CyberOne Blog | Cyber Security Trends, Microsoft Security Updates, Advice

Build A Board-Ready Managed Security Business Case for 2026

Written by Mikaela Somera | Dec 2, 2025 2:11:39 PM

TL;DR: Boards want fewer surprises. Managed security gives round-the-clock cover, clear accountability and pricing you can plan against, if you know what “good” looks like. 

"Cyber security is a cat-and-mouse game where the bad guys are always a step ahead."  
- Luke Elston, Microsoft Practice Lead, CyberOne 

The case for managed security is no longer theoretical. In 2025, there were around 2,200 cyber attacks every day, and attacks rose year on year. That reality collides with a persistent skills shortage and the practical limits of running your own 24x7x365 operation. 

This article summarises the key points discussed in Part 1 of our Boardroom Briefing Series "Build A Board-Ready Managed Security Business Case for 2026" and turns them into a checklist for leaders evaluating managed security.  

Why Now (And Why MXDR) 

The Operating Reality 

Attackers do not work office hours. If you plan an internal SOC, 9 to 5 is not enough. They will hit at 2 AM, on weekends and over the Christmas period. To cover that, you need people on three shifts. At an absolute minimum, you need six individuals to cover 24x7, with most aiming for eight to allow for holidays and sickness. That is before the technology spend and vendor management overheads.

Managed providers also see more and learn faster. Your internal team only sees your business. A managed service provider sees many businesses at once and turns those patterns into faster, sharper detections. When a provider protects 100 organisations, the compounding effect of learning is real.

Why Organisations Need Managed Security Now 

| Category | Key Insight | Supporting Data |
| --- | --- | --- |
| Skills shortage | Organisations cannot hire fast enough to build internal 24x7 coverage | 62% of security leaders cite lack of skilled personnel as a major barrier |
| AI-led attacks | Attackers use automation to accelerate reconnaissance, phishing, payload generation | 74% of leaders see AI‑driven attacks as a major challenge |
| Global cyber crime | Attack frequency and sophistication continue rising annually | 2,200 attacks occur daily in 2025; up 30% year‑on‑year |
| Operational burden | True 24x7x365 in‑house SOC requires minimum 6 to 8 staff plus tooling and management | Internal teams struggle to sustain staffing, training and shift patterns |

What “Good” Looks Like 

Request an MXDR (Managed eXtended Detection and Response) service, then test for non-negotiables. Every hour of every day the provider should be protecting you, backed by contractual SLAs. If SLAs are missed, there should be credits, not apologies. 

Insist On Evidence, Not Promises 

Providers should define KPIs for mean time to detect, respond and contain, and report them transparently so you can challenge underperformance. Monthly reviews should show the number of threats discovered and prevented, the trends, and any vulnerabilities or gaps that need action. 

Scope of Response is Critical. Many Providers Only Alert You 

They tell you a threat has been discovered but they do not respond and contain. If response and containment are not included, you carry the riskiest minutes yourself. 

Custom Fit Matters 

Off-the-shelf content is fine as a baseline, but it will not reflect your risks, systems and users. Look for routine detection engineering with measurable outputs such as a set number of custom rules each quarter, and proactive threat hunting every month or quarter with written findings and preventative actions. 

Data Sovereignty by Design 

Data Location Is A Board Issue 

If the provider copies your telemetry into their environment, you have doubled your threat surface because two copies of sensitive data now exist. Choose a model where the core security technology and telemetry sit in your tenant. You keep sovereignty and the option to change provider without data risk or long exit projects.

Cost Control & Predictability 

Three cost drivers matter most: your log strategy, the service pricing model and hidden extras.

1. Logs

Prioritise high-value security logs, filter noise, and blend hot storage for active detection with cold storage for long, cheaper retention. This keeps coverage high and spending sensible. 

Hot vs Cold Storage Explained

Hot Storage
Fast, searchable and designed for active threat detection. Security teams use hot storage for recent logs (typically 30 to 90 days) where rapid investigation matters. It costs more but delivers instant access for detection and response.

Cold Storage
Lower-cost, long-term retention. Ideal for compliance, audits and historic investigations where speed is less critical. Access is slower, but it keeps overall spending under control while maintaining the required data trail.

2. Pricing Models 

For most organisations, a per-user, per-month model is predictable because headcount is easy to forecast. Infra-heavy or OT environments may prefer a per-device, per-month model to align costs with assets. Avoid events-per-second (EPS) pricing. Volumes fluctuate, bills yo-yo and forecasting becomes a guessing game.

3. The Extras 

Watch for low entry prices that exclude common needs. New data sources, custom rules, bespoke SLAs and tuning can become chargeable change requests. Ask for an all-inclusive price with best and final terms that cover typical scope. Bundle add-ons where possible to get a better deal.

A good provider reduces telemetry costs rather than inflating them. Some are incentivised to drive ingestion. You want one who will optimise ingestion and retention, prove the impact each quarter and keep the signal-to-noise ratio high without losing detection coverage.

Cost Drivers & Control Levers for Managed Security 

| Area | What Drives Cost | How to Control It |
| --- | --- | --- |
| Log Ingestion | GB/day into SIEM or data lakes | Prioritise high‑value logs, filter noise and summarise high‑volume data |
| Storage Strategy | Hot vs cold retention, compliance retention periods | Keep 90 days hot; move older data to cold unless mandated otherwise |
| Pricing Model | Per‑user, per‑device or EPS | Use per‑user for predictability; per‑device for OT‑heavy; avoid EPS |
| Hidden Extras | Custom rules, integrations, threat hunting, tuning, SLA upgrades | Request all‑inclusive pricing with bundled add‑ons |
| Provider Incentives | Some inflate their ingestion to increase revenue | Choose a partner focused on optimisation, not volume |

Proving Value to the Board 

Value Proof Should Be Routine, Not Reactive 

Start with SLA compliance and KPI performance for detect, respond, and contain, delivered through a live dashboard and monthly reports. If a provider is not transparent, challenge them and reset expectations. 

Add structured service reviews with a named customer success lead who is your advocate. Review detection engineering outputs, threat hunting results and log optimisation outcomes. Show evidence that actions agreed last quarter were delivered. This is what builds board confidence that the operating risk is under control and trending down. 

Watch the Full On-Demand Session

If you want the complete breakdown, real-world insights and the full checklist for building a board-ready managed security business case, you can watch Part 1 of 3 | Boardroom Briefing Series: Managed Security today.