader IT services, while MSSPs specialize in comprehensive cybersecurity services. Co-Managed IT Service Providers offer a collaborative approach, blending client management, internal IT teams, and MSP offerings together.

The Role of Software

There are also a range of options to outsource some IT and security operations via software. The scope of what can be automated without the involvement of a human is limited and this is mainly used for tasks such as generating automated reports for compliance purposes. In deploying tools, there is also a level of expertise that is required to oversee the software’s deployment and on-going management. An MSP/MSSP may often use software to streamline their operations.

Understanding the ‘Maturity Model’ of an Organization

While this doesn’t apply across the board, there is a general pattern that can be tracked with how the management of an organization’s IT and security strategy evolves in relation to outsourcing and keeping operations in-house. In the space of IT and security, there’s a common patterns that emerge, in what we’ve named ‘the Maturity Model’:

The Maturity Model of Cybersecurity Strategy Management

  1. IT & Security Services managed in-house: an organization meets core IT/security requirements in-house. For companies smaller than ~20-30 people, we see a non-dedicated team member navigate and manage security and IT operations on an ad hoc basis. As the business scales, this will likely become too large a burden for one person, or the technical requirements will be beyond what a generalist can manage. Here there are two options: to make a dedicated IT/Sec hire, or to outsource the work.
  2. IT & Security is Outsourced to an MSP or MSSP: in efforts to save time and money, and have a higher quality of IT & security operations, organizations will often choose to outsource their operations to an MSP or MSSP, or more automated software solution. This enables them to leverage the expertise of an out-sourced team, who is able to scale operations quickly, usually using a pre-defined set of tools and processes.
  3. IT & Security is moved back in-house: once an organization reaches a certain size, it’s common to see them make the move to bring their IT/Sec function back in-house. This is often because an outsourced option does not provide the level of customization, flexibility, or visibility desired as an organization grows. There also may be an inflection point, whereby it becomes more cost efficient to manage this work in-house rather than pay the fees for this work to be externally managed.

The Cost of Rapid Management Turnover

It’s worth recognizing that this style of evolution is common as a business grows (both relating to security and beyond). Companies make calculated decisions around how to balance resources, budget, and business needs, and the reality is that as the balance of those factors shifts with time, choices for how to manage operations and processes may also change.

However, there are costs associated with it in the context of cybersecurity. Firstly, migrations and transfers of management are costly and disruptive. Any IT person who’s going through an MDM or IdP migration understands the work (and frankly, pain) associated with this, so being thoughtful from the outset of establishing a strategy that is scalable could save a lot of pain over time. Multiple migrations can lead to fragmented data, gaps in coverage, and a negative user experience as they are disrupted in the move from different systems. Secondly, the impact to users can be huge: migrating tools places a burden on users to repeat activities, such as device enrollment, and contributes to confusion as they are requires to navigate new tools.

So, what other options are there?

An Alternative Way: Co-Management

In the maturity model we have outlined, beyond the pain of multiple migrations or changes in processes and management, another problem  lies right beneath the surface. When a company brings management back in house, the goal is to increase the service quality and tailor it to the organization. However, usually an organization significantly underestimates this challenge and what happens is something different. A company will hire a dedicated IT-resource, have them bring everything in house, and they spend their days fire fighting and handling tickets — spending time on the problems not actually unique to the organization. The size of the task forces them to be reactive instead of proactive. But they were hired with aspirations of being proactive and getting ahead. Begs the question: is there a way to empower this in house resource and get the best of both worlds?

Here enters the concept of a co-management model, which involves an in-house IT team remains responsible for the IT/secuirty operations of their business, but leverage a software or tool to help them manage it. From an IT perspective, this hybrid approach utilizes software to automate time-intensive, repetitive tasks such as pushing out versions updates, responding to tickets, or managing password resets. From a security perspective, tools and software can lift the heavy burden of configuration, deploying and managing security tools, such as MDMs and anti-virus softwares. The benefits here are countless, but a few key ones to understand includes:

  • Firstly, it enables IT-teams to manage a growing number of employees without having to grow the headcount of the team. Co-management leverages software to allow an in-house team to automate time-consuming tasks, like ticketing and password resets.
  • Secondly, it frees up the time of the IT/Security team to focus on the high-priority strategic work, without being swamped by the day-to-day tasks of managing an organizations’ IT operations.
  • Thirdly, by leveraging the right software, teams can access the expertise and enterprise-grade quality of security that is usually associated with a larger specialized in-house team, or an MSSP. Software that can configure and deploy a security stack in an automated way gives users access to tools they may not have expertise in or the skill to navigate independently, unlocking a higher-quality security stack.

Deployed correctly, the co-management model helps overcome both the challenges faced by in-house teams who are bogged down by cumbersome IT tasks, and help an organization build a more robust, yet flexible, strategy that can be more consistent with the lifecycle of an organization.

Guiding Principles & Considerations When Choosing the Right Security Strategy

Deciding the security strategy that is right for an organization depends on several factors, and the right structure will look different for different organizations. The scale, flexibility, level of expertise, and budget within an organization are all key factors in determining the outcome.

That being said, there are some core principles and considerations that any organization should explore when  assessing the security strategy that’s right for an organizations. Let’s take a look below:

  • If you outsourcing, consider what you’re outsourcing - there’s some things that should be visible to an org, or managed by an org, so even when you working with an outsourced model, it’s important to understand what’s happening with your security strategy.
  • Consider a future-proof strategy — when making your management choice, you should be asking yourself the question: what will the business look like 1,3 and 5 years? Selecting an option that only serves you in the short-term will cause problems down the line.
  • Make the right choice in context of your business — for instance, level of expertise, complexity of IT/security requirements, time vs money — all factor into making the ‘right’ management choice for your org, so be intentional and thoughtful in the choice you make.

Interested in learning more on this topic? Check out our latest article: What cybersecurity tools do you need to build and effective security strategy? and our other articles here.

To stay up to date on Company news, follow us on LinkedIn.

Get started with Zip
Learn more about Zip's MDM, EDR, IT, and Compliance solutions and we'll find the right fit for you.