
Wednesday Sep 03, 2025
MSP vs MSSP: Why Outsourced Security Often Falls Short
In this episode of Breakfast Bytes, Felicia explained the key differences between Managed Service Providers and Managed Security Service Providers, emphasizing that organizations should prefer an MSP acting as their full internal IT department for security functions unless their own IT department lacks the necessary technical skills. She highlighted the limitations of the current incident response paradigm, particularly the problems with outsourcing security monitoring to MSSPs and the lack of effective escalation to capable incident response teams. Felicia stressed the importance of having a skilled incident commander with strong decision-making authority and technical expertise to handle security incidents effectively.
Summary
MSP vs. MSSP Security Services
Felicia discussed the differences between Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs). She explained that MSPs act as outsourced IT departments, handling a broad range of IT functions, while MSSPs focus specifically on security services. Felicia emphasized that organizations should have their internal IT department, or their full-service MSP, handle security functions rather than outsourcing them to MSSPs, unless their internal IT team lacks the necessary technical skills. She advised that organizations with revenues of $300 million or more should consider hiring in-house talent or outsourcing to large, well-funded companies to avoid potential legal issues with smaller providers.
Enhancing Incident Response Effectiveness
Felicia discussed the limitations of the current paradigm in incident response, highlighting that outsourcing security monitoring to MSSPs often results in a flawed workflow and no true escalation to a capable incident response team. She emphasized that effective incident response requires a highly skilled incident commander with deep technical knowledge, rapid decision-making authority, and an understanding of organizational politics, a combination typically lacking in both internal IT departments and outsourced security providers. Felicia also pointed out the need for clear leadership and decision-making authority during incidents, including the ability to make immediate technical and policy changes without being hindered by organizational politics.
Felicia discussed the limitations and risks of outsourced security services, emphasizing that while they may provide a false sense of security, they are not a substitute for internal capabilities and the need for organizations to maintain authority over their security decisions. She explored the challenges and risks associated with using managed security services providers and outsourcing MDR or SOC services, highlighting the importance of understanding service offerings and making informed decisions rather than relying on trust or price. Felicia concluded that while MSSPs might be suitable for very large organizations, direct purchasing from software manufacturers could often be a better option.
Outsourced Security: Limitations and Risks
Felicia discussed the limitations and risks of outsourced security services, emphasizing that while they may provide a false sense of security, they are not a substitute for internal capabilities. She highlighted the importance of understanding the limitations of basic security tools, such as SentinelOne basic licensing, and the risks introduced when intermediaries sit between the organization and the tool. Felicia stressed that organizations need the authority to make changes based on real data and real issues in their own environment, rather than relying solely on outsourced services.
MSSP Risks and Vendor Selection
Felicia discussed the challenges and risks of using managed security service providers (MSSPs) and of outsourcing MDR or SOC services. She highlighted the lack of visibility into configurations and processes when purchasing through distributors, which can leave significant security gaps. Felicia emphasized the importance of making informed decisions based on a detailed understanding of the service offering, rather than relying on trust or price alone. She concluded that MSSPs should only be considered by very large organizations that need a large counterparty for liability and risk balancing, and even then, purchasing directly from software manufacturers might be the better option.