DIY vs MSSP: Which is Right for You?

We live in a service-based economy where everything from movies and music to industrial lighting is available by subscription. Cybersecurity is no exception. Companies have the choice of building out their own security operations center (SOC) or working with a managed security service provider (MSSP) to handle the process for them. Which is best? Here are some factors to consider when deciding.  

Setup time

With data breaches on the rise, companies have no time to lose when setting up a robust cybersecurity operation. This is one area where working with an MSSP offers a clear advantage. According to Gartner, it takes between 18 and 24 months to establish a full physical SOC. That’s a long time for a company to be vulnerable to attack.  

Conversely, an MSSP gives you a ready-made SOC operation that shortens your setup time. Our white paper shows that a service provider with a well-honed onboarding process can onboard a customer in 30-45 days.  

Managing a cybersecurity technology stack

A DIY SOC means building your own cybersecurity technology stack. That gives you complete control over the tools you choose, enabling you to tailor a system exactly for your needs.  

The downside is the heavy lifting involved. A robust cybersecurity operation encompasses a wide range of tools, including:  

  • Vulnerability management: Tools that scan for software and hardware vulnerabilities, recommending the appropriate patches.  
  • Endpoint protection: Software including device management and anti-malware tools to protect endpoint devices from attack.  
  • Secure gateways: Next-generation firewalls and content scanners to protect networks against malicious traffic.  
  • Network monitoring: Software that logs and identifies network traffic, identifying suspicious events and escalating them for analysts.  
  • Intrusion detection and prevention: Preventative services that stop an emerging attack by detecting and containing malicious traffic.  
  • Threat intelligence feeds: This up-to-the-minute information details constantly evolving attack patterns and indicators of compromise.  
  • Security orchestration, automation, and response (SOAR) platform: These automation tools help to offload some tasks involved in cybersecurity response, freeing up time for human analysts and reducing response times.  
  • Security information and event management: This is your information hub for logging and correlating security events. It provides both real-time intelligence and longer-term analytics capabilities.  

This is a daunting list of products to evaluate and buy, but the real challenge comes in integrating them. A mature SOC is an end-to-end ecosystem that quickly detects emerging issues and enables multiple analysts to share and enhance that information. That requires interoperable products. Companies that build this infrastructure themselves often create ‘frankenstacks’ of tools that don’t work well with each other. That limits their employees’ ability to handle security events.  

An MSSP’s core business revolves around building and refining this toolset, meaning that it already has all the pieces in place. These complexities are hidden from customers, who can just enjoy a simple service contract with a single provider. A flexible MSSP will also be able to integrate their solution with any in-house tools that a customer brings to the partnership.  

Sourcing talent

A robust SOC is about far more than tools. Sourcing specialist cybersecurity employees is another challenge for companies taking a DIY approach to cybersecurity. Cybersecurity association (ISC)² found in its 2020 Cybersecurity Workforce study that 56% of companies were at risk because they couldn’t fill cybersecurity positions. Good people are hard to find.  

A DIY operation will need enough SOC analysts to monitor the network on a 24x7x365 basis because attackers never sleep. It will also need research analysts to monitor evolving threats, along with a director or team lead to steer the SOC in the right direction.  

An MSSP will already have invested in recruiting and training a full complement of employees who will provide round-the-clock monitoring as part of its standard service.  

Incident response

The investment doesn’t stop there for companies building their own cybersecurity capability. They must also invest in teams to manage cybersecurity tasks that extend beyond the SOC. Incident response is the most complex. A company needs multiple playbooks to handle various incident types, along with a multi-disciplinary skill set spanning technology, forensics, legal, and communications.  

Full-service MSSPs offer consulting expertise that helps customers hit the ground running when an incident occurs. Their advice and resources are invaluable during a breach incident when a client is fighting fires on all fronts.  


All of these cybersecurity measures are expensive to implement and maintain. A DIY operation faces a mixture of regular capital and operating costs. On the capital side, it needs to invest in the hardware infrastructure and software licenses to support its complex technology stack. The hardware will need regular refreshment, and the software licenses will need upgrades as tools emerge with new capabilities to counter fast-evolving threats.  

On the operating side, staff costs will be a major factor. Robert Half’s 2021 Technology Survey reveals costs of up to $190,000 per year for a data security analyst and $213,000 for an information systems security manager.  

An MSSP absorbs these ongoing costs, replacing them with a simple regular payment that makes complex cybersecurity protection both less expensive and more predictable for customers.  

Your final decision about who manages your cybersecurity will depend on your company’s specific characteristics and needs, but one thing is certain: in an era of mounting threats, it’s a decision you should make sooner rather than later.  


Looking to learn more about choosing the right MSSP? Download our whitepaper.

Have you registered for our next event?