Two terms or concepts that at first glance appear to be, and mean, the same thing, but that carry subtle differences depending on the point of view and on the management model the company has opted for.
Cybersecurity management consists of a protection model determined by an organization's comprehensive strategy to protect all of its systems, infrastructure, data and information assets against risks and threats (cyber risks and cyber threats).
This involves a complete and iterative process of review, needs gathering, scoping, definition, planning, implementation, testing, supervision and continuous improvement of cybersecurity policies, procedures, tools, services, solutions and technologies.
Managed security, in fact, seems to be the same thing, understood as a cybersecurity management model that also aims to offer comprehensive protection to the organization's systems and data.
So are they the same, or does it just seem that way? A priori, yes, they are the same, in that they share the same objectives. However, when we talk about "managed security" as such, we mean something else that is not part of security management: the outsourcing of some, or all, cybersecurity tasks to external expert providers (generally specialized in cybersecurity and/or in particular aspects of it).
That is to say, the differentiating nuance lies in the fact that when we talk about managed cybersecurity, the organization is not in charge of its own cybersecurity; a third party is. When we talk about cybersecurity management, in the vast majority of cases, the organization is the one in charge of its own cybersecurity, partially or in its entirety, with partial or no support from third parties.
Perhaps this can be better understood by imagining the situation in which we ask a company things like: "Which cybersecurity management model do you follow?", or "Who is in charge of managing your cybersecurity?". Perhaps that is the key differentiator: the Cybersecurity Management Model that is applied, whether internal (the IT Department and specialists in the field who are on the company's staff) or external (hiring collaborators, subcontracting, outsourcing).
Cybersecurity management by the organization itself puts direct control over cybersecurity policies and processes in its own hands, adapting them to its specific needs, although it entails greater effort and cost in terms of specialized internal resources and continuous training.
Managed cybersecurity delegates that responsibility and control to the specialized experience of external providers, reducing the workload of the internal team and being more cost-effective, although it generates dependency and limits the capacity for customization. Managed cybersecurity service providers also offer real-time monitoring, threat detection, incident response and expert advice, among other additional "pluses".
Of course, it is perfectly viable (and in many cases even appropriate and healthy, where feasible) for both models to coexist in a Mixed Model or Hybrid Model, where the organization decides to entrust certain aspects of its cybersecurity to a third party (or several), while others are handled internally for whatever reasons.
Which of them is better? Which of the three management models is the most appropriate, efficient and cost-effective? It will depend on each case: on each company, its needs, its sensitivity towards delegation, its core business, its sector, its size, its resources, its objectives, its clients or types of clients, whether or not it is a company with critical products, services or activities, its finances, its investors and its board.
Internalizing provides greater control and adaptability, but can be costly and require a significant investment in specialized talent.
Outsourcing can be faster, more efficient and cost-effective and provide access to specialist knowledge, but it involves external dependency and a potential lack of adaptability.
For this reason, in most cases, the best option is generally a mixed approach that keeps cybersecurity management internal while also relying on external managed cybersecurity services.
The internal management of cybersecurity (internalize) has its advantages:
- Internal control where the company has direct control of the cybersecurity strategies and measures implemented.
- Adaptability, since it allows greater flexibility and customization to the needs and special characteristics of the company, thanks to the organization's internal know-how.
- Know-how or internal knowledge, which allows specialized knowledge to be developed within the organization.
But internal cybersecurity management (internalize) also has its disadvantages:
- Greater effort for the company, in terms of organization, capacity, processes, times and resources (with their dimensioning, management and training).
- High cost and investment compared to the alternative model, since it requires searching for and hiring specialized talent, incentives to avoid talent drain, the technologies and solutions adopted, and the continuous retraining and specialized training of said personnel.
- Limitations in access to specialized resources, which can hinder the recruitment of experts and specialists by medium-sized, small or resource-poor companies with limited budgets.
- Complexity in keeping up to date in order to protect efficiently, due to the overwhelming daily volume of new emerging threats, new techniques, the countless attack vectors, trends, new vulnerabilities, and patches and security updates to apply, etc.
For its part, managed cybersecurity has the following advantages:
- It can be faster, more efficient and more cost-effective.
- Capacity to delegate activity and responsibility, which reduces the workload of the internal IT team, or frees it from tasks, allowing it to focus on the matters it must attend to.
- Cost reduction compared to maintaining an internal team of experts and specialists or assuming part of these tasks by the IT team without specific capacity or knowledge.
- Access to experts and specialists that cannot always be achieved with internal management.
- Access to specialized knowledge that comes from the accompaniment, service and support of true experts.
- Proactivity that comes hand in hand with expert knowledge and consisting of a monitored service, almost always 24x7.
Although managed cybersecurity also has its disadvantages:
- External dependency, due to the degree of delegation and trust in a third party for its cybersecurity.
- Loss of control by the company by leaving all, or part, in the hands of a third party.
- Possible risks, conditions or attacks focused on the supply chain (third parties) that may lead to cybersecurity, privacy and confidentiality problems for the organization.
- Regulatory or legal non-compliance that affects the organization and translates into reputational problems, sanctions or fines, when its supplier does not hold a certain certification, or even when it does but, worse, some specific non-compliance occurs.
- Possible lack of flexibility and adaptability, and limits on customization, as external personnel manage, without 100% knowledge of the organization, the accesses, permissions and aspects inherent to the third party's specific managed services, their characteristics and the tools they use.
- Possible lack of coordination and alignment, as the supplier does not perfectly know or understand the organization's internal processes or operations.
In summary, cybersecurity management offers internal control and adaptability, but often with greater costs and resource challenges, while managed cybersecurity offers access to experts and a proactive approach, but may involve external dependency and customization limitations.
The choice between both models will depend on the needs, resources and risk tolerance of each company.
And, which of them do you choose for your company?
Maybe you need the help of professional cybersecurity services like the ones we offer at Zerolynx: Cybersecurity Services.
If you prefer, contact us and we'll talk.
Íñigo Ladrón Morales, content writer for Zerolynx.