Managed Security vs Internal IT

A 2024 Swiss cybersecurity report found that SMEs using managed security services detected threats 60% faster than those relying solely on internal IT.

For most Swiss SMEs, a hybrid approach, combining internal core competencies with external managed security services, offers the best balance of cost, expertise, and control. The choice between these models has far-reaching consequences for security levels, costs, and operational flexibility.

An increasing number of Swiss SMEs are turning to external security services. Yet uncertainty about the optimal approach persists. This guide provides a differentiated analysis of both models and shows when each approach makes sense.

Internal Cybersecurity: The Traditional Model

Advantages of Internal Security Teams

Deep Business Understanding: Internal employees know the company culture, processes, and systems in detail. They understand business-critical workflows and can prioritise security measures accordingly.

Direct Communication: Short paths to management and other departments enable quick coordination and pragmatic solutions. No communication through ticketing systems or service level agreements required.

Full Control: The company retains complete control over data, systems, and security decisions. No dependency on external service providers.

Integration into IT Strategy: Security can be smoothly integrated into the overarching IT strategy and ongoing projects.

Availability: Internal employees are directly available on-site when needed, know the physical infrastructure, and can intervene immediately.

Disadvantages of Internal Security Teams

Skills Shortage: The Swiss job market for cybersecurity specialists is extremely tight. According to ICT Professional Education Switzerland, over 3’000 qualified specialists are lacking, and the Federal Office for Cybersecurity (BACS) classifies this shortage as a critical risk for the Swiss economy. SMEs often cannot compete with large enterprises or consulting firms in recruitment, as those offer higher salaries and more attractive career prospects.

High Personnel Costs: A qualified cybersecurity specialist costs CHF 100’000 to CHF 150’000 annually in Switzerland, with senior profiles costing significantly more. Add social contributions, continuing education, infrastructure, and recruitment costs.

Limited Specialization: Cybersecurity encompasses numerous disciplines: network security, endpoint protection, cloud security, incident response, threat intelligence, security governance, and more. A single person or small team cannot cover all areas at expert level.

No 24/7 Coverage: Cyberattacks happen at any time of day or night, often deliberately outside business hours. A small internal team cannot ensure round-the-clock monitoring without exorbitant on-call costs.

Knowledge Silos and Key-Person Risk: If a key person falls ill, resigns, or goes on holiday, critical know-how is missing. In small teams, there is often no redundancy.

Limited Threat Intelligence: External providers see attack patterns across hundreds of clients and can detect threats earlier. Internal teams only have the perspective of their own company.

Learning Curve for New Threats: Cybersecurity evolves rapidly. Internal teams must continuously upskill but often lack time, as they are busy with day-to-day operations and projects.

Cost Factor: Internal Security

For an SME with 50 employees building a dedicated internal security team, the following costs typically arise:

Personnel:

  • 1 Security Engineer (80—100% workload): CHF 110’000
  • 1 Junior Security Analyst (50% workload): CHF 35’000
  • Social contributions (approx. 20%): CHF 29’000
  • Recruitment (one-time, amortised): CHF 8’000
  • Continuing education (certifications, conferences): CHF 10’000
  • Subtotal Personnel: CHF 192’000

Technology (still required regardless):

  • SIEM solution: CHF 15’000
  • Threat Intelligence Feeds: CHF 8’000
  • Security Tools: CHF 12’000
  • Subtotal Technology: CHF 35’000

Total cost: approx. CHF 227’000 annually

For this investment, the company receives coverage primarily during business hours, with limited depth of specialisation.

Managed Security Services: The External Approach

Advantages of Managed Security Service Providers (MSSPs)

Specialised Expertise: MSSPs employ teams with diverse specialisations: network specialists, malware analysts, compliance experts, incident responders. SMEs gain access to expertise that would be impossible to build internally.

24/7 Security Operations Centre (SOC): Professional MSSPs operate Security Operations Centres with round-the-clock monitoring. Threats are detected and addressed at night, on weekends, and on public holidays.

Scalability: Services can be quickly scaled up or down as needed. For special projects, incidents, or business developments, support can be flexibly adjusted.

Modern Technology: MSSPs invest continuously in the latest security technology, threat intelligence platforms, and automation. These costs are distributed across many clients.

Threat Intelligence: By serving numerous clients, MSSPs identify attack patterns early and can protect proactively. When one client is attacked, all others benefit from the insights.

Predictable Costs: Monthly or annual service fees are plannable and contain no hidden personnel costs such as holidays, sick leave, turnover, or continuing education.

Quick Start: Implementing managed services typically takes weeks, while building an internal team takes months to years.

Compliance and Certifications: Many MSSPs are certified to ISO 27001 or other standards and can simplify compliance documentation.

Disadvantages of Managed Security Services

Less Business Context: External service providers understand specific business processes and culture less deeply than internal teams. This can lead to false alarms or suboptimal prioritisation.

Dependency: The company becomes dependent on an external partner. If quality issues arise or the business relationship ends, switching providers can be complex.

Communication Overhead: Collaboration takes place through defined interfaces, ticketing systems, and service level agreements. Direct, informal communication is more difficult.

Data Privacy Concerns: External service providers need access to systems and logs, which raises data protection questions. Careful contract design and selection of a trusted partner are essential.

Standardization vs. Customisation: MSSPs work with standardised processes and tools. Highly individual solutions are often harder to implement than with an internal team.

Potential Conflicts of Interest: Some MSSPs earn from additional services or escalations. Transparent pricing models and clear SLAs are important.

Swiss Data Privacy: For Swiss companies, it is important that data remains in Switzerland and the MSSP complies with Swiss data protection law. Not all international providers meet these requirements.

Cost Factor: Managed Security

Managed security services are typically billed under various models:

Basic SOC Monitoring (24/7, reactive):

  • CHF 2’000—CHF 5’000 per month for SMEs with 30—50 endpoints
  • Annually: CHF 24’000—CHF 60’000

Managed Detection and Response (MDR, proactive):

  • CHF 4’000—CHF 8’000 per month
  • Annually: CHF 48’000—CHF 96’000

Thorough Managed Security:

  • SOC, EDR, SIEM, Vulnerability Management, Incident Response
  • CHF 6’000—CHF 12’000 per month
  • Annually: CHF 72’000—CHF 144’000

Additional services:

  • Penetration Testing: CHF 8’000—CHF 25’000 per test
  • Incident Response (during an incident): CHF 200—CHF 350 per hour
  • Consulting: CHF 180—CHF 280 per hour
  • Security Awareness Training: CHF 100—CHF 300 per employee

For an SME with 50 employees, a solid managed security package typically costs CHF 60’000—CHF 100’000 annually, significantly less than an internal team, while offering greater expertise and 24/7 coverage.

The Hybrid Approach: The Best of Both Worlds

The hybrid approach is the most cost-effective solution for 70—80% of Swiss SMEs, as it combines internal business context with external 24/7 expertise. According to an analysis by digitalswitzerland, over 60% of Swiss companies already use a mixed model. A hybrid approach combines the advantages of both models:

Model 1: Internal Basics + External Specialization

Internal:

  • IT generalist with basic security knowledge (part of the IT team)
  • Responsible for: basic configuration, patch management, user administration, first point of contact

External:

  • MSSP for 24/7 SOC monitoring and incident response
  • Security consulting for strategy and architecture
  • Specialised testing (penetration testing, red teaming); providers such as RedTeam Partners complement managed security optimally by verifying the effectiveness of existing protective measures through realistic attack simulations
  • Awareness training

Advantage: Cost-effective, combines internal business context with external expertise.

Ideal for: SMEs with 20—100 employees, moderate risk profile.

Model 2: Internal Security Leadership + External Execution

Internal:

  • CISO or Security Manager (can be part-time or virtual)
  • Responsible for: strategy, governance, risk management, vendor management

External:

  • MSSP for operational security (SOC, EDR, SIEM)
  • External experts for specialised projects

Advantage: Strategic control kept internal, operational expertise external.

Ideal for: Mid-sized SMEs (50—200 employees), regulated industries, elevated risk profile.

Model 3: Internal Security + External Augmentation

Internal:

  • Small security team (1—2 people)
  • Responsible for: strategy, architecture, governance, day-to-day operations

External:

  • 24/7 SOC for times when internal team is unavailable
  • Incident response retainer for emergencies
  • Specialised services as needed

Advantage: Maximum control, external support as a safety net.

Ideal for: Larger SMEs (100+ employees) or companies with high risk profiles.

Decision Criteria: What Is Right for Your Company?

Arguments for Primarily Internal Security:

  • Very specific, complex, or proprietary systems that make external understanding difficult
  • Extremely sensitive data where external access should be minimised
  • Sufficient budget for a multi-person, specialised team
  • Size and attractiveness to recruit and retain qualified specialists
  • Regulatory requirements demanding direct, internal access
  • Geographical or operational particularities requiring permanent on-site presence

Arguments for Primarily External Security (MSSP):

  • Limited budget that does not allow a specialised internal team
  • Difficulty recruiting cybersecurity experts
  • Need for 24/7 monitoring and incident response
  • Desire for rapid build-up of security capabilities
  • Lack of internal expertise for modern threat environments
  • Desire for predictable, plannable costs
  • No critical mass for full-time security positions

Arguments for Hybrid Models:

  • Desire for internal business understanding AND external expertise
  • Moderate risk profile that allows differentiated coverage
  • Existing IT resources but no security specialists
  • Cost optimisation through targeted combination
  • Flexibility for future growth

Selection Process for Managed Security Providers

If you decide on external services, choosing the right partner is critical. Our thorough checklist helps with the selection.

Key criteria:

Swiss Presence and Data Privacy: Is data processed in Switzerland? Is the MSSP familiar with Swiss data protection law?

Certifications and Standards: ISO 27001, ISAE 3000, industry-specific certificates?

SOC Quality: Where is the SOC located? Who staffs it (own employees or subcontractors)? Which languages are spoken?

Transparency: Do you receive insight into processes, tools, and metrics? Or is everything a “black box”?

SLA and Response Times: How quickly are incidents responded to? What happens in case of SLA violations?

Incident Response Capabilities: What happens when a serious incident occurs?

References: Which other Swiss SMEs use the service? Can you speak with reference clients?

Technology Stack: Which tools does the MSSP use? Are these modern, recognised solutions?

Pricing Model: Are all costs transparent? Are there hidden additional costs?

Exit Strategy: How easy is it to switch if the collaboration does not work out?

Transition Management: Switching Between Models

From Internal to External

When switching from internal to external security:

Ensure documentation: The MSSP needs thorough documentation of your infrastructure, configurations, and processes.

Organise knowledge transfer: Plan sufficient time for handovers and training of the MSSP team.

Clarify internal roles: Even with an MSSP, you need internal contacts. Define these roles.

Phasing: An abrupt switch is risky. Plan a transition phase with parallel operations.

Employee communication: If internal security employees are affected, communicate transparently and fairly.

From External to Internal

When you want to internalize managed services:

Start recruitment early: Finding qualified specialists takes months.

Demand knowledge transfer: Your MSSP should be contractually obligated to hand over its knowledge.

Evaluate technology: Which tools from the MSSP can/will you adopt? What else do you need?

Gradual transition: Take over areas of responsibility gradually, not all at once.

Keep a retainer: Even after internalization, a reduced MSSP service as backup can make sense.

Cost Comparison: A Worked Example

Scenario: SME with 50 employees, moderate risk profile

Option A: Purely Internal

  • 1 Security Engineer (100%): CHF 120’000
  • Social contributions: CHF 24’000
  • Tools (SIEM, TI): CHF 25’000
  • Continuing education: CHF 8’000
  • Total: CHF 177’000
  • Coverage: Mon—Fri, 8:00—18:00, limited specialisation

Option B: Purely External (Managed Security)

  • MDR Service (24/7): CHF 72’000
  • Quarterly Pen Testing: CHF 12’000
  • Security Consulting (5 days): CHF 10’000
  • Awareness Training: CHF 6’000
  • Total: CHF 100’000
  • Coverage: 24/7, broad expertise, rapid response

Option C: Hybrid

  • IT generalist with security duties (30%): CHF 30’000
  • Basic SOC Monitoring (24/7): CHF 36’000
  • Annual Pen Test: CHF 12’000
  • Security Consulting (3 days): CHF 6’000
  • Awareness Training: CHF 6’000
  • Tools: CHF 10’000
  • Total: CHF 100’000
  • Coverage: 24/7 monitoring, internal point of contact, balanced expertise

In this example, Options B and C offer better value for money than a purely internal solution, with Option C providing the best mix of control and expertise.

Virtual CISO (vCISO): An increasing number of SMEs are using external, experienced CISOs on a part-time or project basis to gain strategic security leadership without funding a full-time position.

Security-as-a-Service: Granular, modular security services enable precise sourcing of only the components needed.

AI-Based Automation: AI-powered tools reduce personnel effort for routine tasks and make both internal and external models more efficient.

Community-Based Security: Industry collaborations and information-sharing groups enable SMEs to share threat intelligence collectively.

Managed Detection and Response (MDR): These services combine technology (EDR) with human expertise and are increasingly becoming the standard for SMEs.

Conclusion: There Is No One-Size-Fits-All Solution

The optimal security organisation depends on numerous factors: company size, industry, risk profile, budget, existing resources, and strategic priorities. For most Swiss SMEs, a hybrid approach is optimal, combining internal business context with external expertise and 24/7 monitoring.

More important than the choice between internal and external is the quality of execution. An average internal team is no better than an average MSSP, and vice versa. Invest time in careful selection, whether of employees or partners, and continuously develop your security organisation.
