Do not fill in this field

Enter no text in this field

Get Instant Access
to This Blueprint

Business Email

Full Name

Company

Phone

Job Title

Most organizations do not have a clear understanding of their current security posture, their security goals, and the specific security services they require. Without a clear understanding of their needs, organizations may struggle to identify a partner that can meet their requirements.
Breakdowns and lack of communication can be a significant obstacle, especially when clear lines of communication with partners, including regular check-ins, reporting, and incident response protocols, have not been clearly established.
Ensuring that security partners’ systems and processes integrate seamlessly with existing systems can be a challenge for most organizations in addition to making sure that security partners have the necessary access and permissions to perform their services effectively.
Adhering to security policies is rarely a priority to users as compliance often feels like an interference to daily workflow. For a lot of organizations, security policies are not having the desired effect.

Our Advice

Critical Insight

You can outsource your responsibilities but not your accountability.
Be aware that in most cases, the traditional approach is more profitable to MSSPs, and they may push you toward one, so make sure you get the service you want, not what they prescribe.

Impact and Result

Determine which security responsibilities can be outsourced and which should be insourced and the right procedure to outsourcing to gain cost savings, improve resource allocation, and boost your overall security posture.

Select a Security Outsourcing Partner Research & Tools

1. Select a Security Outsourcing Partner Storyboard – A guide to help you determine your requirements and select and manage your security outsourcing partner.

Our systematic approach will ensure that the correct procedure for selecting a security outsourcing partner is implemented. This blueprint will help you build and implement your security policy program by following our three-phase methodology: determine what to outsource, select the right MSSP, and manage your MSSP.

2. MSSP RFP Template – A customizable template to help you choose the right security service provider.

This modifiable template is designed to introduce consistency and outline key requirements during the request for proposal phase of selecting an MSSP.

Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

8.3/10

Overall Impact

$13,739

Average $ Saved

Average Days Saved

Client

Experience

Impact

$ Saved

Days Saved

Testimonial

Waymo

Guided Implementation

10/10

N/A

Learning

Medcan

Guided Implementation

8/10

$25,000

Kevin was measured and thoughtful in his recommendations for us to move forward with the context of being a small business and relevant services.

City Of Fort Collins

Guided Implementation

7/10

$2,479

Kevin was willing to meet even tho CoFC is early in its journey toward a cybersecurity strategy and roadmap.

Mueller, Inc.

Guided Implementation

10/10

N/A

Garfield County IT

Guided Implementation

9/10

$12,776

The Info Tech tools will be helpful. I have no negative comments.

Christchurch City Council, NZ

Guided Implementation

9/10

N/A

Jerry's Foods

Guided Implementation

10/10

$31,833

we are still not done so not sure why the survey yet.

Load More Testimonials

Select a Security Outsourcing Partner

Outsource the right functions to secure your business.

Analyst Perspective

Understanding your security needs and remaining accountable is the key to selecting the right partner.

The need for specialized security services is fast becoming a necessity to most organizations. However, resource challenges will always mean that organizations will still have to take practical measures to ensure that the time, quality, and service that they require from outsourcing partners have been carefully crafted and packaged to elicit the right services that cover all their needs and requirements.

Organizations must ensure that security partners are aligned not only with their needs and requirements, but also with the corporate culture. Rather than introducing hindrances to daily operations, security partners must support business goals and protect the organization’s interests at all times.

And as always, outsource only your responsibilities and do not outsource your accountability, as that will cost you in the long run.

Photo of Danny Hammond
Danny Hammond
Research Analyst
Security, Risk, Privacy & Compliance Practice
Info-Tech Research Group

Executive Summary

Your Challenge

A lack of high-skill labor increases the cost of internal security, making outsourcing more appealing.

A lack of time and resources prevents your organization from being able to enable security internally.

Due to a lack of key information on the subject, you are unsure which functions should be outsourced versus which functions should remain in-house.

Having 24/7/365 monitoring in-house is not feasible for most firms.

There is difficulty measuring the effectiveness of managed security service providers (MSSPs).

Common Obstacles

InfoSec leaders will struggle to select the right outsourcing partner without knowing what the organization needs, such as:

How to start the process to select the right service provider that will cover your security needs. With so many service providers and technology tools in this field, who is the right partner?
Where to obtain guidance on externalization of resources or maintaining internal posture to enable to you confidently select an outsourcing partner.

InfoSec leaders must understand the business environment and their own internal security needs before they can select an outsourcing partner that fits.

Info-Tech’s Approach

Info-Tech’s Select a Security Outsourcing Partner takes a multi-faceted approach to the problem that incorporates foundational technical elements, compliance considerations, and supporting processes:

Determine which security responsibilities can be insourced and which should be outsourced, and the right procedure to outsourcing in order to gain cost savings, improve resource allocation, and boost your overall security posture.
Understand the current landscape of MSSPs that are available today and the features they offer.
Highlight the future financial obligations of outsourcing vs. insourcing to explain which method is the most cost-effective.

Info-Tech Insight

Mitigate security risks by developing an end-to-end process that ensures you are outsourcing your responsibilities and not your accountability.

Your Challenge

This research is designed to help organizations select an effective security outsourcing partner.

A security outsourcing partner is a third-party service provider that offers security services on a contractual basis depending on client needs and requirements.
An effective outsourcing partner can help an organization improve its security posture by providing access to more specialized security experts, tools, and technologies.
One of the main challenges with selecting a security outsourcing partner is finding a partner that is a good fit for the organization's unique security needs and requirements.
Security outsourcing partners typically have access to sensitive information and systems, so proper controls and safeguards must be in place to protect all sensitive assets.
Without careful evaluation and due diligence to ensure that the partner is a good fit for the organization's security needs and requirements, it can be challenging to select an outsourcing partner.

Outsourcing is effective, but only if done right

83% of decision makers with in-house cybersecurity teams are considering outsourcing to an MSP (Syntax, 2021).
77% of IT leaders said cyberattacks were more frequent (Syntax, 2021).
51% of businesses suffered a data breach caused by a third party (Ponemon, 2021).

Common Obstacles

The problem with selecting an outsourcing partner isn’t a lack of qualified partners, it’s the lack of clarity about an organization's specific security needs.

Most organizations do not have a clear understanding of their current security posture, their security goals, and the specific security services they require. Without a clear understanding of their needs, organizations may struggle to identify a partner that can meet their requirements.
Breakdowns and lack of communication can be a significant obstacle, especially when clear lines of communication with partners, including regular check-ins, reporting, and incident response protocols, have not been clearly established.
Ensuring that security partner's systems and processes integrate seamlessly with existing systems can be a challenge for most organizations. This is in addition to making sure that security partners have the necessary access and permissions to perform their services effectively.
Adhering to security policies is rarely a priority to users, as compliance often feels like an interference to daily workflow. For a lot of organizations, security policies are not having the desired effect.

A diagram that shows Average cost of a data breach from 2019 to 2022.
Source: IBM, 2022 Cost of a Data Breach; N=537.

Reaching an all-time high, the cost of a data breach averaged US$4.35 million in 2022. This figure represents a 2.6% increase from 2021, when the average cost of a breach was US$4.24 million. The average cost has climbed 12.7% since 2020.

Info-Tech’s methodology for selecting a security outsourcing partner

Determine your responsibilities

Determine what responsibilities you can outsource to a service partner. Analyze which responsibilities you should outsource versus keep in-house? Do you require a service partner based on identified responsibilities?

Scope your requirements

Refine the list of role-based requirements, variables, and features you will require. Use a well-known list of critical security controls as a framework to determine these activities and send out RFPs to pick the best candidate for your organization.

Manage your outsourcing program

Adopt a program to manage your third-party service security outsourcing. Trust your managed security service providers (MSSP) but verify their results to ensure you get the service level you were promised.

Select a Security Outsourcing Partner

A diagram that shows your organization responsibilities & accountabilities, framework for selecting a security outsourcing partner, and benefits.

Blueprint benefits

IT/InfoSec Benefits

Reduces complexity within the MSSP selection process by highlighting all the key steps to a successful selection program.

Introduces a roadmap to clearly educate about the do’s and don’ts of MSSP selection.

Reduces costs and efforts related to managing MSSPs and other security partners.

Business Benefits

Assists with selecting outsourcing partners that are essential to your organization’s objectives.

Integrates outsourcing into corporate culture, leveraging organizational requirements while maximizing value of outsourcing.

Reduces security outsourcing risk.

Insight summary

Overarching insight: You can outsource your responsibilities but not your accountability.

Determine what to outsource: Assess your responsibilities to determine which ones you can outsource. It is vital that an understanding of how outsourcing will affect the organization, and what cost savings, if any, to expect from outsourcing is clear in order to generate a list of responsibilities that can/should be outsourced.

Select the right partner: Create a list of variables to evaluate the MSSPs and determine which features are important to you. Evaluate all potential MSSPs and determine which one is right for your organization

Manage your MSSP: Align the MSSP to your organization. Adopt a program to monitor the MSSP which includes a long-term strategy to manage the MSSP.

Identifying security needs and requirements = Effective outsourcing program: Understanding your own security needs and requirements is key. Ensure your RFP covers the entire scope of your requirements; work with your identified partner on updates and adaptation, where necessary; and always monitor alignment to business objectives.

Measure the value of this blueprint

Phase	Purpose	Measured Value
Determine what to outsource	Understand the value in outsourcing and determining what responsibilities can be outsourced.	Cost of determining what you can/should outsource: 120 FTE hours at $90K per year = $5,400 Cost of determining the savings from outsourcing vs. insourcing: 120 FTE hours at $90K per year = $5,400
Select the right partner	Select an outsourcing partner that will have the right skill set and solution to identified requirements.	Cost of ranking and selecting your MSSPs: 160 FTE hours at $90K per year = $7,200 Cost of creating and distributing RFPs: 200 FTE hours at $90K per year = $9,000
Manage your third-party service security outsourcing	Use Info-Tech’s methodology and best practices to manage the MSSP to get the best value.	Cost of creating and implementing a metrics program to manage the MSSP: 80 FTE hours at $90K per year = $3,600

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.

Overall Impact: 8.9 /10

Overall Average Cost Saved: $22,950

Overall Average Days Saved: 9

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation
"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

Workshop
"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

Consulting
"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks are used throughout all four options.

Select a Security Outsourcing Partner visualization

Outsource the right functions to secure your business.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Table of Contents

Talk to an Analyst

Our analyst calls are focused on helping our members use the research we produce, and our experts will guide you to successful project completion.

Book an Analyst Call on This Topic

You can start as early as tomorrow morning. Our analysts will explain the process during your first call.

Get Advice From a Subject Matter Expert

Each call will focus on explaining the material and helping you to plan your project, interpret and analyze the results of each project step, and set the direction for your next project step.