Managed Security vs In-House IT

Should you build cybersecurity around an internal IT person, or outsource it to a managed security team? An honest look at cost, coverage, and the gaps that matter.

The Honest Starting Point

In-house IT and managed security aren't really competitors — they're different jobs that often get confused for one. Your IT person keeps the business running: devices, accounts, software, helpdesk. A managed security service runs security operations: detecting attacks, responding to them, and keeping the controls tuned.

The mistake most SMBs make is assuming the IT person covers security too. They can cover some of it. What no single generalist can realistically do is watch for threats around the clock, respond to a ransomware event at 2am on a Sunday, or keep pace with the specialised, fast-moving discipline of threat detection.

Where In-House IT Genuinely Wins

Be fair to the in-house model — it has real strengths:

  • Business context. They know your people, your systems, your quirks. That speeds up day-to-day support.
  • Presence. Someone in the building can physically fix things and respond to staff immediately.
  • Helpdesk experience. For device support, onboarding, and IT operations, in-house is often the better experience.

None of those strengths are security operations — they're IT operations. Which is exactly why the two models complement each other rather than replace each other.

Side-by-Side Comparison

Ranges are illustrative — your numbers will vary by size, region, and scope.

Dimension | In-House IT | Managed Security
Annual cost (typical 15-person SMB) | $70k–$110k (one generalist) | $6k–$18k
Coverage hours | Business hours + best-effort on-call | 24/7/365
Threat detection depth | |
Incident response capability | |
Specialised security expertise | |
Continuity when staff leave / take leave | |
Day-to-day helpdesk & device support | |
Knowledge of your business context | |
Compliance documentation & audit prep | |
Scales with company growth | |

The Coverage Gap Nobody Budgets For

A single IT person works roughly 40 hours a week. There are 168 hours in a week. That leaves 128 hours — 76% of the week — with no security coverage at all. And attackers know it: ransomware overwhelmingly launches on Friday evenings and weekends, precisely when the in-house person is off the clock.

You can't close that gap with one hire. You'd need three to four people for genuine 24/7 rotation — which puts you well past $300,000 a year in salary alone, for an SMB that may only have 20 employees.

The Real Cost Comparison

For a 15-person business, the honest math looks like this:

  • In-house generalist: $70,000–$110,000 fully loaded, business hours only, single point of failure, plus you still buy all the tools separately ($10,000–$20,000/year).
  • Managed security: $6,000–$18,000/year all-in, 24/7, a whole team, tools included, scales as you grow.

The managed model isn't just cheaper — it delivers something the in-house model structurally cannot at SMB scale: continuous coverage and specialist depth.

The Right Answer for Most SMBs

Keep your IT person — or your IT/MSP arrangement — for what they do well: operations, helpdesk, device support. Add a managed security partner for the security operations layer. Clear division of responsibility, no coverage gap, no $300k payroll line.

In-house security only becomes the right call above roughly 200 employees, or with specialised compliance demands. For a 5–50 person business, the outsourced model wins on cost and on coverage.

For the wider framework, see our MSP vs MSSP guide and the complete MSSP guide for SMBs.

Frequently Asked Questions

Can my in-house IT person handle cybersecurity?

They can handle some of it — patching, account setup, basic configuration. What a single IT generalist cannot realistically do is 24/7 threat monitoring, incident response, and the specialised work of detecting modern attacks. Security is a discipline distinct from IT operations, and it doesn't sleep when your IT person goes home.

Is in-house IT cheaper than managed security?

Rarely, once you account for the full picture. One IT generalist costs $70,000–$110,000 loaded and still leaves nights, weekends, holidays, and sick days uncovered. A managed security service delivers a whole team, 24/7, for a fraction of a single salary — typically $5,000–$30,000 per year for an SMB.

Should I fire my IT person if I hire an MSSP?

No. They do different jobs. Your IT person keeps systems running and supports your team day-to-day; the MSSP runs security operations. The best outcome for most SMBs is your IT person plus a managed security partner, with clear lines of responsibility between them.

What does in-house IT genuinely do better?

Speed and context on day-to-day issues. An internal person knows your business, your people, and your quirks. They're in the building. For helpdesk, device support, and operational IT, in-house is often the better experience. The gap is purely in 24/7 security operations and specialised threat work.

When does in-house security actually make sense?

Above roughly 200 employees, or when you have specialised compliance (CMMC Level 3, classified work) or in-house product-engineering risk. Below that, the economics and the coverage math both favour outsourcing security operations.

Not Sure Where Your Coverage Gaps Are?

Book a free 30-minute assessment. We'll review what your current IT arrangement covers — and what it doesn't.