A shortage of skilled cybersecurity professionals, combined with budget cuts, is fueling growth in the managed security services market.

Estimates vary but the managed security service market is expected to enjoy a compound annual growth rate between 11% and 16% to reach up to $87.5 billion by 2030.

Many businesses find themselves unable to hire or retain an in-house security team due to budget constraints combined with a rapidly rising skills gap. Excessive workloads are also making it challenging to train up existing staff fast enough to keep pace with evolving threats.

Meanwhile, CISOs are under increasing pressure as their roles expand beyond technical oversight to include regulatory compliance, third-party risk management, and business enablement.

To address these persistent issues, CISOs are increasingly turning to managed security service providers (MSSPs) to help augment capabilities and bridge gaps.

“The cybersecurity skills gap isn’t just about unfilled roles; it’s about overstretched teams battling burnout while trying to keep pace with evolving threats, compliance demands, and business pressures,” says Robert Phan, CISO at cloud-based directory platform vendor JumpCloud. “This is driving more CISOs to turn to managed security service providers to plug gaps, gain 24/7 coverage, and access expertise that’s increasingly hard to build and retain in-house.”

This pressure is particularly acute for SMEs. The World Economic Forum’s Global Cybersecurity Outlook recently revealed 41% of SMEs suffered a material cyber incident last year.

“With growing attack surfaces and lean IT teams, many can no longer keep up alone. MSSPs and modern, cloud-native platforms help level the playing field, consolidating identity, access, and device management while supporting a zero trust approach,” JumpCloud’s Phan explains.

“Organizations are recognizing that in-house teams alone can’t keep pace with evolving threats,” adds Chris Gilmour, CTO at MSP Axians UK. “MSPs offer immediate access to specialized expertise and mature operational capabilities, enabling CISOs to scale both skilled resources and critical technologies, without the delays of hiring or upskilling.”

MSSPs help CISOs “extend capacity, reduce internal strain, and maintain continuous protection across an increasingly complex attack surface,” Gilmour says.

Security operations primed for outsourcing — and what must stay in-house

Experts quizzed by CSO cautioned that while the majority of functions lend themselves to outsourcing, others — including managing overall security strategies — are best retained in-house.

Generally anything that’s operational, repeatable, and requires specialist tooling or 24/7 coverage is best handed over to MSSPs. Prime candidates for outsourcing include:

  • Security operations centers (SOCs)
  • Cloud platform management
  • SIEM and log monitoring
  • Framework-based cybersecurity management functions
  • Threat intelligence feeds and analysis
  • Vulnerability scanning and patch management
  • Endpoint detection and response (EDR)
  • Firewall and network security management
  • Compliance tracking and audit support

“MSPs already have the infrastructure and staff in place to deliver these services efficiently — and at scale,” Richard Tubb, who runs the MSP community at Tubblog, tells CSO. “That’s a huge win for CISOs who need fast results without building everything from scratch.”

Afshin Attari, director of public sector at IT consultancy Exponential-e, says CISOs can be confident that MSPs handle day-to-day security operations, freeing them up to focus more attention on strategy, architecture, and governance.

“Managed service providers bring deep expertise, 24/7 monitoring, and access to cutting-edge tools that would be prohibitively expensive to develop in-house,” Attari says. “Services like threat detection and response, network monitoring, vulnerability scanning, and penetration testing lend themselves well to outsourcing.”

Attari adds: “These functions require specialist knowledge and constant vigilance, both of which MSPs can offer at scale.”

Deciding which functions to outsource to MSSPs comes down to a careful consideration of business goals, risk appetite, and regulatory requirements, but experts say some things shouldn’t be outsourced, including security governance and strategy, risk ownership and accountability, executive reporting and board engagement, business-aligned decision-making, and cyber awareness training.

“The CISO and their internal team should always retain control of the overall direction,” Tubb advises. “After all, MSPs can provide insight and execution, but only internal teams have the full business context.”

Tom Lovell, infrastructure and modern workplace principal consultant at Infinity Group, agrees: “Strategic oversight, risk assessment tailored to the business, and decision-making tied to regulatory compliance require intimate knowledge of the organization’s unique structure, processes, and risk tolerance, which external providers cannot replicate alone.”

Hybrid and co-managed security models

CISOs embracing the MSSP model need to develop a hybrid approach that finds the right balance between outsourcing functions and building in-house capability.

“CISOs can bridge critical skills gaps, maintain continuous protection with a shared hybrid approach, and create a more resilient security posture without overburdening stretched internal teams,” Exponential-e’s Attari suggests.

Steve Miller, manager of security engineering for EMEA at cybersecurity vendor BlueVoyant, tells CSO that many organizations are turning to co-managed security models.

“Unlike traditional managed services, which often involve outsourcing entire functions, co-managed approaches are designed to work alongside internal teams — augmenting their capabilities rather than replacing them,” Miller explains.

This model offers several advantages, according to Miller:

  • Knowledge transfer and upskilling: Internal teams benefit from working directly with external experts, accelerating their learning, and reducing long-term dependency.
  • Operational control: Organizations retain ownership of their security operations, ensuring alignment with internal policies and risk appetites.
  • Continuous optimization: Security tools are regularly reviewed and fine-tuned to adapt to evolving threats and business needs, thereby maximizing the organization’s return on investment.
  • Cost efficiency: Co-managed services can help organizations maximize existing investments, particularly in complex platforms where optimal ingestion patterns get the most out of licensing and minimize costs.

Jordan Schroeder, managing CISO at cybersecurity services provider Barrier Networks, says the best functions to consider outsourcing are those whose “process is mature and well-defined, with clear outcomes and responsibilities.” But a co-managed approach can still provide benefits elsewhere.

“For organizations with immature or ad hoc cybersecurity functions, outsourcing can accelerate the development of necessary definition and maturity, provided the MSP understands that their role includes guiding organizational development,” Schroeder advises.

Daryl Flack, cybersecurity expert and partner at managed security services provider Avella Security, argues that turning to MSSPs to outsource some security functions can be a good option for larger enterprises, not just SMEs.

“Organizations of all sizes are grappling with the challenge of recruiting and retaining specialized technical expertise, deploying advanced security tools, and maintaining the certifications and accreditations essential for regulatory compliance, third-party contracts, and a robust security posture,” Flack says.

Flack adds: “By partnering with MSSPs, CISOs gain access to a deep bench of highly skilled professionals and leading-edge technology. This approach empowers organizations to mitigate the risks associated with limited in-house resources.”
