Abstract: What is the Business Case for MSSP?

business case score card featured image

An abstract form our highly anticipated MSSP paper, What is the Business Case for MSSP?

The National Institute of Standards and Technology (NIST) advises that similar to financial and reputational risk, poorly managed cybersecurity risk may negatively affect performance and place an organization at risk by reducing its ability to innovate. Decision makers and executives are repeatedly experiencing losses due to their inability to be fully knowledgeable about properly managing cybersecurity risk and complying with guidelines of the established frameworks (such as following some of the key elements of the NIST Cyber Security Framework).


Leaders of companies, big and small, recognize that security plans must be created, implemented and continuously updated to protect an organization’s basic requirements in areas including (but not limited to) technology, processes and user awareness. The key question is whether to manage these risks in- house or outsource (transfer risk or share mitigation) to a managed security-as-a-service provider (MSSP).

The managed security approach transfers the expense and management of ‘in-house’ security to a third party having existing expertise and capabilities. But, the struggle arises in how to decide if an ‘in-house,’ on premise, security management program is effective enough? What is the cost-benefit analysis when deciding to budget expenses for in-house verses out-sourcing? Organizations (big and small) desperately need a quick reference guide for deciding how to manage and implement their security program.

The proposed MSSP “Scorecard” provides an outline that helps an organization better understand if there may be a competitive advantage for them in choosing to outsource to an MSSP. It also serves as a resource that aids in calculating the Return on Investment (ROI) of this decision. This “scorecard” approach considers how cyber security investment decisions map directly to managing business priorities. An organization examines the priority and value associated with having consistent operations that are associated with their networks, software, hardware, and data. Hence, depending on your threats, specific strategies will differ. For example, an industry affected via unintended disclosure may devote more attention to stricter access control rather than a more robust logging and monitoring

Executive leaders should first conduct a quick self-assessment to help decide which cyber risks to accept, transfer, mitigate, or avoid; a framework to validate the financial incentives in information security management. As the perceived threat has risen, companies must either build in-house security expertise or outsource as a response. In this white paper, we outline a process to assist in making a business case for or against the MSSP route and provide a checklist to help simplify the decision-making process. This paper will address three approaches, in-house security, partially outsourced security, and fully outsourced security.

You can download the full whitepaper here.