With enterprise adoption of managed security services gradually maturing, the rewards and risks of using these services have become a lot clearer for current and potential customers. A recent survey by Forrester Research of 140 MSSP customers found some organizations are leveraging third-party security providers successfully while many others are struggling to extract value from their relationships.

The analyst firm discovered that CISOs everywhere are struggling to justify their spending on MSSPs to non-security executives because of a lack of proper metrics and because of technology complexity—among other things. At the same time managed security services vendors themselves are struggling to tie the benefits they offer to the things that really matter to organizations—for their customers and stakeholders and how they support business requirements.

Using an MSSP is not outsourcing

“The number one mistake organizations make when using an MSSP is thinking that managed security services is outsourcing,” says Jeff Pollard, an analyst at Forrester and one of the authors of the survey report. The reality is that most firms consistently spend more time on security after adopting an MSSP, not less, he says. Often the time they spend might be on more valuable activities such as tracking down serious threats and incidents, and on vulnerability remediation activities. “If the company went in expecting to spend less time and needing less resources, that rarely becomes the case.”

Companies of all sizes tap MSSP services these days though bigger organizations tend to do it for different reasons than small- and medium-sized businesses. Daniel Kennedy, an analyst at 451 Research, says that some 30% of companies with fewer than 1,000 employees and four out of ten organizations with more than 1,000 workers have implemented managed security services.