How SMBs can set up the right Security as a Service (the next SaaS!)

Information Security – if there’s one topic that is likely to make any CIO’s wallet hurt, it’s information security.

With all the media coverage lately on data theft, credit card theft, and identity theft, every company from the sole proprietorship to the massive international corporation to the critical government agency knows that they need it, and suspects that they lack it.

It’s one thing when a small-town restaurant’s Twitter account gets hacked, but it’s something else entirely when the government does. And while large corporations can call on large consultancies, who are the SMBs supposed to call upon for help? Information security is a specialty trade and experts do not come cheaply.

With so much demand and relatively little supply, the market is primed for a rise in specialty firms and independent consultants offering Security as a Service, at great savings. These may be tempting, especially when the latest hacks are front page news, but SMBs should think before they act. Here’s what they should consider.

There are no silver bullets

First and foremost, there are no silver bullets, quick fixes, or easy outs here. Security is a mindset, a way of life, and must be pervasive throughout all information systems, from log-ons through drive encryption to application hardening and secure remote access, and dozens of other things as well.

If a company is looking to ensure its information technology infrastructure is secure, it needs to make sure that the consultant or firm it chooses has practical experience with all of its systems.

One size does not fit all

Two companies with the same number of employees, the same annual revenues, and the same number of systems will not have the same needs. Even if a company wants to go with a fixed fee engagement, unless the provider is so large and has such a markup on services that they can afford a variance from one project to the next, one should expect the really good ones to quote on time and materials.

Security is best when it is layered, and security assessments have to peel back the layers to truly understand what is going on. Until it gets three layers down, a company won’t know what to expect at the fourth layer, so it has to plan for this to figure out what it costs.

Expertise is not gained overnight

Many consultants may choose to hang their shingle out to meet this rising demand, and may be relatively new working for themselves, but they should have years of industry experience working for companies as security experts in order to be truly qualified to help their clients with their security.

It is imperative to ask questions, look at resumes, and be sure that the professionals providing the services truly are qualified.

Certifications are good, but references are better

There are lots of security certifications on the market, and many are truly challenging to obtain and maintain, but just because someone can pass a test, doesn’t mean they are a security expert.

It is important to ask for references, from previous customers or co-workers, and take the time to check out the references before selecting a provider. Unless a company truly is their first customer, they should have previous customers willing to take a few minutes to talk about their experiences.

This is not a one-time thing

Security assessments, vulnerability scanning, penetration testing, system hardening…these are perpetual needs any information technology infrastructure will have forever.

It is important not to look at a security assessment engagement as a one-time thing. One goes to the doctor for an annual checkup and the same should be true of the corporate security posture. In between those annual full checkups, it is worth considering a monthly vulnerability assessment just to help make sure patching and system configurations are up to date.

Does it make sense to subscribe to SaaS or bring expertise in-house?

Companies could contract with a Security as a Service provider to provide regular security services, or they could have them help their own IT team to deploy in-house systems for vulnerability assessments and patch management, and then use the provider when needed for major projects, upgrades, or annual checkups.

If the in-house IT team has the capacity to take on the additional work needed for security, they need the right tools and training and can then take care of it. Companies should get an annual audit to be sure, and again, consider an external monthly vulnerability scan to make sure nothing was missed. But if one individual is the IT team, as well as the sales manager and delivery driver, he or she probably already works 25 hours a day, and may need to rely upon the pros going forward.

Companies should do what makes sense for their business and budget, but remember that a single security incident can put them out of business, so this shouldn’t be left to chance!

Information security is critical for any business with any IT at all…even if an entire business is run from a phone, one can imagine what damage would be done if email was hacked or the credit card processing system was compromised and customers found bogus charges on their accounts. For any business with any presence online, ensuring systems are secure and remain so is critical to ensuring they stay in business. There will be many independent consultants and security firms offering to help companies do just that, for the right price of course.

If companies can ensure they get the right service for their needs that is going to help keep their business going strong, staying secure, and remaining trusted by customers. SaaS can help.

Sergio Galindo, General Manager at GFI Software