As cyber-security around devices, networks, and more continues to diversify, multiply, and experience an increase in the number of breaches, small to mid-sized businesses have to ask themselves if they are properly equipped in-house to handle the necessary protocols to protect their data. What they also need to realize is that it’s okay if the answer is, “No.”

Picture this; you work in a small company and in order to keep up with PCI regulations, you’ve been asked to run a penetration test.  This is well outside your day-to-day security tasks, however you’ve mentioned having some experience in penetration testing so you’re called up. You conduct the test and receive your results but how did you know what to test for? Were you able to test for every vulnerability found in your scanner? Do you have the bandwidth or team resources to patch what is needed? Running a penetration test just to check a box isn’t enough to keep your organization safe. Oftentimes, when working in small to mid-sized businesses, employees are required to take on many tasks outside of their day-to-day jobs.

If businesses try to allocate security protection work to each employee’s task-load, it is expected that there will be delays or missed pieces as there is no one with sole responsibility and oversite. A company that is unable to either be proactive, or respond timely to matters such as data breaches or broken firewalls could find themselves in a load of trouble with not just the company, but with any of the clients they serve as well as federal regulators. Avoid both the data breaches and bad reputation by taking the time to research, invest, and implement the appropriate plan to have the best defense up and running, even if that plan is for your team to outsource and manage your defenses through a third-party. The list of mandated security tests and controls seems to grow exponentially as the security industry looks to combat the intelligence of hackers which is growing just as quickly. When choosing a Managed Security Services Provider (MSSP), there are several points to consider.

Here are some questions to ask as you determine the best option for your business: 

  • Does it provide for both immediate and future needs? 
  • Can you grow into the provider’s other programs as your business grows? 
  • Does this provider have experience in your specific industry?
  • Does the cost of outsourcing offset the cost of straining internal resources?
  • Can you define what tasks the MSSP will be focusing on?
  • How transparent will the provider be with their operations, storage of data, and protection of your records?
  • What is the reputation of the MSSP you are seeking to work with? Just because you’ve outsourced your security services, does not mean that they can work as a silo, separate from your day-to-day business.


The communication cannot be dropped between your MSSPs and your internal staff members—specifically with your security liaison. As your MSSP finds the vulnerabilities, potential attack paths, or areas that need another added layer of security, both parties need to be informed and work to prepare a plan of action. At Core Security, we believe outsourcing your MSSP should be in partnership with your in-house team. In the big, bad world of security breaches, it is important to educate and recruit amazing in-house talent but it is also just as important to realize when you need to reach out in order to keep yourself, and your customers, safe.