Many companies understand they are ill equipped to design, implement, and maintain IT infrastructures. As a result, outsourcing to a managed service provider (MSP) is a common, valuable practice. However, many of these same companies are left scratching their heads about the value of outsourcing security to the managed security service provider (MSSP). After all, good security is just antivirus and strong passwords. Right?
In total, the MSSP is a worthwhile investment. In a risk saturated world, the MSSP is often the most cost effective and reliable method for achieving the goals of a basic cyber security program, reducing risk, and protecting the data assets all internet connected businesses need to thrive.
MSSP’s can offer an attractive value proposition if the fees include an appropriate number of services.
A Brief Definition of Good Cyber Security and its Costs
Good cyber security identifies and reduces cyber risks surrounding business critical assets to level equivalent to or below risk tolerance. Some risks are so prevalent due to common features like operating systems, IT protocols, psychology, etc. there is a minimum level of cyber security every company needs.
- Asset Management
- Phishing Countermeasures
- Patch and Vulnerability Management
- Endpoint Detection and Response (EDR, not antivirus)
- Secure configurations
- Multifactor Authentication (MFA, where possible, and not SMS if possible)
The above six controls are minimum security in today’s environment. A three-person team, with enough skill and experience, could pull this off. Here is a simple chart indicating labor costs of such a team based on reasonable market salaries and average total compensation modifier.
| Salary | Mod | Total Comp | |
| Architect | $135,000 | 1.4 | $189,000 |
| Engineer | $115,000 | 1.4 | $161,000 |
| Analyst/Ops | $82,000 | 1.4 | $115,000 |
| Total | $465,000 |
If the business has “in-house cyber security” without a $465,000 minimum budget (tools add to the cost), then the business is not doing security. Plain and simple.
The limiting reality of above numbers is the size of the business, or the small size. A four-employee company doesn’t need a sophisticated asset management process or tool. Same goes for patching and vulnerability management. There are steps a tiny company can take to identify and reduce cyber risk that doesn’t require spending $450k, but those steps are getting saved for a future article. However, even a four-employee company needs security and there is little doubt that company can afford a single qualified security engineer ($161k/year) to take care of it.
This is where cyber security consultants and MSSPs come in.
The MSSP Value Proposition
The managed security service provider offers, at a fraction of the cost, the technical and administrative security controls to reduce the risk of diminished or lost revenue resulting from a data breach.
Data is more valuable than the processing hardware or the widgets created from the data. Even if you make a physical product, the data the product is built from is at least as valuable as the product itself. Not understanding this is to leave the business open to major risk due to a lack of proper cyber security controls.
Forward thinking managers and leaders have understood this for decades:
“The information about the package is as important as the package itself.”
Fred W. Smith, Federal Express Founder & CEO, 1990
Therefore, it’s not a stretch to say: if the person responsible for protecting the data does not make reasonable efforts (six controls listed above) to protect the data, when the data is stolen, corrupted, or otherwise made unusable (think ransomware), then as Swigert might say, “Houston, we’ve had a problem.”
This is not a field of dreams. The act of building more IT or cyber security will not, in of itself, generate more revenue anymore them just printing more newspapers. The contention is, if a business does not invest in cyber security (yes, invest in the same way a business would invest in real estate or production capacity), then they have self-imposed constraints preventing them from scaling and capturing more of the market.
A lack of cyber security is a competitive disadvantage.
Getting breached has become part of the great sifting that happens to businesses. Many businesses fail for many reasons, and data breaches is just another one.
60% of small business fail six months after a data breach… [and small business suffer the majority of breaches.]
Inc.com in collaboration with Cisco Sytems & National Center for Middle Market
Right now, there is a 37.2% probability your small business will suffer a catastrophic data breach. If there was a 37.2% chance a meteorite was going to smash into your mobile business, do you move?
62% Probability of small business (SMB) suffering a cyber-attack
60% Probability SMB fails within 6 months of cyber-attack
37.2% = .60 * .62 = .372Put another way: There is a 37.2% chance your entire revenue stream dries up this year – everything gone. Do you do something about it?
The MSSP gives the company access to architects, engineers, and analysts it would not have otherwise. Access to higher quantity and quality of expertise results in a reduction of risk across the board – lower risk of a breach and a lower risk of that breach having catastrophic impact.
Example MSSP Savings for Various Small Business Scenarios
The below chart shows potential costs and savings associated with MSSP services.
| Company | Acme Printing | Laser Health | Brave Law | Car Deals on Wheels |
| Revenue | $12,000,000 | $750,000 | $5,000,000 | $35,000,000 |
| Users | 100 | 15 | 30 | 350 |
| Avg MSSP | $200 | $150 | $150 | $225 |
| Annual Service | $240,000 | $27,000 | $54,000 | $735,000 |
| License Fees | $28,800 | $4,320 | $8,640 | $100,800 |
| Annual MSSP Fees | $268,800 | $31,320 | $62,640 | $1,029,000 |
| In-House (w/mod) | $577,400 | $575,360 | $575,720 | $1,048,400 |
| Annual Saving | $308,600 | $544,040 | $513,080 | $19,400 |
This chart describes the cost savings situation of if the hypothetical company goes to a quality MSSP. Of course, the objective is meeting the minimum cyber security controls, protecting competitive advantage, and reducing the risk a breach does not shudder the company.
Brave Law could decide not to even spend the $62k, but in the grand market calculation, that is penny wise and a pound foolish.
We’ve have seen many companies go cheap, less than $100/user, and they were never happy. Ever. They always end up with a rat’s nest of an infrastructure and feckless security controls.
An added “bonus” this chart does not account for, are the fees most MSSPs charge include IT services. If you add in the savings on IT engineering and support, the Annual Savings value goes up. But this article is about security, so those numbers were left unattended.
In total, the chart describes a possible savings scenario. MSSP vendor selection will shift the price around a little, but the chart should demonstrate that if a minimum level of security is desired (as it should be), the MSSP offers an attractive value proposition.
Even for an extra small business (Laser Health), achieving a minimum amount of cyber security is not out of the realm of possibility.
Notes on the Chart
Number of Users is related to the average of $100,000 of revenue generated/employee. The $100k of revenue generation per employee is a national average for small businesses (revenue < $38 million).
Avg MSSP is taken from experience with multiple MSSPs
License Fees is a sum of the license fees of products fitting the average of the six cyber security components. The are an average of various vendors associated to each control and are per user.
| Control | Licensing Fees |
| Asset Management | $3 |
| Phishing Countermeasures | $8 |
| Patch and Vuln Management | $3 |
| EDR | $3 |
| Secure configurations | $4 |
| MFA | $3 |
| Total | $24 |
In-House (w/mod) is a combination of factors. Min Control Mod is derived from 175 users per 3-person cyber security team, with a minimum of a 3-person team regardless of the number of users less than 175.
2 = 350 / 175The Total below goes in the estimated total for trying to achieve the same minumum cyber in-house.
| Min Control Mod | 1 | 1 | 1 | 2.0 |
| 3-person cyber team | $465,000 | $465,000 | $465,000 | $930,000 |
| Tools | $2,400 | $360 | $720 | $8,400 |
| Management | $100,000 | $100,000 | $100,000 | $100,000 |
| Overhead | 10% | 10% | 10% | 10% |
| Total | $577,400 | $575,360 | $575,720 | $1,048,400 |