You probably know this even if you have never vocalized it; cyber threats to businesses and individuals will continue to evolve and adapt to whatever defensive measures we employ and therefore there is no achievable end-game approach for your security and compliance program. For large businesses with mature security and IT departments the allocation of funds and time to protect their resources is a given. For small to medium businesses (SMBs) it’s just not as simple. When SMBs try to address their security and compliance needs, they are often diverting much-needed resources from their core business objectives, and that’s a risk not only to their business goals but it also raises questions regarding their ability to manage ALL aspects of their security and compliance obligations. Some SMBs will manage these efforts better than others, but they should also take time to consider the value of developing an in-house practice versus leveraging a service provider who already has a mature offering. The recommended scorecard for such a comparison is to measure the amount of coverage combined with the level of maturity on a 10-point scale divided by the dollars invested. There is usually a direct relationship between the dollars invested and the level of maturity and so the net result leans heavily in favor of managed service providers. This is augmented when you add in the value of the time you spend building your security and compliance practices versus spending that time focused on your core business. SMBs should take care to avoid underestimating the cost of lost opportunities when developing their own in-house security and compliance programs.

Sometimes SMBs struggle to articulate the value of a managed service provider, so here are some considerations for how to explain the value proposition. Firstly, subject matter expertise is a combination of rudimentary book knowledge and real-life experience. While SMBs may provide training to the staff responsible for their security and compliance practice, there is usually a lack of real-life experience to make that knowledge valuable. Consequently, when a real crisis occurs the staff are often unprepared to put their book knowledge into practice. Secondly, SMBs should compare the value of having their staff working on tasks related to building their business versus the value of the time spent learning and practicing security and compliance skills. If there is more value in having the staff working on making the business better, then that’s a clear indication that a managed service provider is justified. Lastly, the costs related to managed services are often treated unfairly because they are usually viewed as a net new cost. Instead, the SMB should list the costs of the in-house staff for time and effort spent on security and compliance, then list the lost-opportunity costs of the same staff not working on business-building tasks, and finally list the revenue at risk when a breach occurs; the total of those costs is what should be compared to the managed service provider’s fees. The value of a managed security service provider is very subtle because if it’s working well there’s not a lot of background noise; however, the value of a service provider can be seen when the service is adding to the business viability with security and compliance credentials. In the next post we will explore how a managed security service provider can help build business value to downstream customers.