SOC vs MDR vs In-House Security: What New Zealand SMBs Need in 2026

Dayna-Jean Broeders

08 June 2026


The decision between building security internally, outsourcing to a Managed Service Provider (MSP), or engaging a specialist security firm providing SOC or MDR services isn't straightforward. Each approach has genuine trade-offs, and the right choice depends on your specific situation, risk profile, and resources.

But there's an increasingly important factor changing the equation: cyber insurance requirements. What was once optional - 24/7 security monitoring - is becoming effectively mandatory for coverage. That changes which options are actually viable.

This guide explains what each approach entails, where each makes sense, and why the traditional "build it ourselves" approach has become significantly riskier for most NZ SMBs.

 

The Staffing Reality: Why DIY Security Is Harder Than It Looks

New Zealand has a cybersecurity staffing shortage that's not getting better.

According to recent industry data, the tech sector is experiencing acute skills shortages, with cybersecurity positions among the hardest to fill. For SMBs competing against larger enterprises with bigger budgets and established security teams, hiring becomes exponentially harder.

The Hidden Costs of Internal Security

When organisations decide to build internal security capability, they typically underestimate the total cost:

Direct salary costs are just the beginning. A security professional in New Zealand commands a salary in the range that reflects significant experience (junior roles pay less, but lack the expertise you likely need). But that salary is only 60-70% of the true cost.

Add recruitment costs (headhunter fees if you use them, advertising, interview time), onboarding (training, integration with existing teams, knowledge transfer), and ongoing development (certifications, conference attendance, staying current with evolving threats). A security hire typically costs 30-40% more than the salary suggests when you account for the full picture.

Then there's turnover. Security professionals are in high demand globally. The moment they gain experience at your organisation, larger companies and overseas opportunities become attractive. Average tenure for security staff in NZ is substantially lower than IT generalists.

The tools and infrastructure costs are also significant. Your security team needs:

  • SIEM (Security Information and Event Management) systems collecting and analysing logs from all your systems

  • Threat intelligence feeds keeping them updated on current attack patterns

  • Endpoint detection and response tools for visibility into devices

  • Vulnerability scanning and assessment tools

  • Potentially a dedicated Security Operations Centre (SOC) space and infrastructure

Each of these has meaningful licensing and operational costs and they require expertise to implement and maintain properly.

The expertise gap is real - Security operations isn't something you learn from textbooks. A new hire takes months to become truly effective at your organisation - understanding your specific systems, risk profile, and threat environment. During that ramp-up, you're paying for capability you're not yet getting.

The coverage problem - A single security person working business hours means zero monitoring outside those hours. Attackers, of course, work around the clock. Even hiring two people gives you weekend and night coverage that's thin and reactive. Effective 24/7 security operations requires rotating teams, which means you need at least three people to cover 24 hours continuously - and even then, coverage isn't continuous (people take leave, get sick, get promoted).

For most SMBs, the true cost of a minimally viable internal security team - just one person plus tools and infrastructure - runs into the hundreds of thousands of dollars annually. For more robust 24/7 coverage, you're looking at multiples of that.

The Compliance Problem

There's also something less obvious but increasingly important: cyber insurance now regularly requires 24/7 security monitoring as a condition of coverage.

"One of the interesting things I've noticed is in New Zealand, when I'm talking to a board, I would typically make a cost-benefit argument," says NSP's CISO Geordie Stewart. "In Europe and America, they'd be interested in ROI analysis. One of the things I noticed in New Zealand is that doesn't cut any ice. But as soon as you say to somebody, '80% of your competitors have already done it,' well, now they're interested."

The shift toward managed security services in the NZ market isn't entirely voluntary - it's driven partly by insurance requirements. If you can't demonstrate 24/7 monitoring, many insurers will either decline coverage entirely or price it as uninsurable risk.

That means "DIY security with business hours monitoring" isn't actually viable for most businesses that need cyber insurance - which increasingly is nearly all businesses.

 

Understanding the Spectrum: From MSP to SOC to MDR

Before deciding what you need, you need to understand what these terms actually mean - because they're often used loosely, and that creates dangerous mismatches in expectations.

MSP (Managed Service Provider): IT Management, Not Security

An MSP manages your IT infrastructure: servers, devices, networks, software, connectivity. They ensure systems are available, performing well, and updated.

Security is part of what an MSP does - they'll ensure antivirus runs, firewalls are configured, patches are deployed. But security isn't their specialisation; it's a feature of their broader IT management service.

This is an important distinction. "An MSP with security capabilities" is not the same as "a security provider." It's like saying a general practice doctor can handle complex surgery - technically they understand the body, but it's not their core expertise.

For basic security hygiene - ensuring devices are patched, antivirus is running, basic firewall rules are in place - an MSP is often adequate. But for threat detection, incident response, and 24/7 monitoring, you're relying on a generalist providing security features, not a specialist providing security operations.

MSSP (Managed Security Service Provider): Security Operations Focus

An MSSP specifically focuses on security operations: threat detection, incident response, security monitoring, compliance.

Think of the distinction this way: an MSP keeps your lights on and your systems running. An MSSP watches for intruders trying to break in and responds when they do.

An MSSP will:

  • Deploy and maintain security monitoring tools

  • Provide 24/7 threat detection and analysis

  • Respond to security incidents

  • Maintain compliance with requirements like cyber insurance expectations

  • Provide security consulting and guidance

The critical difference is that security expertise is their core business, not an add-on service.

SOC (Security Operations Centre): The Team and Infrastructure

A SOC is both a physical/virtual space and a team structure providing continuous security monitoring and incident response.

A SOC includes:

  • Security analysts monitoring systems 24/7 for threats

  • Incident response specialists who respond when threats are detected

  • Tools providing visibility into your entire environment

  • Processes and procedures for investigation and response

When someone says they're "building a SOC," they typically mean hiring a team to provide these services - either internally or through a managed provider.

An internal SOC requires significant investment: hiring the right people (analysts, incident responders, a SOC manager), building the team structure, implementing the right tools, and creating the processes and procedures. For most SMBs, this is economically unfeasible.

A managed SOC - where you contract with a provider like NSP to operate a SOC on your behalf - gives you SOC-level capability without building an internal team.

MDR (Managed Detection and Response): SOC Plus Proactive Hunting

MDR is SOC-level monitoring plus additional capabilities:

  • Detection: Identifying threats and anomalies in your environment

  • Response: Taking action to contain and remediate threats

  • Hunting: Proactively searching for threats that may have evaded detection systems

  • Threat intelligence: Understanding the broader threat landscape and how it applies to your specific environment

MDR providers typically employ senior security analysts (often former incident responders or threat hunters) who go beyond passively monitoring alerts and actively hunt for signs of compromise.

The distinction between SOC and MDR is important for insurance and compliance purposes. Many cyber insurance policies now specifically mention MDR as meeting their monitoring requirements - not just generic "24/7 monitoring," but MDR-level capability.

 

The Cost Reality (Without Locking In Prices)

Understanding typical cost ranges - without committing to specific pricing - helps you evaluate options realistically.

Internal Security Team

For a single full-time security professional, you need to budget for salary, benefits, recruitment, tools, and ongoing development. SIEM and other security tools add another layer of cost. The total annual cost for one person plus tools typically starts in the range you'd apply to a mid-to-senior technical hire, with additional overhead on top.

For 24/7 coverage, you need at least three people rotating through shifts, plus a manager/coordinator. That's a substantial annual investment - we're talking multiple senior salaries plus tools and infrastructure.

This doesn't account for ramp-up time (your team isn't fully effective for months), turnover costs (when someone leaves, you're recruiting and training again), or the opportunity cost of hiring someone who could be doing other strategic work.

Managed SOC/MDR Services

Managed security services typically cost less than building a full internal team - but the pricing model varies significantly based on:

  • How many devices/users you're protecting - Pricing scales with your environment size

  • What services are included - Monitoring only vs. monitoring plus incident response

  • Response SLA requirements - Faster response times cost more

  • Integration complexity - Complex environments with legacy systems cost more to monitor

  • Threat intelligence and hunting - Additional proactive services add cost

Rather than guessing, the honest conversation is: you'd contact providers like NSP and discuss your specific environment. Some organisations find managed services cost comparable to internal hiring; many find it costs significantly less when you factor in recruitment, turnover, and opportunity costs. Some find a hybrid approach works - internal resources for strategic security work, managed services for 24/7 operational monitoring.

The point is: get quotes from real providers based on your actual environment. Don't assume managed is cheaper or more expensive without doing the analysis.

The Insurance Angle: Cost Justification

One cost component people often overlook: cyber insurance premium reductions.

Organisations that can demonstrate 24/7 security monitoring and documented incident response procedures often qualify for cyber insurance premium reductions of 15-30% compared to organisations without these controls.

If your cyber insurance premium is significant, the cost of managed SOC/MDR services might be entirely justified by insurance savings alone - before you even account for the risk reduction benefit.

Conversely, if you're trying to save money by skipping 24/7 monitoring, you may find your cyber insurance either denies coverage, charges uninsurable-risk premiums, or excludes certain incident types. That risk is poorly quantified in most "should we outsource?" analyses.

 

When Each Approach Makes Sense

Having understood what these options are and their cost ranges, here's when each is actually appropriate:

Build Internal: Rarely the Right Choice for SMBs

Building a meaningful internal security capability makes sense when:

  • You have 500+ employees and can justify a 3-5 person security team

  • You have the budget to attract experienced security professionals in a competitive market

  • You have specific regulatory or operational requirements that demand internal control

  • You can genuinely commit to 24/7 operations (not business hours with "someone on call")

For most NZ SMBs, this is economically unfeasible. The organisations that attempt it typically end up with a single person trying to do everything, burning out and leaving within 2-3 years, then scrambling to find managed alternatives.

Exception: You might have one internal security-focused person providing strategic guidance and governance, while a managed provider handles the operational 24/7 monitoring. This hybrid approach - sometimes called a vCISO model - gives you internal security leadership without the full team overhead.

Managed SOC/MSP Combination: For Risk-Aware SMBs

If your organisation has meaningful exposure (handling customer data, regulated data, significant financial information), and you want proper 24/7 security monitoring without building an internal team, a managed SOC makes sense.

You're getting:

  • 24/7 threat detection and monitoring

  • Professional incident response when needed

  • Compliance with cyber insurance monitoring requirements

  • Expertise you likely can't hire internally

The trade-off: you're outsourcing your operational security. You need to be comfortable with that and ensure your vendor selection process is rigorous.

For most professional services firms (law, finance, accounting), healthcare practices, and any organisation handling sensitive data, this is becoming the standard approach.

MDR: When Risk Profile Justifies Advanced Capability

MDR (beyond basic SOC-level monitoring) makes sense when:

  • Your threat exposure is higher (you're in regulated industries, handle valuable data, operate in geopolitically sensitive contexts)

  • Cyber insurance requirements specifically mention MDR

  • You've experienced incidents and want more proactive threat hunting

  • Your organisation wants to move beyond reactive monitoring to active threat seeking

MDR costs more than basic SOC because you're paying for more senior analysts and proactive hunting capability. But for high-risk organisations, that cost is justified.

The Reality Check: Most NZ SMBs Should Use Managed Services

Let's be direct: most New Zealand SMBs should be using managed SOC or MDR services, not trying to build internally or relying on MSP security features.

The reasons:

  1. Staffing is impossible - The skills shortage is real, hiring is hard, retention is worse

  2. Insurance requires it - 24/7 monitoring is now effectively mandatory for coverage

  3. Cost effectiveness - Managed services typically cost less than internal building when you factor in all costs

  4. Risk reduction - Professional 24/7 monitoring catches threats that business-hours-only approaches miss

  5. Expertise concentration - Managed providers stay current on threats; one internal person can't

The organisations that try to go it alone typically end up regretting it and switching to managed services anyway - just after paying the opportunity cost of years without proper security.

 

Evaluating Managed Security Providers: What Actually Matters

If you decide managed SOC or MDR is right for you, how do you choose a provider?

Red Flags to Watch

Offshore-only operations with no local presence - You want people who understand the NZ market, regulatory environment, and threat environment. Time zone mismatches for incident response are also problematic.

No incident response capability - Monitoring without response is like having smoke detectors but no way to put out fires. Ensure your provider has actual incident response specialists, not just alert analysts.

Generic, non-customised approach - Your environment is unique. Providers offering only off-the-shelf monitoring stacks without customisation for your specific systems and requirements aren't treating your security seriously.

No clear SLAs or response procedures - How quickly will they respond to a critical alert? What's the escalation process? If this isn't documented clearly, you don't have a real commitment.

Vague about their tools and processes - A provider who can't explain clearly what they're monitoring, how their detection works, and how they handle incidents is hiding complexity or incompetence.

What to Specifically Ask

What does your monitoring actually cover? Not "we monitor your environment" but specifically: what systems, what data types, what threat vectors, what's excluded?

How many people are actually looking at my alerts? Is it one analyst covering 50 clients? A dedicated team? Automation with human review?

What's your incident response capability? Can they respond 24/7? Do they have forensic specialists? Are they just alerting you or actively containing threats?

How do you stay current on threats? Do you have threat intelligence operations? Are you actively hunting for new threat patterns or just responding to known signatures?

What's your track record with similar organisations? Ask for references - specifically organisations similar to yours (industry, size, risk profile).

How do you work with our cyber insurer? Can you provide documentation to our insurer showing we meet their monitoring requirements? Do you know what evidence insurers expect in incident claims?

The Local Advantage: Why NZ Matters

There's a specific advantage to working with NZ-based providers: understanding of the local regulatory environment, Privacy Act 2020 requirements, local threat landscape, and the way NZ organisations actually operate.

Offshore providers may be cheaper, but the time zone mismatches, regulatory unfamiliarity, and communication challenges create friction when you actually need incident response.

 

The Integrated Security Stack: How These Pieces Fit Together

Here's how this actually works in practice for a well-secured organisation:

Strategic governance: A vCISO or internal security leader setting strategy, overseeing compliance, reporting to the board, ensuring security aligns with business objectives.

Operational monitoring: A managed SOC or MDR service providing 24/7 threat detection and incident response.

Core security controls: An MSP or managed IT provider ensuring systems are patched, devices are secured, and infrastructure is maintained.

Risk management: Regular risk assessments and penetration testing identifying vulnerabilities before attackers do.

Incident response: Documented procedures and tabletop exercises ensuring your team responds effectively when incidents occur.

This isn't one massive investment - it's building capability over time. But the foundation layer - 24/7 monitoring - has become non-optional if you want cyber insurance coverage and genuine security posture.

 

The Hybrid Model: The Most Realistic Path for Most SMBs

Here's what actually works for most NZ SMBs:

Year 1: Implement managed SOC/MDR for 24/7 monitoring. Ensure cyber insurance requirements are met. Document compliance.

Year 2: Add vCISO services to provide strategic security leadership. This might be one person at fractional time or a formal engagement depending on your complexity.

Year 3+: Layer in regular risk assessments, incident response planning, and vulnerability management as budgets allow.

This approach gives you professional security without trying to hire a team that probably doesn't exist or recruiting people who'll leave for Australia.

 

Conclusion: The Era of "DIY Security" Is Over

The days when SMBs could afford to treat security as "something the IT person handles" are gone.

Cyber threats have become too sophisticated, too frequent, and too costly. Cyber insurance has codified what "adequate security" means - and 24/7 monitoring is now part of the definition. And the talent shortage means finding someone to do this work internally is economically unfeasible for most organisations.

The organisations succeeding at security in 2026 aren't trying to build security teams. They're using managed providers for 24/7 operational security, keeping strategic leadership internal or fractional, and layering in risk management and incident response capability based on their specific risk profile.

It costs less than you might think. It's better than you can likely build internally, and it satisfies what cyber insurers now require.

The question isn't whether you can afford to use managed security services. The question is whether you can afford not to.

 

Evaluate Your Current Security Approach

If you're currently relying on in-house resources, an MSP without specialist security focus, or hoping your current cyber insurance covers you without 24/7 monitoring, it's worth having an honest assessment.

NSP provides:

We work with NZ organisations from startups to established businesses, law firms to healthcare providers, helping them build security capability that actually works.

Schedule a security assessment to understand your current security posture and evaluate whether your approach meets modern requirements - or call 0508 010 101 to discuss your specific situation.

We're 100% NZ-based, understand the local regulatory requirements and have worked through real incidents with real organisations. Let's make sure your security approach is actually sustainable and adequate for 2026.
