Procured, Not Protected? What to Watch When Outsourcing Cyber Security
At The-C2 this year, managed security services came up in more than one breakout room, corridor chat and follow-up conversation. There was general agreement that MSS is becoming more important, and that uptake is rising quickly. But alongside that enthusiasm, there was a more candid thread running through those conversations.
It centred on something that doesn’t show up in the sales pitch or the dashboard. Many organisations are expanding their reliance on managed security providers, but very few feel confident they are truly getting the clarity or outcomes they expected. That was exactly the topic of a follow-up meeting I had recently with someone I met at the event.
We talked about maturity, talent, expectations and gaps. And what emerged was a more nuanced picture of the current state of MSS, especially for those responsible for making it work inside their organisations.
Growth Is Happening, But So Are Frustrations
There is no doubt the MSS market is growing. Providers are covering more ground than ever: from SOC-as-a-Service and endpoint detection to threat intelligence, vulnerability management, digital forensics and more. Many are layering on machine learning and automation to improve scale and efficiency. From the outside, this looks like progress.
But several of us in that group, and the colleague I met with later, acknowledged a lingering sense of frustration. Despite the growth, customers often struggle to understand what is really being delivered, or how to measure it. Service descriptions are vague. Dashboards are busy but often shallow. And the real value, when it comes, is hard to attribute directly.
We also touched on a common pain point. Language in the MSS market lacks consistency. A service called “threat detection and response” might mean very different things from one provider to the next. That makes procurement challenging, but it also complicates internal conversations between cyber teams, procurement leads and business stakeholders. Everyone is trying to compare offerings that are being sold in different dialects.
The Skills Gap Is Holding Everything Back
One theme that came up repeatedly, and which really shaped our thinking, was the talent shortage. It is not just a supply issue. It is now influencing service quality, customer expectations and operational risk.
On the customer side, organisations are increasingly turning to managed services because they cannot build or retain skilled internal teams. But if there is not enough knowledge in-house to ask the right questions or validate the service being received, that quickly turns into blind reliance.
On the provider side, the growth in demand is outstripping the growth in available talent. Some MSSPs are stretched thin. Others are turning to automation and tooling to plug the gap. That may work for routine tasks, but in high-stakes situations, such as subtle anomalies or live incident response, judgement matters. If there is no human expertise behind the alert, the value disappears quickly.
This leads to a deeper concern. As services become more productised and interfaces become slicker, the people using them may lose touch with what is actually happening under the surface. If a security operations team is reading graphs instead of engaging with context-rich insights, the relationship becomes passive. And passive rarely means resilient.
The Role of Regulation Is Increasing, But Slowly
There is progress on the governance side. More organisations are aligning around procurement frameworks. And in several of the discussions at The-C2, there was interest in the idea of clearer certification or benchmarking standards to bring more trust and consistency to the market.
That movement is welcome, but it is not happening quickly enough to help the teams struggling right now. The problem, as it stands, is that many buyers are still making decisions without clear standards. And providers are often writing their own definitions of performance.
In the absence of common frameworks, the burden shifts back to the customer. You need enough capability in-house to evaluate a service on its own terms. That is a significant ask for small or mid-sized organisations, and even larger ones are having to adjust their operating models to keep up.
What We Took Away From the Conversation
The conversations ended with more clarity than closure. But a few points stood out.
Firstly, managed security is a valuable tool, but it cannot be treated as a turnkey solution. It works best when the customer maintains enough internal capability to challenge, interpret and act on what the provider delivers. Even a small, well-briefed internal team can make a big difference to the outcome.
Secondly, the relationship matters. If MSS is treated as a box-ticking exercise or a fixed contract, it is unlikely to deliver lasting value. But when the provider is seen as a partner, one who evolves with your threat environment and works alongside your strategy, the results are far better.
And thirdly, the skills challenge needs to be addressed collaboratively. Customers, providers and the broader ecosystem all have a part to play in growing and retaining talent. Whether that’s through training, mentorship, shared threat intelligence or secondments, it needs attention now. No dashboard will make up for an empty chair.
Final Thought
Managed services have never been more relevant to business resilience. The scope is wider. The tooling is more advanced. And the appetite for external support is only increasing.
But none of that guarantees success.
The organisations getting the most from MSS are not those who outsource the most. They are the ones who stay engaged, who know what questions to ask, and who recognise that outsourcing a service does not mean outsourcing responsibility.
If we want MSS to deliver what it promises, we cannot just manage the risk. We need to stay close enough to understand it.
