What’s worrying you about your cybersecurity? That’s the very first question you should ask when you start shopping for managed cybersecurity services.
Then, you should ask, “What kind of cybersecurity services do I need?”
Believe it or not, the answers to those questions are not the same for everyone.
Some organizations worry too little, with the feeling that they just need a new software tool. Your cyber insurance provider requires endpoint detection and response (EDR), so you install EDR software. You’re worried about hackers, so you get a new firewall. Relying only on security tools is not the right strategy.
Some worry too much, but overwhelm paralyzes them:
- Am I doing enough to strengthen my cybersecurity posture to mitigate critical risks and fend off cyberattacks?
- Am I able to pass a regulatory compliance audit?
- Am I able to lower my cyber insurance premiums, or even be eligible for cyber insurance?
- Does my current IT team even have the time and specialized expertise to handle my security needs?
- Where do I begin?
Your answers to the questions above are important when considering outsourcing cybersecurity because you must weigh the costs with the benefits you expect from the investment. If you think cybersecurity is just a matter of installing some software, a complete cybersecurity strategy will probably seem too expensive. But if you’re eager to tackle some tough questions, then the answers will lead toward the right managed cybersecurity services partner for you.
By managed cybersecurity services, we mean the outsourcing of cybersecurity functions and responsibilities to a third-party service provider. In this model, organizations collaborate with a cybersecurity service provider to enhance their security posture, protect digital assets, and mitigate the risk of cyber threats.
Managed cybersecurity services are a great fit for organizations that do not have the internal expertise to keep up with cybersecurity best practices, tools, and threats. It makes sense—considering the devastation that a cyberattack can bring—to hire professionals who oversee an organization’s cybersecurity.
Now that you’re more aware of your mindset regarding cybersecurity, let’s dig into how much cybersecurity services should cost, what’s included, and how outsourced services are offered. (This article's focus is on managed cybersecurity services pricing, so we won't be diving into individual tool costs or salaries for cybersecurity professionals.)
In this article, we'll cover:
- How Much Do Managed Cybersecurity Services Cost?
- What’s Included in Managed Cybersecurity Services?
- Managed Cybersecurity Services Pricing Models
- The Cost of Not Having the Right Cybersecurity Measures in Place
- Choosing a Managed Cybersecurity Services Provider
- Outsourced Cybersecurity Services from VC3
How Much Do Managed Cybersecurity Services Cost?
Minimum costs for outsourced cybersecurity services start around $2,000 - $3,500 per month and go up from there.
On a per-user basis, that breaks down to a range between $195 and $350 per user, including support and maintenance. If you already have support (whether in-house or outsourced), the cybersecurity portion on its own is typically $35 - $65 per user.
The cost of cybersecurity services depends on the size of your organization, the complexity of your IT environment, and your specific needs (such as regulatory compliance).
Why the wide range? It’s challenging to compare apples to apples without analyzing everything that’s included from a services provider. And these services are difficult to evaluate properly if you don’t have the technical knowledge to sift through different options.
To help you evaluate, we’ll take you through some of the main components of managed cybersecurity services pricing.
What’s Included in Managed Cybersecurity Services?
Managed cybersecurity services often include a base set of common services along with a few advanced options. You don’t need to know the technical details of the tools that a security provider has in their stack. Still, there are some foundational technologies that you should be familiar with, at least by name. Whether you need the following items or not depends on the level of protection you need and your risk tolerance.
- Advisory services: The provider may offer security consulting through advisory services. The advisor provides regular reports and analyses of your security events, incidents, and overall security posture while offering expert guidance and consultation about your cybersecurity strategy. They will also work closely with you on becoming compliant and maintaining compliance with regulatory frameworks. Advisory services can vary depending on the depth of advice and how involved the advisor needs to be (such as running security committees, representing cybersecurity to your board or council, etc.).
- Cybersecurity software tools: Many providers deploy cybersecurity software tools as part of their services. Common tools include:
- Endpoint detection and response (EDR) coupled with 24/7/365 human monitoring: EDR is an essential tool to ensure that endpoints such as computers, servers, and mobile devices are secure from malware, ransomware, and other threats. It helps both prevent and detect threats. If you only have the tool without humans monitoring the alerts, then you may be vulnerable to cyberattacks despite having the EDR software installed.
- Multi-factor authentication (MFA): Any email applications, VPNs, cloud-based systems, servers, workstations, administrative accounts, critical infrastructure, and systems housing sensitive data need MFA. Though these are the highest priority, it is best practice to use MFA on every account you have. Your managed services provider will assist you with MFA to protect user account access for line of business applications and systems. Additional coverage options include hard-token MFA, third party application MFA, and network VPN MFA—which may be needed if you have policies to put MFA directly onto workstations or if you want your users to use tokens instead of personal mobile devices to authenticate their passwords.
- Microsoft 365 protection and backups: Because Microsoft 365 is so important to most organizations, you need baseline security protection and data backups beyond the default settings of the application.
- Credential monitoring: Also known as dark web monitoring, it’s useful to know if stolen user credentials (usernames, passwords, etc.) are being sold on the dark web.
- Advanced email protection: Some organizations require advanced encryption, filtering, and scanning to increase email security.
- Advanced web and content protection: Such tools can add an extra layer of protection to block employees from accessing potentially malicious or risky websites.
- Security Incident Event Management (SIEM) / Security Orchestration, Automation, and Response (SOAR): With SIEM, a security team provides real-time analysis of network hardware-generated and application-generated security alerts. SOAR combines SIEM, logging, managed detection and response (which involves a security team proactively looking for cyberthreats across your servers, computers, and entire IT network), and tools such as EDR.
- Advanced malware protection: These tools deploy a comprehensive and sophisticated set of security measures designed to detect, prevent, and respond to advanced malware threats (including zero-day attacks) that attack your endpoints and networks.
- Advanced cloud security: A set of sophisticated and comprehensive security measures and strategies are designed to protect cloud-based infrastructure, services, and data from a wide range of advanced cyber threats.
- Next-generation firewall: Next-gen firewalls combine traditional firewall capabilities with additional features and functionalities to provide enhanced protection against modern cyber threats—going beyond the basic packet filtering and stateful inspection of traditional firewalls.
- Incident response: No one can guarantee that you’ll never have a cyberattack, so a comprehensive security strategy isn’t complete without a remediation plan. As you’re evaluating costs, make sure that you understand the level of remediation offered. Services may include rapid response to security breaches, investigation of incidents, and coordination of efforts to contain and mitigate the impact.
- Policy writing: For some security providers, policy writing is included, and for others, it’s an add-on. Your policies set out guidelines for how you allow people and systems to access your network. Unless you have someone internally drafting your policies, it’s recommended that you say yes to assistance in this area.
- Regulatory compliance: Some security providers specialize in specific regulations such as HIPAA, CMMC, GDPR, SEC, etc. to make sure you’re compliant. In addition, many service providers follow common security frameworks such as NIST because these frameworks include a baseline of cybersecurity best practices that your organization should be following.
- Software patching: You need to ensure that software, applications, and systems are kept up to date with the latest security patches. Timely patching helps address known vulnerabilities and protect against exploitation by cyberattackers.
- Vulnerability management: This involves the regular assessment and management of vulnerabilities within an organization's systems, including identifying and addressing weaknesses that could be exploited by cyber adversaries.
- Security awareness training: Employee training programs enhance cybersecurity awareness and promote a security-conscious culture within an organization. This includes educating staff about phishing, social engineering, and best practices for maintaining security.
- Identity and access management: These are a set of practices, technologies, and policies that aim to ensure secure and appropriate access to an organization's resources by managing and verifying the identities of individuals and devices.
Managed Cybersecurity Services Pricing Models
The cost of cybersecurity services depends on the size of your organization, the complexity of your IT environment, and your specific needs, such as regulatory compliance. Depending on what managed cybersecurity services model you choose, let’s look at the options—and the prices.
Standalone Managed Cybersecurity
This option usually makes sense if an organization:
- Has an IT employee or employees with IT experience but little cybersecurity expertise.
- Uses an IT support vendor with limited time or expertise to help with cybersecurity.
- Needs to comply with regulatory requirements.
If you think your internal team or current IT support company has a good handle on IT management but no significant bandwidth for cybersecurity, then you might consider using outsourced cybersecurity services. If you choose this option, keep in mind that all parties—your IT employees, your IT support vendor, and your cybersecurity services provider—should work together closely.
Dedicated managed security service providers act as trusted advisors to help organizations make informed security decisions and often include insights into trends, vulnerabilities, and recommendations for improving security.
Outsourced cybersecurity services typically begin at a minimum cost of $2,000 to $3,500 per month, with prices increasing depending on scope and complexity of services.
Co-managed IT services + Managed Cybersecurity
If you’ve got a team that already handles both your IT and cybersecurity baseline items, you may find that the size and complexity of your organization requires that you need extra IT and cybersecurity specialization. However, you may find that you don’t have budget to hire extra staff, or they are difficult to hire and retain.
Co-managed IT services with managed cybersecurity may be a cost-effective answer. Costs can vary quite a bit depending on the scope of services, depth of monitoring, and speed of response to security incidents. Organizations requiring 24/7 real-time monitoring, rapid incident response, and continuous threat intelligence updates may have higher service fees.
Managed IT Services + Managed Cybersecurity
Ultimately, you need both cybersecurity and IT management—and in some ways, they overlap. For example, utilizing IT best practices for keeping your hardware updated, software patched, and network administered all contribute to your cybersecurity posture.
When you use a managed IT services provider, you can expect baseline cybersecurity services as part of your package. However, be cautious. If you’re paying less than $100/user/month for managed IT services, then it’s unlikely that very many cybersecurity services of consequence may be included. You might get some monitoring and alerting, but no real robust services and tools.
Once you get into the $100-$200 per user/month range, you start to receive proactive cybersecurity services that cover most of the baseline needs for your organization. For every tool that your provider utilizes, there’s typically a licensing fee that can run anywhere from $5 per user/month to $30 and up. Don’t expect the cost of these tools to be itemized, but just know that every tool has a cost.
Managed services with cybersecurity baseline items included is often the best option for smaller organizations that want a totally seamless IT management and cybersecurity experience. The managed IT services company should work with you to develop a roadmap for technology improvements, including cybersecurity.
The Cost of Not Having the Right Cybersecurity Measures in Place
When considering your options, think about what it will cost not to have the appropriate cybersecurity measures in place. A breach's impact can be bad – in the worst case, leading to business failure. For example, not complying with regulations could mean the loss of customers and hefty fines. Experiencing a data breach could incur costs and reputational damage from which it’s impossible to recover.
Choosing a Managed Cybersecurity Services Provider
As you’re vetting providers, look for signs of their credibility. Do they have specific designations such as Managed Security Services Provider (MSSP)? Do they have expertise in compliance that’s verified, like being a Registered Provider Organization for Cybersecurity Maturity Model Certification (CMMC)? Verify the credibility of a cybersecurity service company the way you would any other vendor that you’re evaluating with references and case studies.
By outsourcing cybersecurity functions to a managed service provider, organizations can leverage the expertise of cybersecurity professionals, access advanced technologies, and stay vigilant against evolving cyber threats. This approach allows you to focus on your core operations while maintaining a robust and adaptive cybersecurity defense.
Outsourced Cybersecurity Services from VC3
Here at VC3, we provide organizations with different options for managed IT and managed cybersecurity services. Whether you want to completely outsource everything IT, or need a guide to help you navigate regulatory compliance, we’re here to help. Get in contact to explore your options.
Note: This article was originally published in March 2022. It was updated in March 2024 to reflect current information.