Why Build Vs. Buy Isn’t Always The Right Calculus For Detection And Response

Something’s not adding up for many small- to medium-sized businesses (SMBs) when it comes to threat detection and response. On the one hand, more than half (56%) of small business owners said in a Q3 2021 survey that they weren’t concerned about falling victim to a digital attack over the next 12 months. A quarter said they were “not concerned at all,” reported CNBC, and 59% said they were confident that they could resolve any cyberattack. On the other hand, just 28% of the small business owners polled said that they had an incident response plan in place. Another 42% said they had no plan at all, and only a quarter indicated that they carry cyber insurance.

Setting the Record Straight

The only way for SMBs to be confident in their ability to prepare for a cyberattack is to have threat detection and response tools and services in place. This raises an important question. How can these organizations implement proper detection and response?

Generally, the industry likes to frame the answer as a choice between “build” and “buy.” That is, do SMBs and other organizations want to build their own detection and response capabilities? Or do they want to work with a managed security services provider (MSSP) that can do it for them?

What’s interesting is that neither route typically works for an SMB. The obvious argument against building is that an in-house Security Operations Center (SOC) isn’t feasible: SMBs don’t have the budget for one. Not when organizations spend an average of $2.86 million a year maintaining an in-house SOC, as Dark Reading noted. Staffing an internal SOC is a problem in its own right, and a three-fold one. First, they need to attract skilled talent in a highly competitive market. Second, they need to pay for enough of that talent to actually staff the SOC. (Approximately $1.5 million of an average SOC budget goes to labor costs, per Dark Reading.) Lastly, they need to retain that talent to avoid the cost of training someone new every 2-3 years.

In response to these challenges, it’s all too easy to argue that SMBs should lean on managed services. There’s just one problem. These managed services are really expensive, too. In some cases, they’re even more expensive than the costs of building a SOC internally. Dark Reading shared that the average cost of outsourcing a SOC to a managed security service provider was $4.44 million, or $1.58 million more than if they had just built the SOC themselves. And only one in five respondents to that study went on to label their MSSP as “highly effective.”

The Shortcomings of an MSSP

That last finding about MSSPs’ effectiveness is telling. Indeed, TechRepublic notes that there can be certain drawbacks to working with an MSSP of which SMBs and other organizations need to be aware. First, there’s the reality that MSSPs don’t always collaborate well with internal teams. This limits how quickly an MSSP can tell the internal team what it is seeing on the customer’s network, and how quickly the internal team can act on that information.

Second, MSSPs are sometimes limited in the types of solutions they provide. They might lack the capabilities through which organizations can proactively scan for and predict threats, as an example. They also might not have a way of correlating threat data, leaving internal teams to chase alerts that look like legitimate security issues but ultimately turn out to be false positives.

Finally, MSSPs don’t always take on the role that they need to. Here’s TechRepublic with more.

“MSSPs need to take on the role of the CISO rather than the role of a security advisor,” it explained. “It needs to have a deeper understanding of company processes and procedures and an inherent knowledge of how operations work. MSSPs also need to shift from focusing entirely on regulatory compliance to understanding the threats targeting each of their individual customers and managing security to suit their needs, rather than applying a one-size-fits-all approach.”

No Build, No Buy … Now What?

Clearly, MSSPs don’t always offer the type of value for which SMBs are looking. This reality puts these organizations into a difficult position. It’s not a case of build vs. buy. It’s that they neither build nor buy what they need.

Fortunately, SMBs can work their way around this false “build vs. buy” dichotomy. They can begin by adopting a prioritized framework such as the Center for Internet Security (CIS) Controls and using it to drive their decisions. (CIS Implementation Group 1 is explicitly scoped for small organizations with limited security expertise.) With that lens, they might realize that solving the SOC problem isn’t the most important thing for them right now. Maybe they need to concentrate their attention and resources on other things for the time being.

With that foundation, they can turn their focus to finding a service that gives them more bang for their buck. A practical way to do that is to invest in a service that uses automation not only for its defensive capabilities but also to cut back on notifications. That latter function is crucial: it reduces the noise so that the alerts that actually matter get through to a human.
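To make “automation that cuts back on notifications” concrete, here is an added illustration that is not code from the original post or from any vendor’s product. It deduplicates repeated alerts of the same kind on the same host, then elevates an alert only when it is high severity or when several distinct detections fire on one host inside a short window. The alert format, rule names, windows and thresholds are all assumptions chosen for the example, and the sample alerts are constructed.

```python
"""Alert noise reduction: deduplicate repeats, elevate what is correlated.

Added example; not the original post's code nor any vendor's product.
The alert schema, rule names and all thresholds below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts, in the shape a detection pipeline might emit.
SAMPLE_ALERTS = [
    {"ts": "2021-09-01T10:00:00", "host": "ws-17", "rule": "failed_logon", "severity": 2},
    {"ts": "2021-09-01T10:00:05", "host": "ws-17", "rule": "failed_logon", "severity": 2},
    {"ts": "2021-09-01T10:00:09", "host": "ws-17", "rule": "failed_logon", "severity": 2},
    {"ts": "2021-09-01T10:00:30", "host": "ws-17", "rule": "new_local_admin", "severity": 4},
    {"ts": "2021-09-01T10:01:00", "host": "ws-17", "rule": "lsass_access", "severity": 5},
    {"ts": "2021-09-01T10:02:00", "host": "srv-db", "rule": "failed_logon", "severity": 2},
    {"ts": "2021-09-01T10:20:00", "host": "ws-17", "rule": "failed_logon", "severity": 2},
]

# Assumed tuning values; a real deployment would set these per rule.
DEDUP_WINDOW = timedelta(minutes=10)        # repeats of one (host, rule) inside this window are folded
CORRELATION_WINDOW = timedelta(minutes=15)  # distinct rules on one host inside this window are related
ESCALATE_DISTINCT_RULES = 3                 # this many distinct rules on one host pages a human
ESCALATE_SEVERITY = 5                       # a single alert at this severity always pages


def _parse(ts):
    return datetime.fromisoformat(ts)


def deduplicate(alerts, window=DEDUP_WINDOW):
    """Keep the first alert per (host, rule) in each window; fold repeats into a count."""
    last_seen = {}
    kept = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["host"], a["rule"])
        t = _parse(a["ts"])
        prev = last_seen.get(key)
        if prev is not None and t - prev["first_ts"] < window:
            prev["count"] += 1          # same thing again: suppress, but remember it happened
            continue
        entry = dict(a, first_ts=t, count=1)
        last_seen[key] = entry
        kept.append(entry)
    return kept


def triage(alerts):
    """Split alerts into (page, notify): ones worth waking someone, and the routine rest."""
    kept = deduplicate(alerts)
    by_host = defaultdict(list)
    for a in kept:
        by_host[a["host"]].append(a)

    page, notify = [], []
    for host_alerts in by_host.values():
        for i, a in enumerate(host_alerts):
            # Distinct detections on this host in the window ending at this alert.
            recent = [b for b in host_alerts[: i + 1]
                      if a["first_ts"] - b["first_ts"] <= CORRELATION_WINDOW]
            distinct = {b["rule"] for b in recent}
            if a["severity"] >= ESCALATE_SEVERITY or len(distinct) >= ESCALATE_DISTINCT_RULES:
                page.append(dict(a, correlated_rules=sorted(distinct)))
            else:
                notify.append(a)
    return page, notify


def summary(alerts):
    """Return how many raw alerts became pages, routine notifications and suppressed repeats."""
    page, notify = triage(alerts)
    return {"raw": len(alerts), "page": len(page), "notify": len(notify),
            "suppressed": len(alerts) - len(page) - len(notify)}


if __name__ == "__main__":
    page, notify = triage(SAMPLE_ALERTS)
    print("PAGE:", [(a["host"], a["rule"], a["correlated_rules"]) for a in page])
    print("NOTIFY:", [(a["host"], a["rule"], a["count"]) for a in notify])
    print(summary(SAMPLE_ALERTS))
```

On the constructed input, seven raw alerts collapse to five, and only one reaches the page queue: the LSASS access on ws-17, which is both high severity and the third distinct detection on that host within fifteen minutes. The three failed logons become a single notification carrying a count of 3, which is the kind of context a small team can act on without being flooded.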

Automation isn’t the only thing that SMBs need in a service, either. SMBs don’t need a big SOC that they’ve built out. They also don’t need to pay a service to have a SOC. What they need is a team that can use their expertise to troubleshoot and examine critical issues. They need a team that can thread the needle.

We wouldn’t be writing this if we didn’t think we could help smaller organizations thread that needle, so if you have any questions, please reach out. We’d love to have a no-pressure chat about how we might help you.

Put Us In Your Corner.

We back you up with managed threat protection, visibility, and support, 24/7.